Is Malware Really the Cause of the Ukrainian Power Outages?

ICS security expert Joel Langill has a different perspective:

It is technically possible, but highly improbable, that the BlackEnergy3 malware was used as the direct cyber threat that led to any denial of service or other consequences to the industrial control systems associated with the Ukrainian power systems.

I do believe however, that other unrelated cyber events such as communication buffer overflows, network issues, and potential software bugs were in fact key factors that led to the inability of the industrial control system to perform as intended, resulting in the widespread outage.

A report by the Energy Industry Research Center describes the Ukrainian electrical utility infrastructure as a '… rather old network, thus having a need to renovate.' This leads me to believe that the primary attack vector was most likely against networks and not end-devices. Networks are not typically the primary objective when using BlackEnergy malware.

It is unlikely that these organizations could have restored key ICS/SCADA components and stabilized the power generation facilities in such a short period of time if there was either a storage media erasure or installation of malware and rootkits. This signifies that the attack most likely did not actually penetrate the ICS architectures. This is not to say that BlackEnergy malware was not found within the ICS, as reports have in fact confirmed this, but rather that BlackEnergy was not responsible for disruption of normal ICS functions.

It is reasonable for one to confuse the fact that even though a particular company may have been breached by a cyber threat, the ICS architecture, networks, and components could have been completely isolated from the event and all components unaffected. This was in fact the case with Dragonfly and Shamoon.

The misinterpretation of data that we see in many open-source incident reports is not uncommon. If we recall the sequence of events during the Dragonfly campaign of 2014, malware was in fact found within a very small number of energy organizations. It was never actually found in the industrial system components and networks of these organizations during the ICS phase of the attack.

What Does This Incident Mean for ICS and SCADA Security?

Whether you work for a utility or not, this attack raises alarm bells that we hope will cause you to review your cyber defenses, systems and processes.

If your organization has not already done so, you should check your business and industrial networks for BlackEnergy indicators. A pattern-matching engine such as YARA, loaded with published BlackEnergy signatures, is a practical way to sweep hosts; supplement it with a check of known-bad file hashes from the same advisories.
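As an added example (not code from the original article, and not YARA itself), the sweep below walks a filesystem, hashes candidate files in chunks, and reports any whose SHA-256 appears in an operator-supplied IOC list. The IOC list format, the extension filter and the directory tree built by `demo()` are all constructed assumptions; in practice the hashes come from your vendor's or CERT's BlackEnergy advisory, and the sweep complements rather than replaces a YARA scan, which can also match code patterns that a hash list misses.

```python
"""Hash-based host sweep for known-bad files (added example, Python 3)."""
import hashlib
import os
import tempfile

HEX64 = set("0123456789abcdef")


def load_iocs(lines):
    """Parse a plain-text IOC list: one SHA-256 per line, '#' starts a comment."""
    iocs = set()
    for line in lines:
        value = line.split("#", 1)[0].strip().lower()
        if not value:
            continue
        if len(value) != 64 or set(value) - HEX64:
            raise ValueError(f"not a SHA-256 hex digest: {value!r}")
        iocs.add(value)
    return iocs


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs, exts=None):
    """Return (hits, skipped): hits are (path, digest) pairs matching the IOC set;
    skipped records files that could not be read (locked, permission denied)."""
    hits, skipped = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if exts and os.path.splitext(name)[1].lower() not in exts:
                continue
            try:
                digest = sha256_file(path)
            except OSError as exc:
                skipped.append((path, str(exc)))
                continue
            if digest in iocs:
                hits.append((path, digest))
    return hits, skipped


def demo():
    """Build a constructed directory tree and sweep it with a placeholder IOC list.
    The IOC is derived from the constructed file itself; it is NOT a real BlackEnergy hash."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "drivers", "sample.sys")
        os.makedirs(os.path.dirname(sample))
        with open(sample, "wb") as fh:
            fh.write(b"constructed placeholder content, not real malware\n")
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"benign file\n")
        ioc_text = ["# placeholder IOC list (constructed)",
                    sha256_file(sample) + "  # hash of the constructed sample"]
        iocs = load_iocs(ioc_text)
        hits, skipped = sweep(root, iocs, exts={".sys", ".dll", ".exe"})
        return [os.path.basename(p) for p, _ in hits], skipped


if __name__ == "__main__":
    print(demo())
```

Run it against a mounted image or a live host with the IOC list read from a file (`load_iocs(open("iocs.txt"))`); keep the `skipped` list, because files an unprivileged sweep cannot open are exactly the ones worth a second look.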

Then think about your ability to know what is normal for your network so you can rapidly detect abnormalities. This includes monitoring and logging communications that occur between industrial networks and external (office) / public (Internet) networks. In the Dragonfly malware campaign, for example, simply blocking unauthorized outbound HTTP traffic originating from the industrial control network would have mitigated the impact of the attack, because the malware relied on that channel to reach its command-and-control servers.
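The following is an added example, not code from the original article, showing what "knowing what is normal" looks like in practice: a baseline of the only conversations allowed to cross the ICS boundary, applied to flow records so that anything else is flagged, with outbound HTTP(S) from the control network to an external host (the Dragonfly pattern) rated highest. The network ranges, the three baseline entries and the flow-record format and sample lines are all constructed assumptions; in a real deployment the baseline comes from the firewall rule set or from an observed learning period.

```python
"""
Boundary-flow baseline check for an industrial network (added example, Python 3).
Network ranges, baseline entries and flow records below are constructed.
"""
import ipaddress
from dataclasses import dataclass

ICS_NET = ipaddress.ip_network("10.10.0.0/16")      # assumed control network
OFFICE_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed business network
INTERNAL_NETS = [ICS_NET, OFFICE_NET]               # anything else is "external"
WEB_PORTS = {80, 443, 8080}

# Assumed baseline: the only conversations permitted to cross the ICS boundary,
# as (source network, destination network, protocol, destination port).
BASELINE = [
    (ICS_NET, ipaddress.ip_network("10.20.1.5/32"), "tcp", 1433),   # historian to DMZ database (hypothetical)
    (ipaddress.ip_network("10.20.1.20/32"), ICS_NET, "tcp", 3389),  # engineering jump host into ICS (hypothetical)
    (ICS_NET, ipaddress.ip_network("10.20.1.53/32"), "udp", 123),   # NTP to internal time server (hypothetical)
]


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    sport: int
    dport: int


def parse_flow(line):
    """Parse one record: 'timestamp src dst proto sport dport' (constructed format)."""
    ts, src, dst, proto, sport, dport = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(sport), int(dport))


def is_external(addr):
    return not any(addr in net for net in INTERNAL_NETS)


def crosses_boundary(f):
    """True when exactly one end of the flow is inside the control network."""
    return (f.src in ICS_NET) != (f.dst in ICS_NET)


def in_baseline(f):
    return any(f.src in s and f.dst in d and f.proto == p and f.dport == port
               for s, d, p, port in BASELINE)


def classify(f):
    """None for expected traffic, otherwise a (severity, reason) tuple."""
    if not crosses_boundary(f) or in_baseline(f):
        return None
    if f.src in ICS_NET and is_external(f.dst) and f.proto == "tcp" and f.dport in WEB_PORTS:
        return ("high", "outbound HTTP(S) from the control network to an external host")
    if f.src in ICS_NET:
        return ("medium", "outbound flow from the control network not in baseline")
    return ("medium", "inbound flow into the control network not in baseline")


def find_anomalies(lines):
    """Return (ts, src, dst, proto, dport, severity, reason) for each flagged flow."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        verdict = classify(f)
        if verdict is not None:
            hits.append((f.ts, str(f.src), str(f.dst), f.proto, f.dport) + verdict)
    return hits


SAMPLE_FLOWS = """\
# constructed flow records: timestamp src dst proto sport dport
2016-01-20T14:02:11Z 10.10.3.15 10.20.1.5 tcp 49211 1433
2016-01-20T14:02:12Z 10.20.1.20 10.10.3.15 tcp 50211 3389
2016-01-20T14:02:13Z 10.10.3.15 10.10.3.20 tcp 49300 502
2016-01-20T14:02:14Z 10.10.3.15 203.0.113.7 tcp 49312 80
2016-01-20T14:02:15Z 10.10.3.15 10.20.1.53 udp 49400 123
2016-01-20T14:02:16Z 10.20.4.8 10.10.3.15 tcp 51000 445
"""

if __name__ == "__main__":
    for hit in find_anomalies(SAMPLE_FLOWS.splitlines()):
        print(*hit)
```

Two of the six constructed records are flagged: the HTTP request from a control-network host to 203.0.113.7 (high) and an SMB connection from an office workstation into the ICS that no baseline entry permits (medium). Intra-ICS Modbus traffic on port 502 is deliberately out of scope here; a boundary monitor is not a substitute for monitoring inside the control network.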

When was the last time you reviewed, updated and rehearsed your incident response plan (IRP)? You do have a site-specific IRP in place, don't you? In the case of the Ukraine disruptions, the speed with which the affected utilities re-energized their systems was notable, especially since their call centers and SCADA systems were offline or not visible. Could your organization react as quickly in similar circumstances? Do you have a solid understanding of how you could 'disconnect' or 'isolate' some or all of your industrial networks and still maintain plant operation?

While you're at it, when was the last time you updated your risk assessments? Should you be including threats from 'Offense in Depth' coordinated attacks that combine cyber and physical components? How well are your critical systems protected from insiders, or from someone posing as a trusted individual using stolen credentials or equipment?

What is the current state of your cyber defenses? Are you following current best-practice policies and using security technologies designed for industrial environments?

For your benefit, below is a sample of recommended best practices. Download the white papers offered with this article and review the resources listed in the Related Links section for more information.

Table 1 - Partial list of effective defenses against Offense in Depth malware campaigns. Download the white paper 'Defending Against the Dragonfly Cyber Security Attacks' for a more detailed list.

In short, even if you're not working for a utility, this event is a good opportunity to step back and assess your cyber security defenses and processes. For critical infrastructure providers, it's vitally important to keep following the analyses of the Ukrainian power outage and to learn the lessons it teaches us.

What are your thoughts on the Ukraine power outage? Does its occurrence impact your security strategy?

Joel Langill | @SCADAhacker

Joel Langill is an independent security researcher, consultant, educator and creator of the website SCADAhacker.com.

He approaches cyber security in a fashion similar to industrial functional safety, and his services help companies improve the security and reliability of their automation and SCADA systems. His book 'Industrial Network Security', 2nd edition, provides a comprehensive look at ICS security.

Related Links

Ukraine Power Outage Security Incident

Cyber Security Resources

Belden / Tripwire Products for ICS Security

Belden Inc. issued this content on 27 January 2016 and is solely responsible for the information contained herein. Distributed by Public, unedited and unaltered, on 27 January 2016 13:50:11 UTC

Original Document: http://www.belden.com/blog/industrialsecurity/Ukraine-Power-Outage-Exposes-Industrial-Networking-Risk.cfm