One of the deplorable components of the Russian aggression toward Ukraine has been resumption of cyber-attacks on the electrical grid. This has highlighted the vulnerability of the electrical distribution network to this kind of attack. The Computer Emergency Response Team of Ukraine disclosed that a Russian hacking group has recently attacked the grid’s industrial control systems.
The attack methodology is commonly called CrashOverRide or Industroyer. It is targeted at industrial control systems, specifically electrical grids. It is configured to use fieldbus protocols for communication with controllers and devices.
How the CrashOverRide works
The attack on the Ukraine used a multi-stage process commencing with an account takeover to gain administrative access to control systems. It has not been revealed how this was achieved, possibly by credential-stuffing with commonly used passwords or with insider assistance. It was revealed that the electricity grid management operation still uses antiquated systems, incapable of supporting modern networking and security technology.
Once access to a networked device has been achieved, the hacker installs a CrashOverRide module on a system capable of communicating directly with a PLCs or HMI device to change settings, operate actuators, or stop the controller altogether.
The chronic problem of OT infrastructure
The lesson is clear: the electrical grid continues to be vulnerable. This is a chronic problem with OT infrastructure where an ‘if-it’s-not-broken-don’t-fix-it’ approach is often the corporate strategy. Change is more difficult in the electrical generation and distribution sector where critical infrastructure regulation restricts the options available to management.
For instance, regulation maintains a strategy of IT/OT isolation by prohibiting direct network interconnection. If the need for a file transfer warrants it, staff must resort to manual transfer via secure storage media.
What can be done?
But, while change is not for the faint-hearted, it is eminently possible and the briefest of cost/benefit analysis supports increasing cyber-protection:
- The plan for retirement of legacy systems should be accelerated. There is no excuse for the continued use of Solaris. While choosing an upgrade path is complex it must be done.
- Communication between control systems and devices should be secured. A basic PKI installation can avoid communication compromise.
- Monitoring solutions to detect communication anomalies on OT networks are available and effective. Once a baseline of normal communications has been achieved any change or interactive communication on the network is readily detectable.
- Detection of a change of status for a controller, which might indicate a firmware update, is basic and should be implemented.
- Uni-directional gateways are a promising technology that can securely support near real-time monitoring of OT infrastructure via corporate SOC and SIEM tools.
The war has served to highlight the problem; can it provide the motivation to fix it?