BreachExchange mailing list archives

Ukrainian Power Grid Hack: 9 Questions


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 6 Jan 2016 17:27:37 -0600

http://www.databreachtoday.com/ukrainian-power-grid-hack-9-questions-a-8781

Reports to date about the hack of Ukrainian energy supplier
Prykarpattyaoblenergo last month have so far left many crucial questions
unanswered. Who was responsible? Did malware
<http://www.databreachtoday.com/anti-malware-c-309> directly trigger a
three-hour blackout? Are other power suppliers at risk from similar
attacks (see *Ukrainian Power Grid: Hacked*
<http://www.databreachtoday.com/ukrainian-power-grid-hacked-a-8779>)?

The Computer Emergency Response Team of Ukraine - CERT-UA - has confirmed
to Information Security Media Group that it is investigating the
blackouts, which involved hackers gaining remote access
<http://www.bankinfosecurity.com/whitepapers/challenges-integrating-ot-in-oil-gas-industry-w-1917>
to power production systems. The agency also confirms reports that the
BlackEnergy espionage Trojan - and KillDisk wiper malware
<http://www.databreachtoday.com/interviews/wiper-malware-what-you-need-to-know-i-2526>
- infected systems of the hacked energy supplier, which suffered a
three-hour electricity blackout on Dec. 23, after multiple electrical
substations went offline, leaving about 1.4 million homes in the country's
western Ivano-Frankivsk region without power. Ukrainian officials have
blamed the blackout on Russia, but have as yet released no evidence to back up
that claim.

Multiple cybersecurity <http://www.databreachtoday.com/cybersecurity-c-223>
experts say that these are the questions they're now asking in the wake of
the Ukrainian hack attack reports:

1. Who's Surprised?

Cybersecurity experts have warned for years that the supervisory control
and data acquisition - SCADA - systems that provide remote control and
monitoring of industrial environments are too often insecure, yet also
Internet-connected and easy pickings for would-be hackers.

Indeed, a 2004 Congressional Research Service report
<https://www.fas.org/sgp/crs/homesec/RL31534.pdf> - prepared for the U.S.
Congress - includes warnings from industrial control system cybersecurity
expert Joe Weiss that the industry desperately needs to develop and
implement "firewalls, intrusion detection, encryption, and other
technology" to safeguard control systems. Such systems are used in numerous
industries, ranging from energy production and chemical plants to train
networks and inside aircraft.

More than a decade later, however, Weiss says too little has been done, and
that the industry continues to build, deploy and rely on systems that
remain too easy for attackers to remotely exploit. "The real question," he
says, is "why are people so unprepared for cyber threats to industrial
infrastructures?"

Making such systems remotely controllable also hasn't led to increased
security, warns Mark Weatherford, chief cybersecurity strategist for data
security firm vArmour, and a former Deputy Undersecretary for Cybersecurity
at the U.S. Department of Homeland Security, as well as CSO for NERC, the
North American Electric Reliability Corp. "There are still too many control
systems connected to the Internet," he says. "It's convenient and makes
economic sense, but it's dumb from a security perspective." He urges anyone
who's operating an Internet-connected ICS to "at least be monitoring egress
attack paths to see what is leaving," as well as to plan "in advance" how
they'll respond if they do suffer an attack.
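Weatherford's advice to "at least be monitoring egress" can be made concrete. The following is an added example, not code from the article or any of the people it quotes: a small Python check over a constructed flow log that flags any traffic leaving a hypothetical OT segment toward a destination and port that is not on an explicit allowlist. Every subnet, port and record below is constructed for illustration.

```python
"""Egress monitoring for an ICS segment: flag flows leaving the control
network that are not explicitly allowed. Added example; every subnet, port
and flow record here is constructed, not taken from the incident."""
import ipaddress

# Constructed layout: the OT segment, the wider plant address space, and the
# only destinations OT hosts should reach (a historian and a jump host).
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
PLANT_RANGE = ipaddress.ip_network("10.0.0.0/8")
EGRESS_ALLOWLIST = {
    (ipaddress.ip_address("10.30.0.10"), 5450),  # historian (constructed)
    (ipaddress.ip_address("10.30.0.20"), 22),    # jump host (constructed)
}

def parse_flows(lines):
    """Parse 'src dst dport bytes' records into (src, dst, dport, bytes)."""
    flows = []
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank or comment line
        src, dst, dport, nbytes = fields
        flows.append((src, dst, int(dport), int(nbytes)))
    return flows

def egress_alerts(flows, volume_threshold=1_000_000):
    """Return (reason, flow) pairs for OT-originated traffic that leaves the
    segment toward a destination/port not on the allowlist."""
    alerts = []
    for flow in flows:
        src, dst = ipaddress.ip_address(flow[0]), ipaddress.ip_address(flow[1])
        if src not in OT_SEGMENT or dst in OT_SEGMENT:
            continue  # not egress from the control network
        if (dst, flow[2]) in EGRESS_ALLOWLIST:
            continue  # expected traffic
        # An OT host reaching outside the plant at all is the loudest signal.
        reason = "ot-to-external" if dst not in PLANT_RANGE else "ot-to-unlisted-internal"
        if flow[3] >= volume_threshold:
            reason += "+high-volume"  # a large transfer leaving is worth a look
        alerts.append((reason, flow))
    return alerts

# Constructed sample flow log in 'src dst dport bytes' form
SAMPLE_LOG = """# src dst dport bytes
10.20.1.5 10.30.0.10 5450 20480
10.20.1.5 10.20.1.9 502 1200
10.20.1.7 10.30.0.20 22 8000
10.20.1.7 198.51.100.23 443 2500000
10.20.2.3 10.40.0.5 445 30000
10.1.0.9 198.51.100.23 443 500"""
```

Running `egress_alerts(parse_flows(SAMPLE_LOG.splitlines()))` reports the large transfer to an address outside the plant and the unlisted internal SMB connection, and ignores the allowlisted historian and jump-host traffic.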

2. Did Wiper Malware Directly Trigger Blackout?

What's still not yet known about the Ukraine hack, however, is exactly how
the attack and the blackouts might be connected. So far, CERT-UA has
confirmed a report from security firm ESET
<http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/>
that BlackEnergy had been used to install wiper malware called KillDisk,
a.k.a. Disakil
<http://www.symantec.com/connect/blogs/destructive-disakil-malware-linked-ukraine-power-outages-also-used-against-media-organizations>,
which is designed to delete computer hard drives and leave systems
unbootable.

"I am still trying to piece this together," says Dublin-based information
security consultant Brian Honan, who is a cybersecurity adviser to the
association of European police agencies known as Europol. "We have reports
of a power outage and reports of systems being infected with a computer
virus, but no connection - at least a publicly acknowledged one - that the
two are related. In other words, how would a wiper-type virus stop the
station from producing power?"

3. Did Attackers Blend Techniques?

Michael Assante, formerly a CSO at NERC, says in a Jan. 5 SANS Institute
newsletter that attackers likely blended multiple techniques to trigger and
extend the disruption. "A file-wiper function can certainly disrupt the
SCADA system, but that alone does not account for the outage," he says. "We
suspect an attacker manually interacted with an infected machine, like an
HMI - human-machine interface - to command breakers to open," although he adds
that this is still just a theory. "The wiper function could then have been
used to extend the outage by denying the SCADA system, but the impacted
Ukrainian utility was still capable of resorting to manual operations to
re-close breakers and energize their system."

He also referenced reports that the Ivano-Frankivsk region suffered a
cellular telephone network denial-of-service attack at the same time as the
power outages. Such an attack could have prevented energy operators from
remotely controlling the affected systems as well as coordinating their
response.

"The Ukraine has had power grid reliability problems in the past, so that
probably means they were dependent on remote access," Weiss says, noting
that such remote access may be provided not just via the Internet, but also
via cellular networks.

4. Was Ukraine Attack Targeted?

What's also unclear is whether attackers were directly targeting the
Ukrainian power supplier. "Was this a targeted attack, or did some systems
get infected in some way? If so how?" Honan asks. "Were the infected
systems Internet-connected? If so why? Are there other power stations
around the world running similar infrastructure that should take lessons
from this?"

If BlackEnergy malware - or another piece of malware that the Trojan loaded
onto infected systems - was used to disrupt energy generation systems, it
would represent an escalation in the types of attacks that have been seen
targeting energy firms (see *Hackers Target Energy Firms*
<http://www.databreachtoday.com/hackers-target-energy-firms-a-7012>).
"Until now, BlackEnergy has focused on exfiltrating information, not
infrastructure impact," Weiss says. He also cautions that such malware
"targets Siemens and GE systems," meaning it could be used to disrupt more
than just power providers.

5. Why Does Industry Still Lack Forensics?

One complicating factor when investigating these types of outages, however,
is that too many control systems still lack any kind of logging or
digital-forensic <http://www.databreachtoday.com/forensics-c-315> review
capabilities, Weiss says. "There have been many demonstrations of
vulnerabilities in control systems and there have been many control system
incidents - attacks and unintentional incidents. But we have minimal
control system forensics when you get below the Windows/IP layer," he says.
"So ... if the lights go out, you don't necessarily know if you've been
hacked."

6. Was Hack a Military Test?

While the Ukrainian blackout might seem like a nuisance-level type of
attack - no one was reportedly injured, nothing exploded - SANS Institute
director of research Alan Paller says that such disruptions have military
applications. "Cyber weapons can be pre-positioned inside power companies
to do the job of a missile, before a nation even knows it is under attack,"
he writes in the Jan. 5 SANS newsletter. "Once power and communications are
disabled, a country's ability to coordinate defense and mount
counterattacks is severely disabled."

7. Will Government Agencies Do Something?

But those risks have long been known, Weiss says, and regularly detailed to
the likes of Congress and the U.S. Department of Energy and Department of
Homeland Security. "Obviously, DOE and DHS haven't been very successful at
improving the cybersecurity of the electric grid, because our grids and
other critical infrastructure are still really vulnerable, and there have
been more than 250 actual control system cyber incidents to date," Weiss
says. "And are [those systems] vulnerable to BlackEnergy? Yes."

8. Will ICS Vendors Improve Their Security?

Government agencies are not alone in being ineffective, Weiss says: ICS
providers and users often fail to identify many incidents as being
cyber-related, and fail to eliminate simple flaws from their products. This
week, for example,
researchers presenting at the Chaos Communication Congress in Hamburg
released the latest version of SCADAPass
<https://github.com/scadastrangelove/SCADAPASS/blob/master/scadapass.csv>,
which details hardcoded and known passwords in 100 different ICS and SCADA
products - including switches, controllers, programmable logic controllers,
Web servers, wireless management stations - from such manufacturers as B&B
Electronics, Emerson, Rockwell Automation, Samsung, Schneider Electric and
Siemens.

Last month, meanwhile, DHS warned that multiple Schneider Electric PLC
products <https://ics-cert.us-cert.gov/advisories/ICSA-15-351-01> have a
zero-day vulnerability that attackers could remotely exploit to take
control of the devices. The devices are used in numerous different types of
environments, including power plants, nuclear reactors, and for water and
wastewater treatment.

9. What Will Trigger Changes?

If government agencies have so far proven to be ineffective at helping
bring about ICS security, Weiss says there's hope from another source:
ratings services (see *Moody's Warns Cyber Risks Could Impact Credit
Ratings*
<http://www.databreachtoday.com/moodys-warns-cyber-risks-could-impact-credit-ratings-a-8702>).

"Moody's and Standard and Poor's and the insurance companies are beginning
to realize that cyber risks to critical infrastructure can be very
significant," Weiss says.

But he adds that too often, DHS has done too little, citing the example of
the recently revealed 2013 hack attack against a dam in Rye, New York, in
which Iranian hackers
<http://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559>
reportedly gained access to the dam's flood gates, although they failed to gain
access to the full control system.

"DHS had not disclosed this information to the city of Rye for more than a
year," Weiss says. "The system is broken."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss