By Katherine Brocklehurst
In June 2017, researchers disclosed a new family of sophisticated malware designed to target and disrupt industrial control systems (ICS) in power grids, specifically electric utility substations.
CRASHOVERRIDE (aka Win32/Industroyer) offers modules that use standard industrial protocol communications and can directly control switches and circuit breakers within Remote Terminal Units (RTUs) in substations.
The impact could range from a loss of power to forced “islanding” of substations. The latter occurs when automatic safety mechanisms, which are purposely designed to protect grid operations, trip in response to the conditions CRASHOVERRIDE creates.
This isn’t cataclysmic – outages could vary widely, lasting from hours to potentially a week. And, at least in the U.S., our power grid uses DNP3 (not included in CRASHOVERRIDE modules yet) and is reliably maintained by grid operations professionals who handle outages all the time.
However, if operators lose visibility and control because HMIs cannot remotely operate the circuit breakers, restoring power could be delayed. Crews would have to travel physically to the affected systems and possibly even sever communication links during recovery. This is why the CRASHOVERRIDE platform’s design and extensibility are highly concerning to ICS security professionals.
As described in a US CERT Alert (TA17-163A), CRASHOVERRIDE is a new, highly capable attack framework with modules that can be altered and extended for use in targeting many different critical infrastructure sectors – not just power grids.
CRASHOVERRIDE is only the second-ever known case of malicious code purpose-built to disrupt physical systems, the first being Stuxnet.
Dragos’ report also describes it as the first-ever malware “framework” or “platform” designed and deployed specifically to attack and disrupt physical industrial processes within electric grids. This malware also shows that adversaries have gained detailed knowledge of grid operations and industrial communication protocols, knowledge which can be extended to other industries and protocols.
What does all this mean to you, the security-minded ICS professional? CRASHOVERRIDE has no “easy button,” simple patches or workarounds, but there are key indicators, impacts and guidance. Here is what you need to know regardless of your industrial organization or critical infrastructure sector.
As of this date, ESET, Dragos and US-CERT do not define a specific attack vector for the initial infection of CRASHOVERRIDE. This means they can’t give us any definitive information on exactly how or by what methods the adversary achieves initial access and delivers the malware payload.
Phishing and spear-phishing emails have been successfully used in 91 percent of global malware transfers to infected systems, according to PhishMe’s 2016 report, and US-CERT advises investigating potential honeypots as another possible means of malware transfer. These are two areas worth learning more about, and employee security awareness training and education are a good preventive starting point.
Dragos showed that CRASHOVERRIDE offers a range of modules, including four industrial control system communication protocol modules:
• IEC 60870-5-101 (aka IEC 101)
• IEC 60870-5-104 (aka IEC 104)
• IEC 61850
• OLE for Process Control Data Access (OPC DA)
In addition, there are modules for:
• Denial-of-service (DoS)
• Backdoor/remote access
• Command and Control (C&C or C2) for periodic connection to the command server for updates
• Port scanning
• A wiper to hide its tracks, destroy files and even overwrite the boot sector so that the system cannot reboot itself
CRASHOVERRIDE’s modules have been designed to be extensible, and all analysis agrees that modifications could be made to add other industrial protocol modules, such as DNP3, the most commonly used industrial protocol within North American power grids. DNP3 is also used in water/wastewater and certain applications within oil and gas, especially when communicating with field locations like substations, pump stations and pipelines. As of now, however, there are no known DNP3 modules in use.
Impacts on Grid Operations
Because CRASHOVERRIDE uses international communication protocols, it has an immediate impact on electric grid operations in Europe, Asia and Central and South America. By extension, we should be on the lookout in the U.S., as noted in US-CERT Alert (TA17-163A).
These impacts include:
1. De-energizing substations
2. Denial of service over serial COM ports
3. Visibility into the entire ICS environment
4. Leveraging vendor-specific vulnerabilities
5. Wiper module rendering infected systems useless
How to Protect
Detecting and defending against CRASHOVERRIDE is not a simple task, particularly when researchers have not identified a clear initial infection method. Nor does it reduce to a single vulnerability, a single patch, or a neat stage-by-stage description of how it happens and exactly what to do.
If possible, all three referenced research documents on CRASHOVERRIDE should be read and considered for your environment. Share them with the IT department and consider how to work together on a holistic organizational preventive plan that maintains resilience and availability for plant operations in the face of such an advanced malware platform.
Here are a few suggestions:
1. Know What Protocols Are in Use – Though your industry may not be in the energy sector and may not use industrial communication protocols targeted by CRASHOVERRIDE (IEC 101, IEC 104, IEC 61850, OPC), you should at a minimum know in advance what communication protocols are in use within your network, endpoints and control systems.
2. Prepare Your Defenses – Malware defenses and other preparations are recommended, such as those suggested in the National Cybersecurity and Communications Integration Center’s (NCCIC’s) Malware Trends analysis, Destructive Malware report and Seven Steps to Effectively Defend Industrial Control Systems. These are “must read” documents written by ICS professionals for ICS security professionals. They will almost certainly recommend training employees on phishing, spear-phishing, honeypots and other techniques used to deliver malware.
3. Look for Indicators of Compromise (IOCs) – The NCCIC/ICS-CERT advises that, though the investigation is ongoing, downloadable IOCs are available for reference in Alert (TA17-163A) and in ESET’s and Dragos’ reports (also provided below from the Alert content). To search for these indicators you will most likely need assistance (possibly from IT or other ICS cyber security experts) to ensure no disruption occurs within your operations while investigating. C2 connections to the attacker servers are the most obvious IOC: known addresses are hard-coded within the malware, and you can check whether connections are being made from within your organization to the Command and Control server IP addresses listed in the ESET report. There are also indicators related to the scanning modules, DLLs (by name) that are present, and other IOCs.
4. Validate That Appropriate Logging Is in Place – This is essential for spotting suspicious activity while it is happening, as well as for forensics should you need it. The more advanced capabilities of a Security Information and Event Management (SIEM) system may be especially helpful for gathering a correlated view of system events in your industrial network. These systems are typically passive and non-invasive to operations.
5. Test Backups and Restore Processes – Does your organization have backups and do they work upon restore? This should be tested because in many malware cases a backup is critical to bringing damaged systems back online. This is just a good basic practice.
6. Consider Proactively Getting Outside Help – You may require expert resources either from within your organization’s own IT department or even through outside consultancy. NCCIC/ICS-CERT is another resource you can email.
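Suggestions 1, 3 and 4 above can be exercised together against a connection log without touching the control network itself. The script below is an added example written for this article, not code from the original post or from any of the referenced reports: it takes Zeek-style flow records (source, destination, destination port), inventories which ICS protocols are actually in use by their well-known TCP ports, matches destination addresses against a C2 indicator list, and flags hosts that speak an ICS protocol to field devices without being on the operator's allowlist of SCADA and engineering hosts. The log lines, the C2 address and the allowlist are all constructed placeholder values in TEST-NET and private ranges; the real indicators come from the ESET, Dragos and TA17-163A documents, and the port-to-protocol table is a coarse heuristic (OPC DA only uses port 135 for endpoint discovery, and IEC 101 runs over serial links, so it never appears in a TCP flow log).

```python
"""
Added example, not from the original article: offline triage of a flow log
against three of the article's recommendations (protocol inventory, C2 IOC
matching, allowlisting of ICS clients). All sample data is constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Well-known TCP ports for the protocols CRASHOVERRIDE speaks, plus DNP3.
# IEC 101 is serial-only and will not show up in a TCP flow log. Port 135 is
# only the DCOM endpoint mapper OPC DA starts with, so treat it as a hint.
ICS_PORTS = {
    2404: "IEC 60870-5-104",
    102: "IEC 61850 MMS",
    135: "OPC DA (DCOM endpoint mapper)",
    20000: "DNP3",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_flows(lines):
    """Parse whitespace-separated 'src dst dport' records (constructed format)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        flows.append(Flow(src, dst, int(dport)))
    return flows


def protocol_inventory(flows):
    """Count flows per ICS protocol so you know what is actually on the wire."""
    counts = Counter()
    for f in flows:
        name = ICS_PORTS.get(f.dport)
        if name:
            counts[name] += 1
    return dict(counts)


def c2_matches(flows, c2_addresses):
    """Return sorted (src, dst) pairs whose destination is a known C2 indicator."""
    return sorted({(f.src, f.dst) for f in flows if f.dst in c2_addresses})


def unexpected_ics_clients(flows, allowed_clients):
    """Return sorted (src, protocol) pairs for ICS traffic from non-allowlisted hosts."""
    hits = set()
    for f in flows:
        name = ICS_PORTS.get(f.dport)
        if name and f.src not in allowed_clients:
            hits.add((f.src, name))
    return sorted(hits)


# --- constructed sample data (not real indicators) ------------------------
SAMPLE_LOG = """
# src            dst             dport
10.10.1.20       10.10.5.11      2404
10.10.1.20       10.10.5.12      2404
10.10.1.21       10.10.5.11      102
10.10.1.50       10.10.5.11      2404
10.10.1.50       10.10.5.13      20000
10.10.1.50       203.0.113.45    443
10.10.1.21       198.51.100.7    80
10.10.1.20       10.10.1.21      135
""".splitlines()

# Placeholder C2 address (TEST-NET-3) and the operator's allowlisted SCADA hosts.
C2_ADDRESSES = {"203.0.113.45"}
ALLOWED_ICS_CLIENTS = {"10.10.1.20", "10.10.1.21"}


def triage(lines=SAMPLE_LOG, c2=C2_ADDRESSES, allowed=ALLOWED_ICS_CLIENTS):
    """Run all three checks and return their results in one dict."""
    flows = parse_flows(lines)
    return {
        "inventory": protocol_inventory(flows),
        "c2": c2_matches(flows, c2),
        "unexpected": unexpected_ics_clients(flows, allowed),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On the constructed sample, the inventory shows IEC 104, IEC 61850 MMS, DNP3 and an OPC DA endpoint-mapper hit; the C2 check flags 10.10.1.50 reaching the placeholder indicator; and the allowlist check flags that same host issuing IEC 104 and DNP3 traffic to field devices even though it is not a recognised SCADA client. Running this over a SIEM export or Zeek conn.log is passive and does not send a single packet into the control network, which is the property the article asks for.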
This is not a crisis, but it is highly concerning and does bear investigation and preparation. Most electric grids have been built for reliability, and current analysis indicates no U.S. sites have been publicly impacted. Early indications are that if disruptions occur to grid operations, the outages could range from hours to a few days if multiple sites are affected and crews have to travel physically to where the outages occur.
“Everything past single substation events and small islanding events…is purely speculation,” is one quote from Dragos’ report. However, as they say, hindsight is 20/20, and it will pay dividends to be better prepared for the growing sophistication of attackers.
Katherine Brocklehurst is with Belden’s Industrial IT group. Her area of responsibility covers industrial networking equipment and cyber security products across four product lines and multiple market segments. She has 20 years of experience in network security, most recently with Tripwire.