Malware was recently identified that appears to have been designed and deployed by a nation-state to target and shut down electric grids.
According to published reports, this malware currently appears to be capable of attacking the European grids, and parts of the Middle East and Asia grids, by targeting the specific industrial control system (ICS) network protocols used to operate those grids. With small modifications, the malware reportedly also appears to be capable of attacking the North American power grid, as well as other industries that use ICS networks (e.g., oil, gas, water, data) around the globe.
The malware, called “CrashOverride” or “Win32/Industroyer,” appears to pose the most significant cyber-based threat to a physical industrial process since the Stuxnet malware was reportedly used in 2009 to physically damage Iranian uranium enrichment centrifuges. A report issued by a cybersecurity firm earlier this week analyzed the malware and found that it is very likely the same type of malware that shut down portions of the Ukraine electric grid in December 2016. The purpose of the malware seems to be limited to causing power outages. Notably, the malware is also reportedly capable of delaying restoration actions, including by erasing ICS network software, and deleting traces of the malware after the attack, preventing effective forensics.
It would be prudent for counsel advising affected industries to confirm that appropriate steps are being taken to exercise vigilance in light of this new information, for example by appropriate personnel taking steps now to review and mitigate system vulnerabilities; monitor for indicators of an attack; and prepare for and respond to this type of an attack.
Protecting against the threat
The types of security measures that are appropriately taken to help protect against this threat are likely to evolve as more information becomes available. Key measures that we recommend companies confirm are in place include the following:
- Vulnerability management. Vulnerability management in general should be reviewed on a routine basis, but specific patches can be implemented to better protect ICS networks. The CrashOverride malware, as analyzed by the security firm ESET, relies on a vulnerability in the Siemens equipment known as a Siprotec digital relay. Siemens released a vulnerability patch in July 2015, and ICS operators should review such systems and apply the patches, if they have not already.
It has been publicly reported that Stuxnet infections continued to persist on unpatched systems years after the Iranian centrifuge incident, so now is the time for ICS operators to prevent similar issues with CrashOverride.
Further, on 12 June 2017, Microsoft provided patches for a number of older systems and programs, which it had previously announced it would no longer support. Microsoft’s reversal of policy was in part due to concerns that the older systems and programs remained vulnerable to recently discovered exploits, which reportedly target these systems and programs. While the recently discovered exploits are not specific to CrashOverride, effective vulnerability management can help organizations guard against a variety of malware.
- Monitoring. Information security team should monitor for new variants of the malware and take action to maintain protection against those new variants through deployment of updated malware signatures as they become available. Because the malware may evolve variants quickly, behavioral detection of potentially malicious activity is recommended by security experts–by establishing a baseline for normal system activity, anomalous behavior or patterns can be detected, even if the malware signature is novel.
- Containment and recovery plan. In the event that systems are compromised, as a priority action contain the affected system as quickly as possible, while otherwise activating your organization’s incident response plan.
- Backups. Steps should be taken to preserve and protect backup copies of ICS operating software and key engineering files separate and apart from operational systems and offline, to allow for a quick recovery if the malware deletes the operational copy of the ICS operating software.
- Response plan. Consider now how your organization would likely address key issues raised by a cyber-attack causing a total or partial shutdown of services, such as whether personnel must be physically deployed to substations to implement response, containment, and recovery efforts; when and how to interact with government authorities and law enforcement; and the process by which to safely restore operations, particularly in the context of an ongoing attack. Event and outage response plans, for any reason, should specifically include considerations for a timely response to a cyber-attack. In the United States, entities that have been notified that they are owners and operators of cyber-dependent infrastructure at greatest risk (i.e., are on the “Section 9 List’ under Executive Order 13,636), should also consider taking steps to engage appropriate government representatives for assistance.
To read more about CrashOverride:
- Dragos, “CrashOverride: Analysis of the Threat to Electric Grid Operations” (12 June 2017)
- US-CERT: Alert (TA17-163A), “CrashOverride Malware” (Updated as of 13 June 2017)
- Washington Post, “Russia has Developed a Cyberweapon that can Disrupt Power Grids, According to New Research” (12 June 2017)
- Motherboard, “The Malware Used Against The Ukrainian Power Grid Is More Dangerous Than Anyone Thought” (12 June 2017)
- Wired, “‘Crash Override’: The Malware That Took Down a Power Grid” (12 June 2017)