How to Thwart A BlackEnergy Type Malware Attack in Electric Utilities

Nation-states interfering in the utility grids of other nations

We have seen a trend recently of nation states interfering in the utility grids of other nations as a precursor to, or as part of, armed conflict. The nation state disables the utilities in order to cause general confusion and mayhem before or alongside its physical attack. This is what happened to Ukrainian distribution utilities in December 2015.

The Sandworm Team, a cyber group based in Russia, is widely believed to have been behind the December 2015 BlackEnergy (BE) attack, which cut power to approximately 225,000 customers served by three Ukrainian distribution companies. Using access gained through BlackEnergy, the attackers operated the utilities' SCADA systems remotely and opened substation breakers, overwrote the firmware of serial-to-Ethernet converters so that the field devices behind them could no longer be reached or reprogrammed from the control center, and wiped operator workstations with KillDisk. They also flooded the utilities' telephone call centers, which successfully hampered a coordinated response to the attack. The Crash Override (or 'Industroyer') framework, which speaks grid protocols directly to substation equipment, was used by the same group in a separate attack on a Kyiv transmission substation in December 2016.

This resembles Stuxnet, which embedded itself in the control systems of the Natanz enrichment facility in Iran and evaded detection for an extended period. Once they gain entry, these threats persist on the network: remove the malware from one machine and it reappears on another endpoint. This type of malware also deletes logs and hides its tracks, so its presence is hard to detect.

Attacks of this kind target PLCs, remote terminal units (RTUs) and other SCADA (supervisory control and data acquisition) devices that are essential to running power plants, substations and other large industrial facilities. These small embedded computers at the edge of the utility company's network perform dedicated functions such as controlling the speed of a turbine, operating generators, transformers and cooling towers, and reading smart-grid sensors.

It can be assumed that most advanced nations have their own advanced persistent threat (APT) force or hacking groups that are looking for these vulnerabilities in critical infrastructure around the world.

What saved the Ukrainians was that their substations could still be operated by hand alongside the automated operation that characterizes most modern grids. Technicians drove to the affected sites and closed the breakers manually, restoring power within a few hours. Manual control served as a stopgap while the control network was down, and it allowed the utilities to stay operational while they investigated and contained the malware.

In the US, most utilities moved away from routine manual operation decades ago, and the staff who knew how to run a plant or substation by hand have largely retired. If we had to fall back on manual operation, we would be far more exposed to this type of attack than the Ukrainian utilities were.

A Last Line of Defense Solution is Needed

In addition to a comprehensive end-to-end defense, a last line of defense is needed to protect the vulnerable devices in our power plants and substations. It should sit directly in front of each device and validate the commands going to it, so that when a PLC receives a command to switch its motor on or off, that command is checked in real time before the device ever acts on it.

This gives operators the ability to create a whitelist of allowed commands for each controller, and to block and/or alert on any command that falls outside it. For example, a policy can refuse setpoint writes that exceed a defined range, because a single out-of-range command could have catastrophic physical consequences.

Such a solution should be easy to deploy and fit into the existing control environment without interrupting operations. It should go beyond basic firewall, perimeter and signature-based defenses, extending protection to SCADA and other networked endpoints through protocol-specific parsing and command whitelisting, so that only well-formed, policy-conforming traffic reaches the device.
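As an added example of the whitelisting and range-checking described in the two paragraphs above (this is illustration code written for this page, not 3eTI's code and not part of the CyberFence product), the Python below validates Modbus/TCP requests on their way to a controller. Modbus/TCP is assumed here because the page does not name a protocol; the register map, the 3600 RPM limit and the sample frames are constructed for the example and do not describe any real device. The validator parses each frame, checks the function code, register and value against an allow-list, and blocks anything malformed, unknown or out of range (fail closed).

```python
import struct
from dataclasses import dataclass

# Standard Modbus function codes (values from the Modbus application protocol spec).
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06


@dataclass(frozen=True)
class RegisterRule:
    """Allow-list entry for one holding register on the protected controller."""
    name: str
    writable: bool
    min_value: int = 0
    max_value: int = 0xFFFF


# Hypothetical policy for one PLC. The register addresses and limits are
# assumptions made for this example, not taken from any real device.
POLICY = {
    0x0010: RegisterRule("turbine_speed_setpoint_rpm", writable=True, min_value=0, max_value=3600),
    0x0011: RegisterRule("turbine_speed_actual_rpm", writable=False),
}


def parse_modbus_tcp(frame: bytes):
    """Parse a Modbus/TCP ADU into (unit_id, function, address, operand).

    For reads the operand is the register quantity; for single-register and
    single-coil writes it is the value to write. Raises ValueError on any
    malformed frame so the caller can fail closed.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame length")
    function = frame[7]
    pdu = frame[8:]
    if function in (READ_HOLDING_REGISTERS, WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER):
        if len(pdu) != 4:
            raise ValueError(f"function 0x{function:02x} needs a 4-byte PDU body")
        address, operand = struct.unpack(">HH", pdu)
        return unit_id, function, address, operand
    # Any other function code is parsed far enough to name it and no further.
    return unit_id, function, None, None


def validate(frame: bytes, policy=POLICY) -> str:
    """Return 'ALLOW' or 'BLOCK: <reason>' for one request frame."""
    try:
        unit_id, function, address, operand = parse_modbus_tcp(frame)
    except ValueError as exc:
        return f"BLOCK: malformed frame ({exc})"

    if function == READ_HOLDING_REGISTERS:
        # Every register the read would touch must be on the allow-list.
        missing = [a for a in range(address, address + operand) if a not in policy]
        if operand == 0 or missing:
            return f"BLOCK: read touches registers outside allow-list {missing}"
        return "ALLOW"

    if function == WRITE_SINGLE_REGISTER:
        rule = policy.get(address)
        if rule is None:
            return f"BLOCK: write to unknown register 0x{address:04x}"
        if not rule.writable:
            return f"BLOCK: {rule.name} is read-only"
        if not rule.min_value <= operand <= rule.max_value:
            return f"BLOCK: {rule.name}={operand} outside [{rule.min_value}, {rule.max_value}]"
        return "ALLOW"

    # Coil writes, diagnostics, file-record and vendor-specific functions are
    # not on the allow-list for this controller at all.
    return f"BLOCK: function code 0x{function:02x} not permitted"


def mbap(function: int, body: bytes, transaction_id: int = 1, unit_id: int = 1) -> bytes:
    """Build a Modbus/TCP ADU; used only to construct the sample frames below."""
    pdu = bytes([function]) + body
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample traffic, as a device sitting in front of the PLC would see it.
SAMPLE_FRAMES = {
    "setpoint_3000_rpm": mbap(WRITE_SINGLE_REGISTER, struct.pack(">HH", 0x0010, 3000)),
    "setpoint_9000_rpm": mbap(WRITE_SINGLE_REGISTER, struct.pack(">HH", 0x0010, 9000)),
    "write_readonly":    mbap(WRITE_SINGLE_REGISTER, struct.pack(">HH", 0x0011, 0)),
    "read_two_regs":     mbap(READ_HOLDING_REGISTERS, struct.pack(">HH", 0x0010, 2)),
    "read_past_map":     mbap(READ_HOLDING_REGISTERS, struct.pack(">HH", 0x0010, 3)),
    "coil_write":        mbap(WRITE_SINGLE_COIL, struct.pack(">HH", 0x0000, 0xFF00)),
    "vendor_function":   mbap(0x2B, b"\x0e\x01\x00"),
    "truncated":         b"\x00\x01\x00\x00\x00\x06\x01\x06\x00",
}


def check_all(frames=SAMPLE_FRAMES, policy=POLICY) -> dict:
    """Run the validator over every sample frame and return the decisions."""
    return {name: validate(frame, policy) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, decision in check_all().items():
        print(f"{name:20s} {decision}")
```

Only the in-range setpoint write and the read that stays inside the mapped registers are allowed; the over-range write, the write to a read-only register, the read that runs past the map, the coil write, the vendor-specific function and the truncated frame are all blocked with a reason that can be logged or alerted on. In a real deployment the decision would gate forwarding of the frame to the controller, and the policy would be derived from the device's documented register map rather than written by hand.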

3eTI's CyberFence CIP series acts as such a last line of defense for these vulnerable industrial devices: it sits in front of them and validates every command sent to the controller.

Malware response needs to be examined as part of a holistic risk assessment within a complete end-to-end solution. No single device solves all of the problems described above; a last line of defense provides the final check on commands reaching the equipment and should be used as one layer in a robust, layered cyber-physical defense.
