How to Thwart A BlackEnergy Type Malware Attack in Electric Utilities

Nation-states interfering in the utility grids of other nations

Tuesday, July 17, 2018 — We have seen a recent trend of nation-states interfering in the utility grids of other nations as a precursor to invasion or war. The nation-state goes in and disables the utilities to cause general confusion and mayhem before it starts its physical attack. This is what happened in the Ukrainian power plants in 2015.

The Sandworm Team, a cyber group based in Russia, is widely believed to have been behind the BlackEnergy (BE) malware attack impacting approximately 225,000 Ukrainian customers. Using the Crash Override (or ‘Industroyer’) malware frameworks, the Sandworm Team sent malicious commands to the programmable logic controllers (PLCs) at the Ukrainian power plants, bricking these devices with malicious firmware so that they could no longer be reprogrammed to work properly. The attackers also disabled telephone communications at the utility, which successfully thwarted a coordinated response to the malware attack.

This was similar to the Stuxnet attack, in which the malware embedded itself in the Natanz nuclear facility in Iran and evaded detection. Once they gain entry, these threats are persistent in the network. Even if removed from one machine, the malware will simply move to another endpoint on the network. This type of malware deletes logs and hides its tracks, so you cannot detect its presence.

The BlackEnergy attack impacted PLCs, remote terminal units (RTUs) and other SCADA (supervisory control and data acquisition) devices that are essential to running power plants and other large industrial facilities. These tiny embedded computers at the edge of the utility company’s network perform dedicated functions such as controlling the speed of a turbine, operating generators, transformers, cooling towers, and smart grid sensors.

It can be assumed that most advanced nations have their own advanced persistent threat (APT) force or hacking groups that are looking for these vulnerabilities in critical infrastructure around the world.

What saved the Ukrainians was that they had continued to conduct manual operations of their power plants alongside the automatic operations that characterize most modern power plants. Because of this they were able to switch the plants over to manual control as a stopgap solution for their control network being down. This allowed them to stay somewhat operational while they investigated and contained the malware threat.

In the US we haven't used manual operation for several decades. The people with knowledge of how to manually operate a power plant are long gone. If we had to fall back on manual operation, we would be extremely vulnerable to this type of attack.

A Last Line of Defense Solution is Needed

In addition to a comprehensive end-to-end defense, a last line of defense is needed to protect our power plants’ vulnerable devices. This last line of defense should sit in front of devices and validate the commands going to them. So, if a PLC is getting a command to turn its motor on and off, that command is actually being validated in real-time.

This provides operators with the ability to create a whitelist of allowed commands for controllers, while preventing and/or alerting on any commands that fall outside of what is allowed. For example, equipment can be restricted from accepting commands that exceed a certain range, because the consequences could be catastrophic.

This solution should be easy to implement, seamlessly fitting into the control environment, to shield critical infrastructure against cyberattacks without interruption. It should surpass the basic firewall, perimeter and signature-based defense, extending protection to SCADA and other networked system endpoints using protocol-specific parsing and whitelisting to assure data integrity.
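The command validation described above, as an added example (not code from 3eTI or from the author of this article): a default-deny check for one request frame. It assumes the protected controller speaks Modbus/TCP, which the article does not specify, and the unit id, register address and 0-3600 range in POLICY are constructed values.

```python
import struct

# Constructed policy (assumption): unit 1 is a turbine controller whose
# holding register 40 is a speed setpoint limited to 0-3600.
POLICY = {
    1: {
        "read_functions": {0x03, 0x04},      # read holding / input registers
        "write_registers": {40: (0, 3600)},  # address -> (min, max)
    },
}

def check_frame(frame: bytes, policy=POLICY):
    """Return (verdict, reason) for one Modbus/TCP request frame."""
    if len(frame) < 8:
        return ("DROP", "truncated frame")
    # MBAP header: transaction id, protocol id, length, unit id
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return ("DROP", "protocol id is not Modbus")
    if length != len(frame) - 6:
        return ("DROP", "MBAP length does not match frame size")
    rules = policy.get(unit)
    if rules is None:
        return ("DROP", f"unit {unit} not in policy")
    func, body = frame[7], frame[8:]
    if func in rules["read_functions"]:
        return ("ALLOW", f"read function 0x{func:02x}")
    if func == 0x06:  # Write Single Register: address, value
        if len(body) != 4:
            return ("DROP", "malformed write-single-register")
        addr, value = struct.unpack(">HH", body)
        limits = rules["write_registers"].get(addr)
        if limits is None:
            return ("DROP", f"register {addr} is not writable")
        lo, hi = limits
        if not lo <= value <= hi:
            return ("DROP", f"value {value} outside {lo}-{hi}")
        return ("ALLOW", f"write {value} to register {addr}")
    # Default deny: every other function code is rejected.
    return ("DROP", f"function 0x{func:02x} not allowlisted")

def build(unit: int, func: int, body: bytes) -> bytes:
    """Build a constructed request frame for exercising check_frame."""
    return struct.pack(">HHHB", 1, 0, len(body) + 2, unit) + bytes([func]) + body

if __name__ == "__main__":
    for value in (3000, 9000):  # in-range and out-of-range setpoints
        print(value, check_frame(build(1, 0x06, struct.pack(">HH", 40, value))))
```

In a deployment, a DROP verdict would also raise an alert, matching the "preventing and/or alerting" behaviour described above.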

3eTI’s CyberFence CIP series acts as a last line of defense to protect these vulnerable industrial devices. It sits in front of them and validates all of the commands going to that controller.

Malware response needs to be examined as part of a holistic risk assessment within a complete end-to-end solution. No single device can solve all of the problems described above; only a last line of defense approach will provide the requisite protection and should be used as part of a robust and layered cyber-physical defense.