Recently, it was reported that North Korea was exploring ways to penetrate our electrical grid – most likely to position the country to launch a preemptive or retaliatory cyber-attack. The article, available at www.securityinfowatch.com/12374400, describes a spear phishing attack sent to people in the electric utility industry that used fake fundraiser invitations containing malware. The story suggests that this was the first such attempt by the North Koreans, although this technique has been used previously by Russian hackers.
As a refresher, spear phishing is the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.
It is difficult for me to believe this North Korea’s first attempt; in fact, their cyber warfare capability has been clear for some time and gained notoriety after the Sony hack. If the Russians have the capability to take down a power grid, it is not an unreasonable assumption that North Korea has access to many of the same tools.
It is helpful to look at a recent set of events to understand how this can work, and a 2015 directed cyberattack on the Ukrainian power grid provides a good example. The attack cut power to 225,000 customers, followed by a smaller one a year later in Dec. 2016 in Kiev.
For integrators who help protect critical infrastructure, this is must-read and must-understand stuff; for integrators who service less regulated but still cyber-vulnerable clients, it should serve as an illustration of their responsibilities to help clients craft effective cybersecurity best practices.
Phishing Attack Leads to SCADA Exploit
The first steps in the Dec. 2015 attack in Ukraine were taken the previous spring with a spear-phishing campaign targeting IT staff and system administrators working for Ukrainian power distribution companies. A malicious Word document contained in the email, if opened, would display a popup asking users to enable macros in the document. The macros were designed to infect the target machine with a malware program called BlackEnergy3 and open a backdoor.
One infected, program enabled the hackers to establish a foothold and utilize keystroke loggers to perform login credential theft, and over the course of a few months, they conducted extensive reconnaissance by mapping networks and obtaining access to user accounts. Among the stolen worker credentials were those for VPNs used to remotely log in to the Supervisory Control and Data Acquisition (SCADA) network – used to monitor and control utility plants and related equipment. Hackers also reconfigured UPS systems to prevent them from coming back online once they were disabled.
On the day of the attack, the hackers entered the SCADA networks with the hijacked VPNs and sent commands to disable the reconfigured UPS systems; then, they launched a telephone denial-of-service (TDOS) attack against customer call centers to prevent calls reporting the outage. The combined attacks left the utility blind to what was happening.
Next, the hackers overwrote firmware with malicious programs on substation serial-to-Ethernet converters – designed to communicate serially (e.g. RS-232) from the SCADA network to the substation control systems. Without working converters, operators were unable to send remote commands to close the breakers to restore power – requiring them to travel to substations to physically close them.
After they had completed all of this, hackers then used a piece of malware called KillDisk to wipe files from operator stations to crash and to render them inoperable. Because the malware also overwrites the master boot record, infected computers could not reboot. For further analysis on the attack from SANS and E-ISAC (Electricity Information Sharing and Analysis Center), visit www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf.
All this from an employee opening a single malware-infected email attachment!
U.S. Power Grid Vulnerabilities
Experts suggest that control systems in Ukraine were more secure than some in the U.S., because they were segmented via firewall from the control center business networks. The SCADA network, however, had no requirement for two-factor authentication for workers logging in remotely – which enabled the attackers to use hijacked credentials to gain crucial access to the systems controlling the breakers. While Ukrainian operators had to manually reset breakers, some U.S. systems do not have this ability.
As the definitive SANS/E-ISAC report concludes: “The attacks highlight the need to develop active cyber defenses, capable and well-exercised incident response plans, and resilient operations plans to survive a sophisticated attack and restore the system. Nothing about the attack in Ukraine was inherently specific to Ukrainian infrastructure. The impact of a similar attack may be different in other nations, but the attack methodology, Tactics, Techniques and Procedures (TTPs) observed are employable in infrastructures around the world.”
Integrators with clients specifically in the utility market are encouraged to offer the following cybersecurity recommendations, culled from several sources – although most of them apply to clients in just about any industry:
- Identify, minimize and secure all network connections
- Disable unnecessary services, ports and protocols
- Enable available security features
- Implement robust configuration management practices
- Continually monitor and assess the security of networks and interconnections
- Implement a risk-based defense-in-depth approach to securing systems and networks
- Manage the human element, clearly identifying requirements, establishing performance expectations, holding individuals accountable, establishing policies; and providing security training for all operators and administrators.
- Use two-factor authentication for users where warranted
- Disable unnecessary remote access
Ray Coulombe is Founder and Managing Director of SecuritySpecifiers and RepsForSecurity.com. Reach him at [email protected], through LinkedIn at www.linkedin.com/in/raycoulombe or follow him on Twitter: @RayCoulombe.
