Recent attacks on Ukraine’s power grid mark an escalation in hostilities whose implications need to be noted across industry, writes Richard Piggin.
On 23 December 2015, Ukrainian media reported that a cyber-attack had left half of the homes and 1.4 million people in the country’s Ivano-Frankivsk region without electricity. Although services were restored within hours, this was largely through manual intervention rather than through recovery of the automation systems. Slovakian security firm ESET reported that the initial incident was not isolated, and that multiple electricity companies had been affected. Ukraine blamed Russia.
The US Industrial Control Systems Computer Emergency Response Team (ICS-CERT), working with its Ukrainian counterpart CERT-UA, confirmed the presence of BlackEnergy 3 malware. A further investigation by a US inter-agency team found that the power outages were caused by remote cyber intrusions at three regional electricity-distribution companies. Three other organisations experienced intrusions, but were unaffected. The cyber-attack followed extensive reconnaissance of the victims’ networks and was synchronised and coordinated, with the attacks on the three companies occurring within 30 minutes of each other.
While physical damage is rare, reconnaissance of the power grid has been widely reported, prompting warnings of conventional retaliation from the US and the development of America’s Cyber Security Framework for critical infrastructure. The Ukraine event is significant because it is the first confirmed cyber-attack on the grid. The companies believe that remote access credentials were acquired in advance. Afterwards, some systems were wiped by executing KillDisk malware, which erases selected files and corrupts the master boot record. In at least one instance, Windows-based human-machine interfaces embedded in remote terminal units were also overwritten. The actors also made serial-to-Ethernet devices at substations inoperable by corrupting their firmware, and used a remote-management interface to schedule disconnects for server uninterruptible power supplies.
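As an added illustration of the KillDisk behaviour described above (this is example code written for this page, not code from the article, ICS-CERT or any vendor), the check below compares the first sector of a disk image or copied boot sector against a known-good baseline, flagging a missing boot signature, an emptied partition table or any byte-level change. The device path, the sample sector bytes and the baseline digest are all constructed here for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a block device or disk image (path is supplied by the caller)."""
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


def mbr_fingerprint(mbr: bytes) -> str:
    """SHA-256 over the whole sector: boot code, partition table and signature."""
    return hashlib.sha256(mbr[:MBR_SIZE]).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Decode the four 16-byte primary partition entries; unused entries (type 0) are skipped."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        boot_flag, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:
            entries.append({"index": i, "bootable": boot_flag == 0x80,
                            "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, baseline_digest: str) -> list:
    """Return a list of findings; an empty list means the sector matches the known-good baseline."""
    if len(mbr) < MBR_SIZE:
        return ["short read: expected %d bytes, got %d" % (MBR_SIZE, len(mbr))]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing boot signature 0x55AA")
    if not parse_partitions(mbr):
        findings.append("partition table empty")
    if mbr_fingerprint(mbr) != baseline_digest:
        findings.append("MBR differs from baseline")
    return findings


# Constructed sample data: a healthy sector with one bootable NTFS-type partition
# starting at LBA 2048, and a sector overwritten with zeros as a wiper would leave it.
_entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
GOOD_MBR = (bytes(range(1, 256)) * 2)[:446] + _entry + bytes(48) + BOOT_SIGNATURE
WIPED_MBR = bytes(MBR_SIZE)
BASELINE = mbr_fingerprint(GOOD_MBR)  # captured once while the system is known-good
```

In practice the baseline digest is recorded at commissioning and stored off the host, so a wiped sector is detected by comparison rather than by trusting the machine that may have been tampered with.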
The ICS-CERT alert is another warning about a sophisticated malware campaign that has targeted industrial control systems since 2011 and whose perpetrators have a deep knowledge of industrial software and protocols.
Although it can be difficult to attribute these attacks, publicly available evidence clearly demonstrates increasing risk. The latest US ICS-CERT ‘Year in Review’ report shows a 20 per cent increase in reported ICS cyber incidents last year, as well as confirming that cyber-attacks against manufacturing companies doubled.
Connectivity between the IT and OT environments has dramatically increased given the demand for business optimisation, facilitated by technology convergence. Attacks can move laterally between the previously isolated ‘air-gapped’ environments, increasing risk.
Credit rating agencies, insurers, merger and acquisition consultants and lawyers are all likely to demand evidence of an ICS-focused cyber-security strategy, governance, supply chain management and risk-based measures. Since cyber events are inevitable, well-developed incident response plans are essential.
What measures might provide suitable evidence that ICS systems have appropriate protection? Collaboration and information sharing are highly recommended via the UK Control Systems Information Exchanges and CERT-UK’s Cyber-Security Information Sharing Partnership.
The UK government’s Centre for the Protection of National Infrastructure (CPNI) has recently issued updated guidance on securing ICS, and there are more complex security standards that might be applicable. However, a simpler approach such as Cyber Essentials for ICS is likely to be followed in the absence of suitable accreditation.
The Seven Steps to Effectively Defend Industrial Control Systems is a starting point for manageable good practice, along with a defence-in-depth strategy. Similarly, a list of 10 basic cyber-security measures developed for water utilities offers complementary guidance, with advice for successful programme implementation.
Dr Richard Piggin CEng MIET is a capability manager with Atkins and chair of the IET’s Cyber Security Community (communities.theiet.org).