This afternoon the DHS ICS-CERT updated their alert on Black Energy that was originally published in October and most recently updated on February 1st. As with most of the updates that have been published, today’s modifies the way that the Yara rules for detecting Black Energy are listed.
Today’s update provides links to the latest version of the Yara tool on GitHub, to a separate text file containing the Black Energy signature, and to the Yara documentation site.
It certainly seems that ICS-CERT intends to rely on the Yara tool to help organizations detect systemic attacks like Black Energy. Yara looks like a very valuable tool for Windows® based systems (and a lot of ICS components are Windows based), but ICS-CERT notes that there may be problems using it on other ‘high-end’ ICS components, and it almost certainly cannot be used on ‘the majority of field devices’. Yara scans files and memory on the host where it runs; a PLC, RTU or other controller running vendor firmware cannot host the tool, so those devices can only be checked indirectly, for example by scanning firmware images or project files extracted from them.
It would be extremely helpful if ICS-CERT could do (or have someone else do) some additional research on the use of the Yara tool on common control system components. That would allow them to provide more guidance than the two sentences in the Alert:
“Test the use of the signature in the test/quality assurance/development ICS environment if one exists. If not, deploy the signature against backup or alternate systems in the top end of the ICS environment; this signature will not be usable on the majority of field devices.”
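What that pre-deployment test looks like in practice is worth spelling out. The block below is an added illustration, not code from the Alert and not the YARA engine: it implements a small toy subset of the rule syntax (text strings with an optional nocase modifier, fixed hex strings, and an "N of them" condition) and runs a constructed rule against constructed stand-ins for a test/QA environment. The rule, its strings and the sample files are invented for this example and have no relation to the published Black Energy signature or to any real malware; an actual check would use the yara binary or yara-python with the rule file ICS-CERT links to.

```python
"""Toy YARA-style signature check (added example; not the YARA engine and not
the ICS-CERT Black Energy rule).  Shows the validation step a signature
should pass in a test/QA ICS environment: fire on every positive control,
fire on none of the benign controls."""
import re

# Constructed rule in YARA syntax.  Strings are invented for this example.
RULE_TEXT = r'''
rule toy_dropper_indicator
{
    strings:
        $marker = "ExampleDropperMarker" nocase
        $pipe   = "\\pipe\\example_c2"
        $mz     = { 4D 5A 90 00 }
    condition:
        2 of them
}
'''

STRING_DEF = re.compile(r'^\s*(\$\w+)\s*=\s*(.+?)\s*$')


def compile_rule(text):
    """Parse one rule into (name, {identifier: compiled bytes regex}, needed)."""
    name = re.search(r'\brule\s+(\w+)', text).group(1)
    strings_block = re.search(r'strings:(.*?)condition:', text, re.S).group(1)
    condition = re.search(r'condition:\s*(.+?)\s*}', text, re.S).group(1).strip()

    patterns = {}
    for line in strings_block.splitlines():
        m = STRING_DEF.match(line)
        if not m:
            continue
        ident, body = m.groups()
        if body.startswith('"'):
            # Text string: "literal" followed by optional modifiers (only nocase here).
            literal, _, modifiers = body[1:].partition('"')
            raw = literal.encode().decode('unicode_escape').encode('latin-1')
            flags = re.IGNORECASE if 'nocase' in modifiers.split() else 0
            patterns[ident] = re.compile(re.escape(raw), flags)
        elif body.startswith('{'):
            # Hex string with fixed bytes only (no wildcards or jumps in this toy).
            raw = bytes.fromhex(body.strip('{} ').replace(' ', ''))
            patterns[ident] = re.compile(re.escape(raw))
        else:
            raise ValueError(f'unsupported string definition: {line.strip()}')

    if condition == 'any of them':
        needed = 1
    elif condition == 'all of them':
        needed = len(patterns)
    else:
        m = re.fullmatch(r'(\d+) of them', condition)
        if not m:
            raise ValueError(f'unsupported condition: {condition}')
        needed = int(m.group(1))
    return name, patterns, needed


def scan(rule, data):
    """Return {identifier: [offsets]} for every rule string found in data."""
    _, patterns, _ = rule
    return {ident: [m.start() for m in pat.finditer(data)]
            for ident, pat in patterns.items() if pat.search(data)}


def matches(rule, data):
    """True when at least 'needed' distinct strings occur in data."""
    return len(scan(rule, data)) >= rule[2]


def validate_signature(rule, positive_controls, benign_controls):
    """Return (missed positives, false positives).  Both lists must be empty
    before the rule is pushed to production hosts, where a false positive on a
    legitimate HMI or engineering-workstation binary would be disruptive."""
    missed = [n for n, d in positive_controls.items() if not matches(rule, d)]
    false_positives = [n for n, d in benign_controls.items() if matches(rule, d)]
    return missed, false_positives


# Constructed sample files standing in for a test/QA ICS environment.
POSITIVE_CONTROLS = {
    # MZ header plus the marker: two strings, so the rule fires.
    'sample_dropper.exe': b'MZ\x90\x00' + b'\x00' * 32 + b'ExampleDropperMarker' + b'\x00' * 8,
    # Marker in a different case plus the named pipe: nocase still catches it.
    'sample_loader.dll': b'exampledroppermarker ... \\pipe\\example_c2 ...',
}
BENIGN_CONTROLS = {
    # Ordinary executable: only the MZ header matches, one string, no alert.
    'hmi_runtime.exe': b'MZ\x90\x00' + b'\x00' * 32 + b'Historian client build 4.2',
    'plc_project.cfg': b'[network]\nplc_ip=192.0.2.10\nscan_ms=50\n',
}


def run_example():
    rule = compile_rule(RULE_TEXT)
    return validate_signature(rule, POSITIVE_CONTROLS, BENIGN_CONTROLS)


if __name__ == '__main__':
    missed, false_positives = run_example()
    print('missed positives :', missed or 'none')
    print('false positives  :', false_positives or 'none')
```

The point of the two control sets is the part of the ICS-CERT advice that is easy to skip: the benign controls should be the actual HMI, historian and engineering-workstation images from the top end of the plant, because a Yara string that happens to appear in a vendor binary turns into a false alarm on every production host once the rule is deployed.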
Tools like Yara will only become more valuable as the ICS threat environment continues to get more complex. ICS-CERT should be a leader in developing the use of such tools and helping get them into use in the field. Lacking their leadership, we are going to have to rely on vendors to develop these types of tools for specific use on their own systems, and I don’t see any beyond maybe the top three or so having the resources to do that.