This afternoon the DHS ICS-CERT published an incident response alert for the power outages in the Ukraine that occurred on December 23rd, 2015. ICS-CERT reports “that power outages were caused by remote cyber intrusions at three regional electric power distribution companies”.
The Report
ICS-CERT reports that the attacks on multiple facilities occurred within 30 minutes of each other. The actual power outage was caused by attackers remotely shutting off breakers either through “existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections”. To hamper recovery efforts, the attackers:
• Used KillDisk malware to over-write HMI interfaces embedded on remote terminal units (RTU);
• Corrupted firmware on Serial-to-Ethernet communications devices at substations; and
• Scheduled disconnects of UPS devices via their remote management interfaces.
The Alert also reported the previously identified fact that BlackEnergy malware had been detected on systems of the affected utilities, but ICS-CERT noted that they “do not know whether the malware played a role in the cyber-attacks”.
The report contains a relatively lengthy section on mitigation measures for industrial control systems. In addition to the measures reported in the ICS-CERT defense-in-depth strategies publication, the report recommends:
• Implementation of information resources management best practices;
• Develop and exercise contingency plans that allow for the safe operation or shutdown of operational processes in the event that their ICS is breached;
• Use Application Whitelisting (AWL) to detect and prevent attempted execution of malware uploaded by malicious actors;
• Isolate ICS networks from any untrusted networks, especially the Internet; and
• Limit Remote Access functionality wherever possible.
The report concludes by reporting that, in addition to the previously identified YARA rules for the identification of BlackEnergy infections, additional indicators of compromise developed for this incident can be found in a restricted distribution (TLP Green) publication (IR-ALERT-H-16-043-01P) on the US-CERT Secure Portal.
The Response
The response on TWITTER® was fairly quick this afternoon and was generally less than positive. Most of the negatives were about the lack of detailed data and the references in the report to the lack of technical information available to investigators. A good summary of these concerns about the report’s deficiencies has been provided in a SANS blog post by Robert M. Lee.
A major concern seems to be that this is more of a political document than a technical report. It has been suggested that the information in this alert should have been released weeks ago by a political appointee and that this report should have provided more technical analysis that would aid system owners in the United States in detecting, delaying and stopping this type of attack.
Commentary
While certainly overdue (the facts in this report were publicly reported by a number of cybersecurity organizations weeks ago), this report is important because it is an official statement by the US Government that a successful cyber-physical attack did take place against electrical utilities in the Ukraine. What is missing from that declaration, however, is an equally clear statement that a similar successful attack could occur in the United States.
The mitigation measures suggested by this report are important tools in preventing a malware-based cyber-attack. What is missing is an admission that, even if these measures (with one exception) had been in place in the affected utilities, the attack would still have been successful. None of the security measures address the fact (not reported here) that the BlackEnergy malware that was put into place by a phishing attack allowed the attackers to gain authorized access to the control systems to execute the attacks that shut down the breakers.
The only mitigation measure mentioned that might have addressed this attack avenue is found in one sentence: “Remote access should be operator controlled, time limited, and procedurally similar to ‘lock out, tag out’.” Even this may not have been adequate since the attackers were using operator level access. A more expansive discussion of what the terms ‘operator controlled’ and ‘time limited’ actually mean may have shown how they could have been used to prevent this attack.
The main point of that mitigation measure should have been that remote access should be viewed as a non-standard condition that requires formal management risk assessment and approval: the well-established ‘lock out, tag out’ process. Systems legitimately requiring remote access should have to be taken off-line, physically isolated from the controlled process and then have to be verified operational before they are placed back in-line. This would have stopped the actual attack that shut down power distribution in the Ukraine in December.
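As an added illustration of what ‘operator controlled’ and ‘time limited’ remote access could mean in practice, the following is example code written for this post, not code from ICS-CERT, the alert, or any utility. It models the two paragraphs above: the remote path is locked by default, a management approval defines a bounded window, and a local operator must still open the path for a short period. The system and account names, the 4-hour limit, the 60-minute operator default and the sample timestamps are all constructed.

```python
"""
Added example (not from the ICS-CERT alert or this post): remote access to a
control system treated as a non-standard, operator-controlled, time-limited
condition in the spirit of 'lock out, tag out'.  All names and limits are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
MAX_WINDOW = timedelta(hours=4)   # constructed policy limit: no standing remote access


@dataclass(frozen=True)
class Approval:
    """One management-approved remote access window (constructed schema)."""
    system: str
    account: str
    approved_by: str           # hypothetical: manager who signed the risk assessment
    start: datetime
    end: datetime


@dataclass
class OperatorEnable:
    """The local operator opening the remote path, analogous to removing a tag."""
    system: str
    operator: str
    enabled_at: datetime
    expires_at: datetime


class RemoteAccessGate:
    """Decides whether a remote session may be opened to a control system.

    The path is denied by default; a session is allowed only when a current
    management approval AND a live operator enable both exist.  Credentials are
    deliberately not an input: a valid operator-level login from a phished
    account gets the same answer as anyone else.
    """

    def __init__(self, approvals, max_window=MAX_WINDOW):
        self.max_window = max_window
        self.approvals = {}
        for a in approvals:
            if a.end - a.start > max_window:
                # Standing access is rejected when loaded rather than honoured.
                raise ValueError(f"approval for {a.account}@{a.system} exceeds {max_window}")
            self.approvals[(a.system, a.account)] = a
        self.enables = {}   # system -> OperatorEnable
        self.audit = []     # (timestamp, system, account, allowed, reason)

    def operator_enable(self, system, operator, now, minutes=60):
        """Local operator opens the path for a bounded time (constructed default 60 min)."""
        self.enables[system] = OperatorEnable(system, operator, now,
                                              now + timedelta(minutes=minutes))

    def operator_disable(self, system):
        """Operator re-locks the path; any later request is denied until re-enabled."""
        self.enables.pop(system, None)

    def evaluate(self, system, account, now):
        """Return (allowed, reason) and record every decision for later review."""
        decision = self._decide(system, account, now)
        self.audit.append((now.isoformat(), system, account, *decision))
        return decision

    def _decide(self, system, account, now):
        approval = self.approvals.get((system, account))
        if approval is None:
            return False, "no management approval on file"
        if not (approval.start <= now < approval.end):
            return False, "outside approved window"
        enable = self.enables.get(system)
        if enable is None:
            return False, "remote path locked: no operator enable"
        if now >= enable.expires_at:
            self.enables.pop(system, None)   # expired enables are cleared, not reused
            return False, "operator enable expired"
        return True, f"approved by {approval.approved_by}, enabled by {enable.operator}"


def demo():
    """Constructed scenario: one 2-hour approval, requests inside and outside it."""
    t0 = datetime(2015, 12, 23, 14, 0, tzinfo=UTC)   # date from the alert; time constructed
    gate = RemoteAccessGate([
        Approval("substation-7-hmi", "vendor_support", "plant_manager",
                 t0, t0 + timedelta(hours=2)),
    ])
    minute = timedelta(minutes=1)
    results = {}
    # Approved window is open, but no operator has unlocked the path yet.
    results["before_enable"] = gate.evaluate("substation-7-hmi", "vendor_support", t0)[0]
    gate.operator_enable("substation-7-hmi", "shift_operator", t0, minutes=30)
    results["during"] = gate.evaluate("substation-7-hmi", "vendor_support", t0 + 10 * minute)[0]
    # Operator enable lapsed after 30 minutes even though the approval still runs.
    results["after_enable_expired"] = gate.evaluate("substation-7-hmi", "vendor_support", t0 + 45 * minute)[0]
    # An account that may authenticate fine but has no approval on file.
    results["unapproved_account"] = gate.evaluate("substation-7-hmi", "ops_admin", t0 + 10 * minute)[0]
    # Request after the approval window has closed.
    results["after_window"] = gate.evaluate("substation-7-hmi", "vendor_support", t0 + 3 * timedelta(hours=1))[0]
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} -> {'ALLOW' if allowed else 'DENY'}")
```

The design point is that the decision never consults who logged in: holding operator-level credentials, which is how the attackers in this incident reached the breakers, is not enough when the path itself is locked and only a person on site can open it for a bounded period. The audit list gives the reviewer the same record a paper tag would.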
If the ICS-CERT restricted distribution report does have more complete (and effective) indicators of compromise (IOC) than just the BlackEnergy YARA rules, it is disappointing that those indicators were not released in today’s report. Certainly, the initial distribution of IOC should be limited to critical infrastructure facilities that are likely to be affected by a similar attack. This allows those facilities to take effective measures to search their systems for such indicators and take appropriate mitigation measures.
At some point, however, the remainder of the control system community (owners, vendors, researchers and commentators) needs to be made aware of those IOC. This would allow owners of non-critical infrastructure to take measures (as appropriate) to prevent such attacks on their systems. More importantly, it would allow for a more general discussion of the associated vulnerabilities that could lead to prevention of related attacks or development of more effective or cheaper mitigation measures.
We all have to remember, however, that this is the first time that ICS-CERT was allowed to report on an actual successful control system attack resulting in a cyber-physical effect. For what appears to be obvious reasons in hindsight, ICS-CERT effectively ignored Stuxnet. So, ICS-CERT (and the politicians that control it) are still trying to figure out what they are going to do with actual, clearly identified attack information.
If, as it appears, ICS-CERT is withholding information at this late date (two months since the attack) about details of indicators of compromise, it bodes ill for the DHS mandate to establish a cybersecurity information sharing process. Information about IOC is the main thing that the private sector wants from DHS. If they are not willing to share that information, there is no need for the private sector to share information about attacks with DHS.