On Dec. 23, a blackout hit the western part of Ukraine, affecting a region served by three power-generation centers. As the two power companies affected by the outage recovered, their support centers were inundated with fake phone calls, blocking legitimate customers from reaching the companies' staff. Within hours, officials for the power companies concluded that a coordinated attack on their information systems, including malware that wiped infected systems, was responsible for the outages.
Industrial control system (ICS) security experts have since confirmed many of the details of the attack. While the companies recovered within hours, the impact of the attack will take far longer to become apparent, Robert M. Lee, a SANS-certified instructor and ICS security expert, told eWEEK.
For more than a decade, security researchers have warned manufacturers and power companies that their networks are vulnerable. Yet demonstrations tend to have a much greater impact and could convince other cyber-attackers to focus on power companies, he said.
“The big lesson here is that someone crossed the threshold of having an actual cyber-attack—not just an intrusion, or malware on the network—but that someone actually brought down a power system through cyber means,” said Lee, a former cyber-warfare operations officer for the U.S. Air Force. “That is an historic event, it has never occurred before, and there needs to be an international response by political leaders to talk about this because it sets a precedent going forward.”
While security professionals have often warned about the vulnerability of critical infrastructure, attacks continue to be relatively rare. Although a variety of cyber-focused actors have begun targeting ICS environments, the lion's share do not get past the front door. In its summary of incident response statistics, the ICS Cybersecurity Emergency Response Team (ICS-CERT) found that 69 percent of attacks in 2015 did not successfully gain access to any system within a critical-infrastructure organization. However, attackers are becoming more successful: 12 percent of attacks compromised control systems in 2015, compared with 9 percent in 2014.
“We’ve all known for years now the critical infrastructure has been vulnerable, but what has really made this an issue is the convergence of information networks connected to the Internet and the operational ICS networks,” Ed Cabrera, vice president of cyber-security strategy at Trend Micro, told eWEEK. “Companies want remote support and they want real-time metrics for billing, for example, but that accessibility exposes the networks to attack.”
While Ukrainian officials have blamed Russia for the attack—a likely scenario—there is no solid evidence of such a connection, according to the SANS Institute’s Lee. In addition, while the attacker used a common malware program known as BlackEnergy, along with a component that wiped the hard drives of infected systems, that capability is unlikely to have caused the outage, he said.
Yet critical-infrastructure firms and political leaders should take some powerful lessons away from the incident.
1. Critical infrastructure will be a target
Attacks on critical infrastructure have generally fallen into three categories. Security researchers have demonstrated significant vulnerabilities in the technologies and systems on which critical infrastructure firms rely. Malware infections have disrupted the information networks and systems at critical-infrastructure firms. And a very small number of nation-state attacks, such as Stuxnet, have led to actual physical damage.
Most attacks fail to gain access to critical systems, but more than half of critical infrastructure firms surveyed by Trend Micro saw an increase in attacks against their systems in 2015. Only 7 percent saw a decline.
Attacks on Ukrainian Power Providers Hold Lessons for the Future
Power companies are the No. 2 target of attacks, with about 16 percent of attacks focused on energy firms, according to the ICS-CERT report. Ninety-seven of nearly 300 incidents reported in 2015 targeted critical-manufacturing firms, 8 percent targeted companies responsible for water and another 8 percent focused on transportation-system providers.
Yet the demonstration of a successful attack on power companies may embolden attackers, Lee said. “Is this possible in the U.S.? Absolutely,” he said. “BlackEnergy has already targeted power companies in the U.S. However, the impact would have been different because we have a more hardened grid and a more secure system.”
Yet while blacking out U.S. regions would be more difficult for attackers, recovering from a blackout would be more difficult for the defenders because the responsibility for the U.S. power grid is distributed among many companies, he said.
2. Wiper malware increasingly used to hide tracks
Companies should also be ready for increasingly damaging malware. The attackers targeting Ukrainian power companies used a module of BlackEnergy, known as KillDisk, to delete data and crash infected systems.
While such a destructive tactic is not new—attacks against oil and gas firms Saudi Aramco and RasGas, as well as South Korean banks and Sony Pictures, employed wiper capabilities—the use of the functionality against a critical infrastructure provider marks an escalation, said Trend Micro’s Cabrera.
“This is definitely a milestone, unfortunately, in the use of destructive malware in an attack on critical infrastructure,” he said. “It highlights a concern that everyone in critical infrastructure should have around what we are doing to protect ourselves.”
3. Telephone DDoS attacks hinder response
The use of telephone-based denial-of-service attacks against call centers is another trend that will likely become a standard tactic in the future. The technique, often used against victims of financial-account takeovers, can delay the detection of an attack, said the SANS Institute’s Lee.
“The interesting thing about the attack on the call center is that, as an operator of an electric grid, there are two ways to know the power is out,” he said. “Your SCADA [supervisory control and data acquisition] system is telling you so, or the customers are calling in. Since they did not have access to SCADA systems, they had to rely on customers, but the attackers interfered with that.”
While previous international attacks have largely gone unpunished, that needs to come to an end, Lee added.
“We cannot allow the targeting of civilian infrastructure for any reason,” he said. “It should be completely out of bounds, and something has to be done about it.”