On 23 December 2015 225,000 homes in the Ukraine were left without power following what is thought to be the first successful cyber attack on an electricity distribution network. A report issued on 25 February 2016 by the US Department of Homeland Security (“DHS”) has examined what happened. Its findings are likely to cause concerns for the Boards and risk managers for businesses that rely upon industrial control systems (“ICS”) as well as their insurers (“DHS”). ICS are at the heart of a huge range of industrial processes and if they are vulnerable to a cyber attack, the consequences could be devastating.
The alert issued by the DHS follows an investigation by the US National Cyber Security and Communications Integration Centre/Industrial Control System Cyber Emergency Response Team, the US Department of Energy, the FBI and the North American Electric Reliability Corporation in conjunction with the Ukrainian government.
The conclusion reached by the team was that outages experienced in Ukraine on 23 December 2015 were caused by external cyber attackers. The alert indicates that the team concluded that the outages were caused by remote cyber intrusions at three regional electric power distribution companies. In addition to this, three other organisations (some from other critical infrastructure sectors) were also attacked. The attacks were synchronised and co-ordinated, occurred within 30 minutes of each other and impacted multiple facilities. The team concluded that they probably followed extensive reconnaissance of the victim networks. . A number of individuals were involved in conducting the malicious remote operation of systems using either existing remote administration tools (at the operating system level) or remote ICS client software through virtual private network connections. The victim companies believe that the attackers acquired legitimate credentials before the cyber attack, which enabled them to obtain remote access to their systems.
It was concluded that the attackers wiped some systems using malware at the conclusion of the attack which resulted in the erasure of files on target systems. They reportedly jammed company phone lines and set up disconnections for server uninterruptable power supplies (“UPS”) via the UPS remote management interface in an effort to interfere with anticipated efforts to restore the systems. Again, this shows a sophisticated level of planning.
Each of the victim companies reported that they had been infected with “Black Energy” malware (although it was not known whether this played a role in the cyber attack). The malware was reportedly delivered through spear phishing emails which contained malicious Microsoft Office attachments. The investigating team suspect that the Black Energy malware may have been used as a way of obtaining access to acquire legitimate credentials.
How can businesses protect themselves?
The DHS recommend that organisations should develop and exercise contingency plans to allow for the safe operation or shutdown of operational processes in the event that their ICS are breached. These plans should include the assumption that the ICS are actively working against the safe operation of the process.
The DHS recommends the use of Application Whitelisting which can detect and prevent the attempted execution of malware uploaded by malicious parties. They recommend that organisations should isolate ICS networks from any untrusted networks, especially the internet. They recommend that all unused ports should be locked down and all unused services turned off. Where a defined business requirement or control function exist only real time connectivity should be allowed to external networks.
The DHS also recommends that organisations should limit remote access functionality wherever possible. Modems are especially insecure. Remote access should be operator controlled, time limited and procedurally similar to “lock out, tag out”. Strong multifactor authentication should be used if possible.
The DHS observes that modern networks, especially those in the control systems arena, often have inherent capabilities that are utilised without sufficient security analysis. This can provide access to attackers once they are discovered. Such “back doors” can be accidentally created in a multitude of places on a network. Modern IT architecture often has technology to provide for a robust remote access. This can include firewalls, public facing services and wireless access. Each technology allows enhanced communication in and amongst affiliated networks and in many cases will be a subsystem of a larger more complex information infrastructure. The DHS notes that each of these components can (and often do) have associated security vulnerabilities that an adversary would try to detect and leverage. Interconnected networks are particularly attractive to a malicious actor because a single point of compromise may provide extended access to a wider network.
Industrial Control Systems are plainly vulnerable to attack. The risk is greatest for those businesses with extended (and connected) networks. However, there are a number of steps that businesses can take to reduce the risks they face (both in terms of the risk of a breach and the consequences of a breach). Boards, risk managers and insurers need to work together to address these issues.