Industroyer: The Resurgence of Industrial Controls Malware
Making Ukraine a hacker’s playground.
On June 12, 2017, analysts at the Slovak security company ESET published a report on the ‘Industroyer’ malware. In December 2016 this malware cut roughly one fifth of Kiev’s power consumption, leaving part of the Ukrainian capital dark for about an hour. Industroyer ships four payload modules, one for each of the IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OLE for Process Control Data Access (OPC DA) protocols, but its most hazardous property may be its configurability. The IEC protocols are used mainly in Europe, Asia and parts of the Middle East; the United States and the rest of North America rely mostly on the Distributed Network Protocol 3.0 (DNP3). Industroyer’s modular design is built to accept additional payloads, so with some customization the same framework could be turned against North American grid facilities.
Experts have speculated that the December 2016 attack on Kiev, together with the December 2015 attack that also caused a temporary outage in Ukraine, looks like a demonstration or “test run.” Analysis of Industroyer revealed features that were not used against Kiev in 2016, such as logic in the ‘launch’ module that controls when the malware may operate based on the time of day. An attacker could configure the malware to act only outside normal business hours, for example, which makes detection from network traffic logs considerably harder, since the malicious traffic would fall into the hours when nobody is watching. All of the captured samples, however, were configured to run around the clock and ignored this time-gating feature.
The extent of the customization is also unusual. Some analysts describe Industroyer as a malware framework rather than a single piece of malware, given how much capability is built into this industrial control malware. The toolkit includes a Denial of Service (DoS) module, two backdoors used to maintain persistence, and a wiper component that destroys critical files on the affected systems. Industroyer also contains its own port scanner, written from scratch rather than reusing existing tooling.
Blaster from the past.
Industroyer isn’t the first of its kind, however. Stuxnet, a worm identified in 2010, targeted programmable logic controllers (PLCs) in Iran’s uranium-enrichment programme. It was designed to act only on PLCs driving variable-frequency drives from specific vendors in Finland and Iran, and is now widely, if unofficially, acknowledged as a jointly developed American-Israeli cyberweapon. Other malware families, such as BlackEnergy, which was used in the December 2015 attack on Ukrainian power distributors, have targeted industrial control systems intermittently, but they are eclipsed by the sophistication of both Stuxnet and Industroyer.
Malware written specifically for industrial control systems isn’t the only threat to them, however. Blaster, a worm that exploited a buffer overflow in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) service, has been tentatively linked to the Northeast blackout of August 2003. Blaster was not written to target control systems and did not cause the blackout; the official U.S.-Canada task force report attributed the cascade to a software bug in an alarm-processing system and to transmission lines contacting trees. The argument is that the collateral damage from the worm, which was spreading that same week, hampered the secondary systems that might otherwise have helped restore power more quickly.
Watered-down security measures.
Grid operators and electric utilities aren’t the only entities at risk. Hydropower, natural gas and water companies, along with every other organization that runs industrial control systems, can be targeted by the same kind of malicious software, because the underlying principles of these systems are very similar regardless of the product. The question raised by a malware framework that could be customized for North American industrial facilities is whether these companies have other security measures in place that would stop an attacker from repeating the Kiev blackout. Today’s electric grid is a network of systems designed decades ago, when security was not a priority. ESET remarks that “any intrusion into an industrial network with systems using these protocols should be considered as ‘game over,’” referring to the IEC and OPC DA protocols abused by the Industroyer payloads: they carry no authentication, so whoever can reach the network can issue commands. Nor are these protocols the only vulnerable standards. A payload can be written for any control protocol that likewise lacks authentication, DNP3 without its optional secure-authentication extension included, so any system speaking one is potentially vulnerable.
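To make concrete why ESET calls an intrusion on these networks “game over,” and why the time-of-day gating discussed above matters for traffic-based detection, here is an added example that is not code from ESET or from this article: a small passive IEC 60870-5-104 monitor that decodes the APDU frames on the wire and flags process-control commands (the single and double commands a 104 payload uses to open breakers) arriving from any host outside an allow-list of SCADA masters. The protocol has no authentication field to check; the only available signal is who is talking and when. The host addresses, the allow-list and the sample frames are constructed for this example.

```python
"""Passive IEC 60870-5-104 control-command monitor (added example; all hosts and frames constructed)."""
from dataclasses import dataclass
from typing import List, Optional, Set

# Type identifiers of process-control commands in the control direction
# (45 = C_SC_NA_1 single command, 46 = C_DC_NA_1 double command, ...).
# Types 58-64 are the same commands with a CP56Time2a time tag.
CONTROL_TYPE_IDS = {
    45: "single command", 46: "double command", 47: "regulating step command",
    48: "set point (normalised)", 49: "set point (scaled)",
    50: "set point (short float)", 51: "bitstring of 32 bits",
}
for _t in range(45, 52):
    CONTROL_TYPE_IDS[_t + 13] = CONTROL_TYPE_IDS[_t] + " with time tag"
COT_ACTIVATION = 6  # cause of transmission "activation": the command is being issued


@dataclass
class Apdu:
    frame: str                        # "I" (data), "S" (ack) or "U" (link control)
    type_id: Optional[int] = None
    cot: Optional[int] = None
    common_addr: Optional[int] = None
    ioa: Optional[int] = None
    qualifier: Optional[int] = None   # SCO/DCO/QOI byte that follows the IOA


def parse_apdu(data: bytes) -> Apdu:
    """Decode one APDU: 0x68, length, four control-field bytes, then the ASDU."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("missing 0x68 start byte")
    if data[1] + 2 != len(data) or data[1] < 4:
        raise ValueError("length field does not match frame")
    ctrl0 = data[2]
    if ctrl0 & 0x01 == 0:
        frame = "I"
    elif ctrl0 & 0x03 == 0x01:
        frame = "S"
    else:
        frame = "U"
    if frame != "I":
        return Apdu(frame)            # S/U frames carry no ASDU
    asdu = data[6:]
    if len(asdu) < 10:                # type, VSQ, COT(2), CA(2), IOA(3), >=1 element byte
        raise ValueError("ASDU too short")
    return Apdu("I", type_id=asdu[0],
                cot=asdu[2] & 0x3F,   # low 6 bits; bit 6 = P/N, bit 7 = test flag
                common_addr=asdu[4] | (asdu[5] << 8),
                ioa=asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),
                qualifier=asdu[9])


@dataclass
class Flow:
    src: str
    dst: str
    payload: bytes


@dataclass
class Alert:
    src: str
    type_id: int
    common_addr: int
    ioa: int
    select: bool                      # S/E bit (0x80) of SCO/DCO: select=1, execute=0
    reason: str


def find_unauthorised_controls(flows: List[Flow], masters: Set[str]) -> List[Alert]:
    """Flag control commands with COT=activation from any host not in the master allow-list."""
    alerts: List[Alert] = []
    for f in flows:
        try:
            a = parse_apdu(f.payload)
        except ValueError as exc:
            alerts.append(Alert(f.src, 0, 0, 0, False, f"malformed APDU: {exc}"))
            continue
        if a.frame != "I" or a.type_id not in CONTROL_TYPE_IDS or a.cot != COT_ACTIVATION:
            continue                  # monitoring data, acks, keep-alives: not a control
        if f.src in masters:
            continue                  # expected operator traffic
        alerts.append(Alert(f.src, a.type_id, a.common_addr, a.ioa, bool(a.qualifier & 0x80),
                            f"{CONTROL_TYPE_IDS[a.type_id]} from non-master host"))
    return alerts


# Constructed sample: one SCADA master (10.0.0.5), one RTU (10.0.1.20) and a
# compromised engineering workstation (10.0.3.77) that selects, then executes,
# OFF on double-command object IOA 25601, the sequence a 104 payload sends.
AUTHORISED_MASTERS = {"10.0.0.5"}
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.1.20", bytes.fromhex("68 04 07 00 00 00")),                                # U: STARTDT act
    Flow("10.0.0.5", "10.0.1.20", bytes.fromhex("68 0E 00 00 00 00 64 01 06 00 01 00 00 00 00 14")),  # C_IC_NA_1 interrogation
    Flow("10.0.1.20", "10.0.0.5", bytes.fromhex("68 0E 00 00 02 00 01 01 03 00 01 00 01 64 00 01")),  # M_SP_NA_1 spontaneous
    Flow("10.0.0.5", "10.0.1.20", bytes.fromhex("68 0E 02 00 02 00 2E 01 06 00 01 00 01 64 00 02")),  # master: double cmd ON
    Flow("10.0.3.77", "10.0.1.20", bytes.fromhex("68 0E 00 00 00 00 2E 01 06 00 01 00 01 64 00 81")), # rogue: select OFF
    Flow("10.0.3.77", "10.0.1.20", bytes.fromhex("68 0E 02 00 00 00 2E 01 06 00 01 00 01 64 00 01")), # rogue: execute OFF
    Flow("10.0.1.20", "10.0.0.5", bytes.fromhex("68 04 01 00 04 00")),                                # S: ack
]

if __name__ == "__main__":
    for al in find_unauthorised_controls(SAMPLE_FLOWS, AUTHORISED_MASTERS):
        print(f"ALERT {al.src}: {al.reason} CA={al.common_addr} IOA={al.ioa} select={al.select}")
```

Run against the sample, the monitor ignores the link-control, interrogation, monitoring and acknowledgement frames and the master’s own command, and raises two alerts for the workstation’s select and execute. The allow-list is the whole defence here: nothing in the frame distinguishes a legitimate master from an attacker who has reached the network, which is the practical meaning of “game over.” In a real deployment the same logic would run over a mirror port on TCP 2404, and the time-gating point above is why an alert should also carry the hour at which a command was seen.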
Compliance requirements for companies that run industrial control systems are also uneven. The Federal Energy Regulatory Commission (FERC) was granted authority in 2005 to enforce mandatory reliability standards for the bulk-power system (the transmission grid, known in the NERC standards as the bulk electric system, or BES). That definition, however, excludes facilities used in the local distribution of electric energy. There is also concern that the way “critical” assets are defined leaves room for necessary systems to be overlooked from a compliance standpoint, leaving weaknesses and entry points into power companies. Enter the Smart Grid. Following in the footsteps of other Internet of Things (IoT) devices, the Smart Grid adds two-way communication to commonly used systems; unlike a great many IoT devices, the newer Smart Grid equipment is designed with security in mind and addresses current vulnerabilities. Replacing all of the existing outdated systems with Smart Grid systems, however, will take time.
Why does this matter to enterprises?
For a business, a blackout lasting a few days can mean a burdensome amount of lost revenue. Blackouts cost money not only during the outage itself; studies have found that the economic impact persists for weeks afterwards because of repair and maintenance costs. Experts predict that the Kiev outage was only the first of further grid breaches. What can be done about this? Enterprises should ask whether their power suppliers are covered entities under the NERC CIP (Critical Infrastructure Protection) standards that FERC enforces, and should add blackout procedures to their incident response plans. A commercial standby generator, which keeps the power on and the business open during an outage, may also be a worthwhile investment.
For any further questions about industrial control systems malware or compliance standards, please contact [email protected].