Sydney, Australia — Ixia, a leading provider of network testing, visibility and security solutions, offers organisations advice on preventing Industrial Control Systems (ICS) attacks in light of the recent report from Dragos on the CrashOverride malware.This malware took down 30 substations in the Ukraine’s power grid late last year, and left 230,000 residents in the Ukraine without power.
The report from Dragos on CrashOverride was detailed and specific. The possibility of this malware strain permeating critical infrastructure around the world is evidence that plants and power systems continue to be under targeted attacks. In fact, early last year, hackers breached the a water utility company that is referred to as the “Kemuri Water Company”. They took control of hundreds of programmable logic controllers (PLCs) that manage the flow of toxic chemicals used for water treatment, which could have had dire consequences.
“The work required to create malware targeting specific ICS systems indicates nation-state sponsorship. One does not simply go out and build a ‘mirror lab’ of an electrical grid in their basement,” said Chuck McAuley, Principal Security Research Engineer at Ixia. “Human intelligence backed with strong technical knowledge is needed to create this type of software. Countries, and their private partners involved in infrastructure, need to be proactive about their security measures. In a region such as Europe, where the interconnected electrical grid crosses the borders of many countries, operators need to be ready for cyber attacks at all times.”
Attacks are rapidly evolving and, with nation-state support, will continue doing so. CrashOverride took advantage of four communication protocols used in ICS systems across Europe, Asia, and the Middle East, which highlights potential ICS system design flaws.
McAuley continued, “This attack illustrates that flipping breakers on and off repeatedly should trigger warnings from both remote terminal units and networking equipment. Rate limiting, inline mitigation, and machine learning defenses are quite mature and can easily be adapted to help provide protection in the ICS space. If a hacker’s intent is simply to cause disruption, they do not need to use tradecraft of the nth degree. In this particular case, the malware leveraged no zero day at all, choosing instead to leverage design flaws in the ICS network. Your adversary will only expose and use as much of their arsenal as they need to obtain their objective.”
According to Ixia, there a few simple steps organisations can follow to better prepare for these types of attacks:
If organisations are incapable of maintaining their ICS networks with up to date countermeasures, they need to be disconnected from the Internet. In fact, organisations should attempt to remove any direct reliance on IP communications. Air gapping the network can help, but it does not always stop malware from entering a network.
Sharing is Caring
A culture of information sharing between the public and private sector should be encouraged. One of the most difficult aspects of cybersecurity is establishing and maintaining trust with peers across industries. Hackers already have the latter part down, and organisations should, too. The enemy relies on slow communications, legal tie-ups, and other bureaucratic clutter.
Get the Whole Picture
As in most cases, but especially the one outlined in the Dragos report, visibility is key to thwarting industrial attacks. Network visibility should be a cornerstone of any security posture. Moreover, rate limiting functions and alerting functions should be used with a strong visibility platform to notify operators when anomalies occur.
Preparation is Key
More than having the right relationship dynamics or tools, organisations cannot be frozen when attacks do occur. They should prepare by testing both their network equipment and people. While testing equipment is relatively straightforward, you need to test your people under real-world conditions using tabletop and cyber range exercises. This enables staff to learn how to perform and think outside the box like a hacker.
McAuley concluded, “The more you can see, the quicker and easier you can react. If the CrashOverride victims had tapped their ICS network, they would have immediately noticed a change in traffic patterns: the scanning for OPC-based services and the IEC 104 commands that repeatedly closed and opened breakers. Network monitoring equipment would be able see and alert on these transactions in realtime.”
Ixia, now part of Keysight Technologies, provides testing, visibility, and security solutions to strengthen networks and cloud environments for enterprises, service providers, and network equipment manufacturers. Ixia offers companies trusted environments in which to develop, deploy, and operate. Customers worldwide rely on Ixia to verify their designs, optimize their performance, and ensure protection of their networks and cloud environments. Learn more at www.ixiacom.com.
About Keysight Technologies
Keysight Technologies is a leading technology company that helps its engineering, enterprise and service provider customers optimize networks and bring electronic products to market faster and at a lower cost. Keysight’s solutions go where the electronic signal goes, from design simulation, to prototype validation, to manufacturing test, to optimisation in networks and cloud environments. Customers span the worldwide communications ecosystem, aerospace and defense, automotive, energy, semiconductor and general electronics end markets. Keysight generated revenues of $2.9B in fiscal year 2016. In April 2017, Keysight acquired Ixia, a leader in network test, visibility, and security. More information is available at www.keysight.com.