Malware Targets the Electric Grid

Sophisticated malware that has proven its ability to interfere with power systems could be coming to an electric grid near you.

If there was a ray of sunshine in the recent research concluding that some 3,000 industrial sites per year get infected with malware in their Industrial Control Systems (ICS), it was the observation that much of this malware came from common families, and thus might be susceptible to remediation. That ray may now be somewhat obscured.

According to separate reports from Slovakian and American security researchers, a specific breed of malware that is purpose-built to disrupt electric grids is responsible for the widely publicized December 2016 power outages in the Ukraine. Moreover, because this strain of malware targets industrial hardware and communications protocols that are de facto standards in transmitting and distributing electricity, it has the potential to wreak havoc across multiple geographies.

New Thrusts at a Familiar Target

The report from U.S.-based Dragos, Inc. details key aspects of the newly identified malware – known as CrashOverride or Industroyer – that distinguish it in crucial ways from other malware affecting ICS systems. These include:

  • The new malware targets only electric-grid operations, and not other infrastructure systems (such as energy production, water/wastewater, oil and gas pipelines, or transportation).
  • It leverages knowledge of grid operations, including physical processes and the communications protocols that are most commonly used, to create its impact.
  • It communicates directly with the industrial hardware that manages the grid.
  • Its modules open circuit breakers on RTUs (remote terminal units) and force them into an infinite loop, keeping the circuit breakers open even if grid operators attempt to shut them. This has the effect of de-energizing electrical substations.
  • The malware is vendor-independent and configuration-independent. Since grid operations systems in many parts of the world are very similar, it can be repurposed for use in many environments.

The report stresses that at present, the potential harm from this malware seems to be limited to electric grids; to attacks on one or a few locations at a time; and to outages that persist for hours, or at most a few days. However, there are compelling reasons for security analysts – whether their expertise is in IT, OT, or both – to be concerned about the trend lines that extend from the new malware.

Keeping Pace with the Threat

First, the adversary group behind this malware, known as Electrum, has direct ties to the Sandworm team, which targeted U.S. and European infrastructure companies in October 2014 and was responsible for an earlier attack on Ukraine’s electric utilities in December 2015.

Second, as the Dragos report suggests, malware with these capabilities “poses a challenge for defenders who look to patching systems as a primary defense, using anti-malware tools to spot specific samples, and relying upon a strong perimeter or air-gapped network as a silver-bullet solution.”

How should security professionals respond to this kind of threat? The Dragos researchers recommend re-framing how you approach security in the context of ICS, including focusing on the communications protocols within ICS systems (watching for increased usage and/or systems using the protocols for the first time); maintaining robust, offline backups of essential engineering files; and being aware that ICS malware can do harm while using hardware and communications in the manner they were designed to be used.

Another important step is to recognize that the components of networked ICS systems also function, in effect, as endpoints on their networks. If one can automate the process of identifying these endpoints’ deviations from their normal behavior, and generate actionable alerts to the analyst(s) responsible for securing the network, the cyber-risk within ICS and SCADA environments can be meaningfully reduced.

The Endpoint Modeling Advantage

Endpoint modeling is an advanced threat-detection technology that creates and maintains a software model – a real-time simulation – of each of your networked resources. It automatically discovers the role and behavior of each of your IT assets, and then tracks that behavior continuously. If one of these assets begins to act abnormally, or in a way that is unexpected, endpoint modeling generates a real-time alert. Your security analysts can quickly investigate to determine if this behavior represents a threat, and if so, take effective action to remediate it. 

Experience endpoint modeling on your own network

Getting better visibility into your network and improving your security couldn’t be easier. Sign up for a free, no-risk trial of Observable’s endpoint modeling service, and change the way you see security.

Detect Threats Faster – Start Your Free, No-Risk Trial