Security measures need to measure up to sophisticated attacks

Security needs to improve to combat attackers who grow more dangerous and skilled each day, as demonstrated by the attack on Ukraine in December 2016.

08/03/2017


Industrial control system (ICS) and supervisory control and data acquisition (SCADA) users across the board need to understand that they must create a holistic security program to protect against targeted attacks like this past December's Ukraine utility assault.

"The attacker had been developing its capabilities for at least a year, maybe two, and they discharged this tool and they will not use it anymore," said Marina Krotofil, lead security researcher at the Honeywell Industrial Cyber Security Lab and an investigator on the December Ukraine utility attack. "It means they have developed much better capabilities, much higher and advanced. This is what is scary because we don't know what to prepare for."

The attack in Ukraine this past December went much deeper than just the grid. It was a systemic attack hitting key governmental and infrastructure points across the country. It ended up being very similar to the attack that struck the Ukrainian power grid in December 2015. But unlike the 2015 cyberattack, which cut out 27 power distribution operation centers across the country and affected three utilities in western Ukraine, the December 2016 attack hit the electrical transmission-level substation Pivnichna, a remote power transmission facility, and shut down the remote terminal units (RTUs) that control circuit breakers, causing a power outage for about an hour.

An interesting feature of the attack was leaving the tools behind, Krotofil said. "The code was compiled specifically for this attack and dropped two days before. Since it was a long and prolonged attack, they could have taken the controls back, but they left them. If they left them it is because they wanted them to be found. If a cyber weapon is found the attacker just dumps it into the garbage. That means they deliberately dumped them into the garbage, and they didn't even use all the tools in the attack. They deliberately dumped more tools than they needed, or used. What that tells us is the attacker doesn't need those tools anymore. If he doesn't need them it means he has much better tools.

"Secondly, he wanted the tools to be found. It means he is showcasing his capabilities. It can also be seen as an invitation. OK, guys, we know that everyone is hacking the ICS silently and trying to remove the tools, but let's raise the bar again and let's open up and let's see where this level of (protection against these) tools should now be the new normal."

New families of malware

In addition, the attacker left the code behind so that other bad guys would take it and be inspired to create offshoots, giving rise to new malware families. Another interesting aspect of the whole attack was that the hackers had plenty of time to figure out how to get the job done.

"The attacker invested a lot of time to develop the position where they could speak to the device and send it into the off position, causing a shutdown," Krotofil said. "They found the state command and then said 'I can reverse it and then I can send it back and the device goes into shutdown.' For that, they not only need to understand the protocol but they need to understand the language of the piece of equipment, which language and which command does the equipment speak, which commands are possible? That all takes time. They understood the equipment. They understood the protocol. Those are all developed and tested capabilities. All those tools were developed a year or two ago. That means the attacker was working a long time in advance."

Krotofil said a bigger attack was going on throughout the country at the time of the attack on the utility. The attack against the Ukraine utility was part of a joint effort of attacks against multiple organizations within the country.

Same, but different

"The infiltration into the organization and the enumeration of networks and backdooring were all similar, but how they achieved the malicious goal inside the organization were all different," she said.

The approach to attacking the rail organization was different, as was the approach to the Ministry of Finance. "For every organization they wrote different tools," Krotofil said. "In each organization, there was specific malware written for each organization."

This means there were specific scripts written to do a specific task within each organization under attack.

"The attacker already had very well-established connectivity to the SCADA server, and the attacker dropped the script two days before the attack. It was compiled two days before the attack and dropped two days before the attack. It was not malware which was exploited in a Zero Day. It was a set of tools written for the specific attack."

The attacker had already established a backdoor that was communicating with the command and control center, and the utility did not monitor the communication, she said.

"We see super sophisticated, super smart malware every day. Every day it is super stealth, never seen before, difficult to reverse engineer; attackers' capabilities are getting better and better day by day," Krotofil said. "We tend to look at what we found and say this is the state of the art in offense, but it is not. By the time we see it, it is already old. They already have something new. This is where we have to realize we have to prepare for a much higher level. We see some malware and see it is state of the art and we will think it is so far advanced and it will not happen to me so I will not address it. We can't think like that. We should think like they discharged it and we should think about what capabilities they have and what we will see tomorrow."

Gregory Hale is founder of ISSSource. This article originally appeared on ISSSource's blog. ISSSource is a CFE Media content partner. Edited by Carly Marchal, content specialist, CFE Media, cmarchal@cfemedia.com.
