Different shades of light: When hackers turn off the power

bei

 / 29. October. 2017

Hacker attacks against critical infrastructures such as the electricity grid become more frequent – and more dangerous, too. Cyberattacks are able to damage severely generators and transformers. Electricity companies and public utilities are obligated to take precautions.

o power, no fun. Ukrainian inhabitants already had to make this unpleasant experience twice: On December 23rd 2015 and one year later on December 17th 2016. In both cases, however, technical problems were not the reason why hundreds of thousands of people were sitting in the dark and heating systems as well as TV and the telecommunications network had broken down. In fact, hackers had gained access to the computers of energy supply companies and in this way shut down SCADA systems (Supervisory Control and Data Acquisition).

More than 220.000 Ukrainian citizens were affected by the attack in 2015. In this case, attackers were able to hijack the workstations of the operating staff and remove 27 substations of three energy supply companies from the mains supply. Whereas the attack from December 2016 was aimed at the capital Kiev and an electricity supplier based there. The hackers gained access to the remote terminals used by the operating staff to control the circuit breakers. By deactivating the terminals the attackers caused a blackout that lasted one hour.

Professionals at work

IT experts assume that in both cases it was the work of professionals rather than occasional hackers. It took months of preparation to find the security breaches in the IT and SCADA systems as well as the network infrastructure of the electricity suppliers. The signs point to professional hackers who even were able to resort to the help of secret services and government agencies.

Attack surface becomes bigger

Such or similar attacks against power supply institutions and other critical infrastructures as water supply, important industrial companies, hospitals, finance sector, telecommunication networks and public transport systems occurred repeatedly within the last years. Among other things, the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) cites in its report about “The State of IT Security in Germany 2016“ the example of a nuclear power plant. Over the course of preparations for inspection work, malware was found on a computer used for presenting and highlighting steps on the fuel rod loading machine (visualizing computer). Presumably, the malware was distributed via an infected flash drive. Though no damage was caused to the NPP, the operator had to spend a lot of time and money on the analysis of the incident and also had to clean the affected systems and storage media.

Customized tools for attacks against energy suppliers

But the activities of cybercriminals don’t just aim at the IT infrastructure within the offices of electricity supply companies. Only a few months ago, security experts of the European Security Software vendor ESET caught a Trojan, which particularly targeted industrial plants and systems of an energy supplier. The malware named “Industroyer” (combination of “Industry” and “Destroyer”) enables cybercriminals to attack industrial control software (SCADA) of substations.

The potential impact is significant, ranging from turning off power distribution to physical damage of components. For example, the malware is capable to control electricity substation switches and circuit breakers. It uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems and other critical infrastructure systems.

The switches and circuit breakers are digital equivalents of analogue switches. A disruption of such systems and components may have far-reaching consequences and range from simply turning off power distribution, cascading failures and more serious damage to equipment. The severity may vary from one substation to another, as well.

Old protocols meet young hackers

A problem is that the protocols used by Industroyer were designed decades ago, when industrial systems were meant to be isolated from the outside world. Back then, concepts such as Industry 4.0 and Smart Metering, where machines, electricity meters and controls communicate via the Internet, only existed within the minds of scientists at best. The cybercriminals didn’t need to be looking for protocol vulnerabilities; all they needed was to teach the malware “to speak” those protocols. Attackers could easily adapt the malware to any environment, which makes it extremely dangerous.
It is unlikely that such a malware can be written and tested without access to the control or SCADA components used in a power plant or factory. Thus, the authors of Industroyer must have special knowledge of the industrial control systems. Regarding the attack against the Ukraine at the end of 2016, ESET experts assume that the network of the energy supplier Ukrenergo was infiltrated. For months, the hackers gathered data about the company’s plant. Industroyer transmitted these information via the TOR network to the cybercriminals. TOR is a special network where users can move around the Internet anonymously.

According to ESET, the ability to maintain unnoticed in a system for weeks and months and to disrupt the operation of industrial hardware directly makes Industroyer the most dangerous threat for industrial infrastructure since the infamous computer worm Stuxnet, which occurred in 2007. It manipulated the control systems of centrifuges used in the uranium enrichment process in Iran. Unlike Stuxnet, Industroyer is more flexible and can be adapted to different critical infrastructures such as control systems used in power plants.

Basic security measures are not enough

A huge challenge in the digital age is the fact that the possibilities to protect control systems and computers in critical infrastructure are very limited. Many of those components have too little processing power and memory or outdated operating systems to implement a security software. Therefore, it is necessary to better prevent attacks against the networks.

First of all, it is important to protect the office network and integrated servers, computers, notebooks and smartphones against attacks. These systems need to be provided with a comprehensive endpoint solution that goes beyond classic antivirus as well as regular updates of operating systems and applications. The virtualization computer of the German nuclear power plant that was mentioned by the BSI ran on an outdated operating system version. Just because of this an infection with an equally outdated malware was even possible.

Therefore, it is crucial to increase the awareness for potential threats among the staff. For example, hackers often use phishing mails with manipulated attachments as entry point. By opening such a message users infect their computer. So, besides an effective security software, a healthy dose of suspicion is important, when odd emails from colleagues land in the mailbox.

Common security concepts necessary

The biggest challenge, though, lies in the differences of individual critical infrastructures: Previously available IT security solutions often don’t meet the needs of the operators. A special security solution for energy suppliers doesn’t exist yet. The BSI and UP KRITIS are currently working on it – a public-private cooperation between operators of critical infrastructures, their associations and the relevant governmental agencies.
In industry and subject work groups the operators, authorities and associations are working on common security concepts. The first security standard for the water sector was certified by the BSI in August 2017. Further standards, for example in the area “water”, will follow.

The author: Michael Klatte works as PR Manager and IT Journalist for ESET Deutschland GmbH since 2008. He is responsible for Communication, Social Media and Content Management in Germany, Austria and Switzerland. Before he started working for ESET, Michael Klatte was a freelance IT Journalist as well as PR Manager/spokesman for different IT companies and AV software producers.