Critical Read

Report: Cyberthreat can target electric grids around the world

 

What: "CRASHOVERRIDE: Analyzing the Threat to Electric Grid Operations," a new report by Dragos Inc.

Why: Cyberattacks to power and electric systems are one of the nightmare scenarios that keep cybersecurity and IT professionals as well as policymakers up at night. One such attack platform, the malware framework behind the December 2016 cyberattack on a Ukrainian substation, could be adapted to shut down systems all over the world, according to a report from Dragos Inc.

Slovakian firm ESET notified Dragos on June 8, 2017, of malware designed to target industrial control systems, which Dragos was able to confirm was deployed in the attack on the Kiev substation that left nearly a quarter-of-a-million people without power for six hours.

Dragos further determined that the malware was not designed specifically for that attack, but is in fact an adaptable framework that "leverages knowledge of grid operations and network communications." Therefore, it can be adapted to different protocols, systems and vendors and could target multiple sites at once, the report says.

Although Dragos states outages would not be catastrophic, they could still last for days as the malware, dubbed CRASHOVERRIDE, can override and wipe ICS files.

Dragos, while not making any direct attribution to any nation state, says that an adversary group behind CRASHOVERRIDE has "direct ties" to a team identified as a Russian hacking group.

Dragos believes that CRASHOVERRIDE is an evolution of previous malware frameworks that were designed to infiltrate and study various industrial control systems. It points to the Dragonfly and BLACKENERGY 2 campaigns that adversaries used to conduct ICS espionage.

The 2016 cyberattack in Ukraine could have been much worse, says Dragos, and the attack appears to have been a "proof of concept" of the malware.

The Dragos report goes into deep technical detail about the various modules of CRASHOVVERIDE, how they interact and how they can be identified.

In addition to outlining the malware components, Dragos offers recommendations to reduce the attack surface and increase resiliency of power systems. It recommends maintaining offline backups of configuration and engineering files, preparing incident response plans, conducting tabletop exercises with all relevant stakeholders and increasing monitoring of the protocols exploited by CRASHOVERRIDE.

Verbatim: "It marks an advancement in capability by adversaries who intend to disrupt operations and poses a challenge for defenders who look to patching systems as a primary defense, using anti-malware tools to spot specific samples, and relying upon a strong perimeter or air-gapped network as a silver-bullet solution. Adversaries are getting smarter, they are growing in their ability to learn industrial processes and codify and scale that knowledge, and defenders must also adapt."

About the Author

Sean Carberry is an FCW staff writer covering defense, cybersecurity and intelligence. Prior to joining FCW, he was Kabul Correspondent for NPR, and also served as an international producer for NPR covering the war in Libya and the Arab Spring. He has reported from more than two-dozen countries including Iraq, Yemen, DRC, and South Sudan. In addition to numerous public radio programs, he has reported for Reuters, PBS NewsHour, The Diplomat, and The Atlantic.

Carberry earned a Master of Public Administration from the Harvard Kennedy School, and has a B.A. in Urban Studies from Lehigh University.


The Fed 100

Read the profiles of all this year's winners.

Featured

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group