A week before Christmas 2016, Ukraine suffered a complete failure of essential electrical grid operations due to a sophisticated intrusion of its operational technologies (OT). The attack plunged one-fifth of the country’s capital, Kiev, into darkness for several hours.

The multiple attacks over the past two years on Ukraine’s power grid should serve as the proverbial canary in the coal mine for executives and investors of pipelines and power utilities, no matter the country. For decades, canaries warned miners of leaks of noxious gases and the potential for explosions in the mines before they occurred.

The intent of the hacks on Ukrainian OT, the sophistication of the attack and the modular structure of the computer virus that infected the power grid’s operations should provide boards of directors the sense of urgency they need to place cybersecurity at the top of their agendas.

Though attacks on grids in the U.S. and other developed countries are imminent, a successful intrusion is not inevitable. Facilities can and should take solid steps to ward off what certain nation states and criminal organizations may consider the ultimate prize: crippling the power arteries of a country.

Soft targets

The Christmas 2016 hack was not the first time the Ukrainian power grid had been attacked. About a year earlier, hackers had crippled Ukrenergo, Ukraine's government-operated electricity utility. A group of cybercriminals introduced a virus into the utility's network to map and learn its operations.

The 2015 attack was the first cyberattack in the world specifically aimed at denying electrical service to a location. The attack wiped data completely from computers running the Windows operating system. The terrorists also remotely disconnected substations from the grid, which left more than 225,000 customers without power for upward of six hours.

The ransomware attack locked up computers that maintained critical infrastructure. The malware demanded computer users pay a ransom to unlock computers. The malware even forced operators of the Chernobyl power plant to move radiation-sensing systems to manual operation. (Ukraine administers the defunct plant.)

Before managers in the West begin to believe it is merely Ukraine's bad luck to have its critical infrastructure targeted, they should know that in 2014, the Dragonfly cyberattack campaign targeted industrial control systems at more than 2,000 sites worldwide.

The intent of the campaign was espionage against petrochemical and electric power facilities. The virus infected critical infrastructure in the U.S., Spain, France, Italy, Germany, Turkey, and Poland. Dragonfly mapped out the utilities' computer networks, ostensibly in preparation for future attacks.

Ready for prime time

The attacks on power grids highlight an important characteristic of the hackers: they know their way around grid operations.

The most dramatic evidence for the sophistication of the cybercriminals comes from the 2016 Ukraine attack, which crippled electricity distribution for the nation’s capital. Cybersecurity firms dubbed the malware “Industroyer.” The media, though, picked up on the moniker “CRASHOVERRIDE,” which refers to the malware “Crash” framework upon which the attack was based.

The hackers infiltrated the corporate computer network with the same malware kit that had been used in the Dragonfly exploit, called Havex.

Havex used the industry-standard Object Linking and Embedding for Process Control (OPC) protocol to map the utility's network environment and choose its targets. The protocol exists to provide interoperability between Windows applications and industrial equipment.

Havex then zeroed in on the libraries and configuration files of Human-Machine Interfaces (HMIs), and used the HMIs to find equipment connected to the Internet.

The most worrisome aspect of the payload the malware dropped, however, was its modularity. The cybersecurity firm Dragos reverse-engineered the virus to reveal four modules.

  • One to find a way into a network and keep the “backdoor” open;
  • One to drop malicious “payloads” into the network;
  • One to wipe data from storage media; and
  • Another, interchangeable module that carries out the attack itself and can be swapped out to wreak different kinds of attack.

Destructive payload

The fourth module is the most problematic. It is built to be localized for use in other regions of the world outside Ukraine. Dragos reports: “CRASHOVERRIDE is not unique to any particular vendor or configuration and instead leverages knowledge of grid operations and network communications to cause impact; in that way, it can be immediately repurposed in Europe and portions of the Middle East and Asia.”

And while the module was programmed to exploit European protocols, Dragos reports, “CRASHOVERRIDE is extensible and, with a small amount of tailoring such as the inclusion of a DNP3 protocol stack, would also be effective in the North American grid.”

Once the module has been localized, hackers can swap it for another software component to pursue any combination of attack vectors:

  • De-energizing a substation by locking an operator out of the controls and remotely toggling a breaker between open and closed continuously;
  • “Islanding” a substation by initiating a similar breaker-toggling event that invokes automated operations that isolate the substation from other substations;
  • Misrepresenting the status of operations on consoles so that operators are confused, for instance when displays show breakers open when they are actually closed; and
  • Creating a cascading islanding effect on a grid by disabling the protective relays of substations.

Mind the gap

Critical infrastructure facilities around the world have historically relied on “air-gapping” their operations to reduce the risk of infection or equipment malfunction jumping from one operational compartment to another. Now, companies are at pains to interconnect their most up-to-date systems (usually to the Internet) and to integrate the latest equipment with legacy devices that may be decades old.

In light of a more interconnected world, operators must appoint a cross-functional task force to map operational connectivity to develop defenses against sophisticated cyberattacks. The team must take pains to detail the spaghetti of network connections, endpoints and HMIs that support SCADA. Then, they must elucidate any interfaces between OT and corporate IT.

Once the task force has completed the map, it needs to identify the network's vulnerabilities, both human and technological, and then prioritize the operational risks.

The team can then use the vulnerabilities to work up scenarios in which cybercriminals can exploit the soft spots in the operation. The scenarios provide contexts for cybersecurity specialists to fortify technological solutions.

Cybersecurity software that records a baseline of normal network and application behavior has an important role to play in network defenses. Measured against that baseline, OT staff receive alerts when activity deviates from it, as when malware attempts to disrupt the processing flow of any software on the network.
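As an added illustration of the two preceding points, the connectivity map with its OT/IT interfaces and the baseline-and-alert software, the following Python script is example code written for this article, not a product of the author or of any vendor named here. It assumes a hypothetical host inventory that assigns each address to an IT or OT zone (the output of the mapping exercise), a set of constructed flow records, and a hypothetical threshold for control commands per minute. The port table covers OPC over DCOM and DNP3, which the article names, plus two widely used European substation protocols (IEC 60870-5-104 and IEC 61850 MMS) that it does not.

```python
"""Baseline-and-alert monitor for OT network flows (added example, not from the article).

Flow records, the zone inventory and the thresholds are constructed for this
example; every address and hostname is hypothetical.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical zone inventory: what the cross-functional mapping task force produces.
ZONES = {
    "10.10.0.5": "OT",    # HMI workstation
    "10.10.0.7": "OT",    # engineering workstation
    "10.10.1.20": "OT",   # substation RTU
    "10.10.1.21": "OT",   # protective relay
    "10.20.0.15": "IT",   # corporate file server
    "10.20.0.99": "IT",   # corporate laptop
}

# Well-known TCP ports for grid protocols; the label is used only in alert text.
ICS_PORTS = {
    102: "IEC 61850 MMS",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
    135: "DCOM (classic OPC)",
}

# Hypothetical threshold: more control commands than this to one device within
# a single minute is reported as breaker-toggling behaviour.
CONTROL_RATE_LIMIT = 5


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since the start of the capture
    src: str
    dst: str
    dport: int
    control: bool  # True when the payload carried a control/command operation


def zone(ip):
    """Look up the zone of a host; anything missing from the inventory is UNKNOWN."""
    return ZONES.get(ip, "UNKNOWN")


def learn_baseline(flows):
    """Record every (src, dst, dport) tuple seen during a known-good observation window."""
    return {(f.src, f.dst, f.dport) for f in flows}


def detect(flows, baseline):
    """Compare live flows against the baseline and the zone map; return alert strings."""
    alerts = []
    controls_per_minute = defaultdict(Counter)  # dst -> minute bucket -> command count
    for f in flows:
        key = (f.src, f.dst, f.dport)
        proto = ICS_PORTS.get(f.dport, str(f.dport))
        if key not in baseline:
            alerts.append(f"NEW_FLOW {f.src} -> {f.dst} {proto}")
        # An IT-to-OT crossing is reported even if it was present during the baseline,
        # because every such interface is exactly what the map is meant to expose.
        if zone(f.src) == "IT" and zone(f.dst) == "OT":
            alerts.append(f"IT_TO_OT {f.src} -> {f.dst} {proto}")
        if "UNKNOWN" in (zone(f.src), zone(f.dst)):
            alerts.append(f"UNINVENTORIED_HOST {f.src} -> {f.dst} {proto}")
        if f.control:
            controls_per_minute[f.dst][f.ts // 60] += 1
    for dst, minutes in controls_per_minute.items():
        for minute, n in sorted(minutes.items()):
            if n > CONTROL_RATE_LIMIT:
                alerts.append(f"CONTROL_STORM {dst} {n} commands in minute {minute}")
    return alerts


# Constructed sample data: a quiet baseline window, then a live window with
# one corporate laptop reaching into the HMI, one burst of breaker commands,
# and one host that is absent from the inventory.
BASELINE_FLOWS = [
    Flow(0, "10.10.0.5", "10.10.1.20", 2404, False),
    Flow(1, "10.10.0.5", "10.10.1.21", 102, False),
    Flow(2, "10.10.0.7", "10.10.1.20", 2404, False),
    Flow(3, "10.10.0.5", "10.10.1.20", 2404, True),   # an occasional operator command
]

LIVE_FLOWS = (
    [Flow(10 + i, "10.10.0.5", "10.10.1.20", 2404, False) for i in range(3)]
    + [Flow(20, "10.20.0.99", "10.10.0.5", 135, False)]
    + [Flow(30 + i, "10.10.0.5", "10.10.1.20", 2404, True) for i in range(8)]
    + [Flow(70, "10.10.9.9", "10.10.1.21", 102, True)]
)


def run():
    """Learn the baseline from the quiet window and evaluate the live window."""
    return detect(LIVE_FLOWS, learn_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The baseline is deliberately a plain set of endpoint tuples: OT traffic is repetitive enough that a new tuple is itself worth a look, and the rate check catches the breaker-toggling pattern even when the source and destination are both legitimate. Unlisted hosts surface as their own alert so the inventory gets corrected rather than silently accepted.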

Management can also use the cases to train staff on behaviors that will thwart attacks. For instance, training may cover how to notice and report phishing emails, in which hackers attempt to infiltrate networks by getting users to click “baited” links that download malicious payloads or lead to websites infected with viruses.

And while operators in most critical infrastructure operations globally are constantly drilled on how to manage conventional issues that may beset a system, very few are trained on how to spot, report and rectify a cybersecurity breach.

It is possible for executives to feel they have realistically reduced the risk for successful subversion of their operations. They can avoid becoming the next canary by heeding the lessons of other countries already under siege by well-organized cybercriminals.

Paul Myer is CEO of Veracity Industrial Networks.