In the spring of 2015, employees of Ukrainian utilities received emails with malicious Word document attachments. The unsuspecting workers clicked on the files, which opened and requested them to enable associated macros. Those who agreed unintentionally infected their computers with a virus program, appropriately called BlackEnergy3 (BE3), opening the doorway for hackers to make their way into the IT networks of three electricity distribution companies.
Today, most hackers exploit coding errors or other software weaknesses. In this instance the adversaries utilized a known and intentional feature of Microsoft Word. At this point in their progress, the intruders were still confined to the IT networks. They could not yet access the operational technology (OT) environment, including the supervisory control and data acquisition (SCADA) control systems that run the grid. These had been partitioned off, as is the case with many utilities.
To reach into the SCADA systems, the adversaries conducted a patient and extensive six-month reconnaissance exercise, moving into what is referred to in the industry as “Advanced Persistent Threat” (APT) mode. During the APT phase, they were able to extensively map the utility networks and gain access to the Windows Domain Controllers, where the user accounts were stored and managed. This permitted access to worker IDs and passwords, which in turn provided them a way into the VPNs used by utility employees to remotely access the SCADA networks.
Once inside the heart of the utilities’ control systems, they patiently established the battle plan for the three coordinated cyber assaults that all took place within the same half hour two days before Christmas of 2015. In the late afternoon, control room operators witnessed their cursors ghosting across their computer screens, clicking on the links that would open breakers and interrupt flows of electricity to critical substations, taking down the grid. Operators were remotely locked out and unable to take any action, as passwords had been changed. In addition, the hackers took out back-up power supplies to two of the operating centers, literally leaving the operators in the dark.
In total, the assailants disconnected dozens of substations and cut power to over 225,000 customers for one to six hours until supplies could be restored through manual overrides. An analysis of the attack by the SANS Institute noted that the attackers proved they could not only successfully target field devices in utility infrastructure, but also “write custom malicious firmware, and render the devices, such as serial-to-ethernet convertors, inoperable and unrecoverable.”
How Could this Entire Chain of Events Have Been Avoided?
Fortunately, there are ways for utilities to limit the possibility of such an event occurring. In the Ukrainian case, the utilities prioritized convenience over security, beginning with a lax culture of cyber hygiene. Staff should have been trained to detect spear phishing, and passwords should have been periodically changed.
The successful spear phishing exercises allowed hackers to access their systems relatively easily and insert the BE3 program into the target environments through Microsoft Office. BE3 then performed its task of contacting the SCADA command and control (C2) network – which implies that it contacted an external IP address. This should have been disallowed, or – at a minimum – alerts should have been created. Systems should have been more closely monitored for abnormal communications, and the utilities should have deployed application-aware firewalls.
The Dispersive Virtual Network (DVN) solution would have stopped the kill chain (the multiple steps undertaken by attackers, from reconnaissance to the ultimate action taken) in three separate ways:
- It would have first prevented BE3 from calling out to establish a C2 session with the adversaries.
- DVN would also have ensured that remote connectivity was secure – so that devices and users were both authorized before they were able to gain access to the system. Thus, theft of credentials alone would not have allowed the adversary to gain access to a DVN system.
- DVN micro-segments the network, so that attackers cannot easily discover various critical assets in the connected network. If computers and embedded devices had been running the DVN they would only talk to authorized machines (which should be properly segmented in the network).
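The monitoring and segmentation controls described above (alerting on outbound C2 call-outs from internal hosts, and only permitting traffic between explicitly authorized machines) can be checked against flow logs with a small script. The following is an added example written for this post, not Dispersive's code or a description of how DVN works internally. It assumes a hypothetical flow-log format (`timestamp src dst dport proto`), constructed sample records, RFC 1918 ranges as the organization's internal address space, and a hypothetical allowlist policy that stands in for a segmentation rule set.

```python
"""Egress call-out and segmentation-violation detector over constructed flow records."""
import ipaddress
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")

# Constructed sample flow log (hypothetical format: timestamp src dst dport proto).
# Host 10.20.1.15 is an IT workstation; 10.30.5.0/24 is the SCADA segment;
# 198.51.100.23 is a documentation-range address standing in for an external C2 server.
SAMPLE_FLOWS = """\
2015-03-14T10:02:11 10.20.1.15 10.20.1.1 53 udp
2015-03-14T10:02:12 10.20.1.15 198.51.100.23 443 tcp
2015-03-14T10:05:40 10.20.1.15 198.51.100.23 443 tcp
2015-03-14T10:09:09 10.20.1.15 198.51.100.23 443 tcp
2015-03-14T10:12:33 10.20.1.15 10.30.5.2 3389 tcp
2015-03-14T10:15:00 10.30.5.2 10.30.5.10 502 tcp
"""

# Address space the organization considers internal (assumed: RFC 1918 ranges).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical segmentation policy: (source network, destination network, allowed ports or None for any).
# Anything internal that is not listed here is a cross-segment violation.
POLICY = [
    ("10.20.1.0/24", "10.20.1.1/32", {53}),   # IT workstations -> internal DNS resolver
    ("10.30.5.0/24", "10.30.5.0/24", {502}),  # SCADA hosts -> Modbus/TCP among themselves
]

# Number of call-outs from one internal host to the same external address that we treat as beaconing.
BEACON_THRESHOLD = 3


def parse_flows(text):
    """Parse whitespace-separated flow records into Flow tuples, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto))
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETWORKS)


def is_authorized(flow, policy):
    """True if some policy rule permits this source/destination/port combination."""
    for src_net, dst_net, ports in policy:
        if flow.src in ipaddress.ip_network(src_net) and flow.dst in ipaddress.ip_network(dst_net):
            if ports is None or flow.dport in ports:
                return True
    return False


def classify(flow, policy):
    """Label a flow: external call-out, internal flow outside the allowlist, or ok."""
    if not is_internal(flow.dst):
        return "external_callout"
    if not is_authorized(flow, policy):
        return "segment_violation"
    return "ok"


def analyze(text, policy=POLICY, beacon_threshold=BEACON_THRESHOLD):
    """Run every flow through classify() and summarize findings, including repeated call-outs."""
    report = {"external_callout": [], "segment_violation": [], "beacons": []}
    pair_counts = Counter()
    for flow in parse_flows(text):
        verdict = classify(flow, policy)
        if verdict == "ok":
            continue
        report[verdict].append(flow)
        if verdict == "external_callout":
            pair_counts[(str(flow.src), str(flow.dst))] += 1
    report["beacons"] = [pair for pair, n in pair_counts.items() if n >= beacon_threshold]
    return report


if __name__ == "__main__":
    result = analyze(SAMPLE_FLOWS)
    for verdict in ("external_callout", "segment_violation"):
        for flow in result[verdict]:
            print(f"{verdict}: {flow.ts} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
    for src, dst in result["beacons"]:
        print(f"beacon candidate: {src} repeatedly contacting {dst}")
```

On the constructed records the script flags the three outbound connections from the IT workstation to the external address (and groups them as a beacon candidate, the kind of alert the post says should have existed), and flags the IT-to-SCADA RDP flow as a segmentation violation because no rule authorizes it. The two flows that match the allowlist pass silently, which is the point of a default-deny, allowlist-based segmentation policy: discovery traffic between segments is visible as a violation rather than lost in the noise.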
You can learn more about the specifics of Dispersive’s technology here.
In a recent blog, we noted that in a KPMG survey of utility CEOs, 48% "showed concern that becoming a victim of a cyber-attack is a matter of 'when' and not 'if.'" The awareness is clearly there. The challenge is to ensure that utilities adopt the right combination of culture and tools, so that they can best ensure they don’t become the next Ukraine.