Researchers Reveal Malware Designed To 'Power Down' Electric Grid (securityledger.com)
chicksdaddy writes: A sample of malicious software discovered at the site of a December 2016 cyber attack on Ukraine's electrical grid is a previously unknown program that could be capable of causing physical damage to the electrical grid, according to reports by two security firms. The Security Ledger reports: "Experts at the firm ESET and Dragos Security said on Monday that the malicious software, dubbed CrashOverride (Dragos) or Industroyer (ESET), affected a 'single transmission level substation' in the Ukraine attack on December 17th, 2016 in what appears to have been a test run. Still, experts said that features in the malware show that adversaries are automating and standardizing what were previously manual attacks against critical infrastructure, while also adding features that could be used to physically disable or damage critical systems -- the first evidence of such activity since the identification of the Stuxnet malware in 2010. The Crash Override malware 'took an approach to understand and codify the knowledge of the industrial process to disrupt operations as STUXNET (sp) did,' wrote Dragos Security in a report. The malware improves on features seen in other malicious software that is known to target industrial control systems. Specifically, the malware makes use of and manipulates industrial control system-specific communications protocols. That's similar to features in ICS malware known as Havex that targeted grid operators in Europe and the United States in 2014. The Crash Override malware also targeted the libraries and configuration files of so-called 'Human Machine Interfaces' (or HMIs) to understand the environment they have infected. It can use HMIs, which provide a graphical interface for managing industrial control system equipment, to connect and spread to other Internet-connected equipment and systems, Dragos said."
I live in southern California and there are two major electric lines, one from the east and the other from the north. Damage to either would be likely, and due to their remote location there would be a six or eight hour drive from the nearest place that might have any repair ability. There's no power to pump fuel from underground tanks, so how can any agency respond? Add an earthquake to the scene....
From a technical point of view, only because it was more convenient and less costly.
But the real reason is, in almost all countries this tends to be "good enough" as no one will dare to attack you -- even if the attack itself can be easily anonymized, "cui bono" makes the attacker obvious (and a false flag operation would be pretty risky).
Except for Ukraine -- a country with a big powerful enemy it's currently at war with, and has no friends. It's beyond obvious who wants to destroy their power grid, but at this moment Russia has no real downside in revealing their hand. Thus, this is a show of strength.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
That's the thing, they don't have to be to be a problem. That was the ingenious thing with Stuxnet... It had two parts, the worm that infected internet-connected hosts, and the thumb drive vector that allowed it to jump the air gap. It's entirely likely that it originated with infected thumb drives that were dropped in parking lots/buses/etc. frequented by the engineers working on Iran's nuclear programme. People being people, they stuck the thumb drives into their machines, on either side of the air gap, and then the worm spread through the isolated side of the network, infecting the PLCs driving their centrifuges.
That said, I operate the network for an organization that has its own private power system (a small hydro-electric system isolated from the main grid). As much as I would like to physically isolate our power control network from our main operational network, it's unfortunately not practical. Instead, the main control of the turbines, exciters, generators and such is strongly firewalled, and then the load shedding components in the rest of the campus are on an isolated VLAN. There is additional protection through strategic use of VRFs and the like. Is it perfect? No, but it's the best I can do.
...si hoc legere nimium eruditionis habes...
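The segmentation described in the comment above (control network behind a firewall, load-shedding gear on its own VLAN, campus everywhere else) only helps if the allow-list is actually enforced, so an added example, not the poster's code or network, checks constructed flow records against such a policy. Zone prefixes, ports and the sample flows are all assumed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical addressing for the three zones the comment describes (assumed, not a real network).
ZONES = {
    "control":  ipaddress.ip_network("10.10.0.0/24"),   # turbines, exciters, generators
    "loadshed": ipaddress.ip_network("10.20.0.0/24"),   # load-shedding components, isolated VLAN
    "campus":   ipaddress.ip_network("10.100.0.0/16"),  # general operational network
}

# Allow-list of (src zone, dst zone, dst port) the firewall should pass; ports are placeholders.
# Any other flow *into* a protected zone is a policy violation worth alerting on.
ALLOW = {
    ("campus",  "control",  443),   # operator workstations to the HMI front end (assumed)
    ("control", "loadshed", 502),   # control network to load-shedding devices (assumed)
}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is outside every defined prefix."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def violations(flows):
    """Return the flows that enter a protected zone without a matching allow-list entry."""
    bad = []
    for f in flows:
        src, dst = zone_of(f.src), zone_of(f.dst)
        if dst in ("control", "loadshed") and (src, dst, f.dport) not in ALLOW:
            bad.append(f)
    return bad

# Constructed sample flow records, not captured traffic.
SAMPLE = [
    Flow("10.100.3.7", "10.10.0.5", 443),   # campus -> HMI on the listed port: allowed
    Flow("10.100.3.7", "10.10.0.5", 445),   # campus -> control on an unlisted port: violation
    Flow("10.100.9.2", "10.20.0.8", 502),   # campus reaching load shedding directly: violation
    Flow("10.10.0.5",  "10.20.0.8", 502),   # control -> load shedding on the listed port: allowed
]

if __name__ == "__main__":
    for f in violations(SAMPLE):
        print(f"ALERT {f.src} -> {f.dst}:{f.dport} ({zone_of(f.src)} -> {zone_of(f.dst)})")
```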
In the old days, i.e. before 1994 when most of the US deregulated, a utility company could gold plate their EMS SCADA and pass all the costs on to us residential consumers in the name of reliability services. Once they had to compete, you start seeing cost saving measures like VPN arrive, and yes, there was a time when one would say "Why is this on the Internet?!?" The 2001 terrorist attack led to CEII rules, but people were getting complacent by 2007. The DOE ran a project called Aurora that scared the crap out of utility companies, partly so they could get the industry to adopt hardening standards and government oversight. Today, there is a mix of access technologies, whitelisted firewalls with multi-factor auth, but also an awareness of attack vectors through phishing and social engineering. Why crack a system when an employee could carry the payload into the complex?