Researchers Reveal Malware Designed To 'Power Down' Electric Grid

chicksdaddy writes: A sample of malicious software discovered at the site of a December, 2016 cyber attack on Ukraine's electrical grid is a previously unknown program that could be capable of causing physical damage to the electrical grid, according to reports by two security firms. The Security Ledger reports: "Experts at the firm ESET and Dragos Security said on Monday that the malicious software, dubbed CrashOverride (Dragos) or Industroyer (ESET) affected a 'single transmission level substation' in the Ukraine attack on December 17th, 2016 in what appears to have been a test run. Still, experts said that features in the malware show that adversaries are automating and standardizing what were previously manual attacks against critical infrastructure, while also adding features that could be used to physically disable or damage critical systems -- the first evidence of such activity since the identification of the Stuxnet malware in 2010. The Crash Override malware 'took an approach to understand and codify the knowledge of the industrial process to disrupt operations as STUXNET (sp) did,' wrote Dragos Security in a report. The malware improves on features seen in other malicious software that it knows to target industrial control systems. Specifically, the malware makes use of and manipulates industrial control system-specific communications protocols. That's similar to features in ICS malware known as Havex that targeted grid operators in Europe and the United States in 2014. The Crash Override malware also targeted the libraries and configuration files of so-called 'Human Machine Interfaces' (or HMIs) to understand the environment they have infected. It can use HMIs, which provide a graphical interface for managing industrial control system equipment, to connect spread to other Internet connected equipment and systems, Dragos said."

Re:The question at hand:

[Strider-]

That's the thing, they don't have to be to be a problem. That was the ingenious thing with Stuxnet... It had two parts, the worm that infected internet connected hosts, and the thumbdrive vector that allowed it to jump the air gap. It's entirely likely that it originated with infected thumb drives that were dropped in parking lots/buses/etc... frequented by the Engineers working on Iran's nuclear programme. People being people, they stuck the thumb drives into their machines, on either side of the air gap, and then the worm spread through the isolated side of the network, infecting the PLCs driving their centrifuges.

That said, I operate the network for an organization that has their own private power system (small hydro-electric system isolated from the main grid). As much as I would like to physically isolate our power control network from our main operational network, it's unfortunately not practical. Instead the main control of the turbines, exciters, generators and such is strongly firewalled, and then the load shedding components in the rest of the campus are on an isolated VLAN. There is additional protection through strategic use of VRFs and the like. Is it perfect? no, but it's the best I can do.