CrashOverride ADMS

The document discusses the CrashOverride malware platform which was used in a 2016 cyberattack against the Ukrainian power grid. It summarizes the malware's capabilities, including scanning and mapping industrial control systems to issue commands to circuit breakers. It then provides recommendations to mitigate risks, including applying the "Seven Steps to Effectively Defend Industrial Control Systems" and increasing security awareness of employees.

Uploaded by

Pedrito Orange
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
99 views21 pages

CrashOverride ADMS

The document discusses the CrashOverride malware platform which was used in a 2016 cyberattack against the Ukrainian power grid. It summarizes the malware's capabilities, including scanning and mapping industrial control systems to issue commands to circuit breakers. It then provides recommendations to mitigate risks, including applying the "Seven Steps to Effectively Defend Industrial Control Systems" and increasing security awareness of employees.

Uploaded by

Pedrito Orange
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 21

CrashOverride - ADMS protection

Confidential Property of Schneider Electric


WEF Global Risks Landscape 2017



Emerging Threats to Cyber-Physical Systems

source: Enisa, Threat Landscape Report January 2016


Ukraine Power Grid Cyber-attack

• Cyber-attack on Kiev, Ukraine transmission substations on December 17th, 2016
• It was part of a series of malicious hacks that recently targeted key Ukrainian infrastructure, including the country's rail system server, several government ministries, and a national pension fund
• The result was a power outage that left customers without electricity
• It lasted for about an hour; parts of Kiev were in total darkness
• The attack was not meant to have any lasting dramatic consequences
• The attackers could have done many more things
• It was more like a demonstration of capabilities
• The attack was performed using the CrashOverride malware platform



Risk to ADMS

• The malware does not actively exploit any weaknesses in the ADMS solution itself
• Appropriate OS updates were issued by Microsoft
• These updates are approved for use on the ADMS platform
• However:
  • There is a risk, as ADMS communicates with field devices using the affected protocols and runs on the affected OS platform, which is vulnerable if unpatched
• Technical analysis to date suggests a wide range of capabilities, and we encourage all asset owners to ensure that they follow the security recommendations included in this document



CrashOverride (Win32/Industroyer)

• Represents a scalable, capable malware platform
• The modules and capabilities publicly reported appear to focus on organizations using these ICS protocols:
  • IEC 60870-5-101 (IEC 101)
  • IEC 60870-5-104 (IEC 104)
  • IEC 61850
  • OLE for Process Control Data Access (OPC DA)
• The malware abuses a targeted ICS system’s legitimate control system functionality to achieve its intended effect



Malware Capabilities

• Actively scans and maps the ICS environment using a variety of protocols
  • Enumerates switches and circuit breakers with the intent to automatically open/close them in a later attack stage
• Issues valid commands directly to remote terminal units (RTUs) over ICS protocols
  • One such command sequence toggles circuit breakers in a rapid open-close-open-close pattern
• Includes a wiper module that renders Microsoft Windows systems inert, requiring a rebuild or backup restoration
• Denies service to local serial COM ports on Windows devices
  • Prevents legitimate communications with field equipment over serial from the affected device
• Might exploit a Siemens relay denial-of-service (DoS) vulnerability
  • Leads to a shutdown of the relay



Simplified Components

source: https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf



Detection

• Traditional methods of detection may not be sufficient to detect infections prior to the malware executing
• Implement behavioral analysis techniques to attempt to identify precursor activity to CrashOverride
• Detect anomalies in the system’s regular operation using tools like:
  – SIEM
  – host monitoring
  – network monitoring
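The behavioural checks the Capabilities and Detection slides call for, as an added example that is not part of the original deck or of any Schneider Electric product: it runs over constructed records of parsed IEC 104 command and interrogation ASDUs (as a network monitoring sensor might export them) and flags commands from hosts outside a hypothetical ADMS master allowlist, one source interrogating many RTUs (mapping), and rapid open/close alternation on one breaker point. The allowlist, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

C_SC_NA_1, C_DC_NA_1, C_IC_NA_1 = 45, 46, 100   # IEC 60870-5-104 type IDs: single cmd, double cmd, interrogation
KNOWN_MASTERS = {"10.0.1.10"}                    # hypothetical allowlist of ADMS front-end hosts

# Constructed sample records as a network sensor might export parsed IEC 104 ASDUs:
# (time, src, dst RTU, type id, IOA, value); for double commands value 1 = OFF/open, 2 = ON/close.
RECORDS = [
    ("2016-12-17T22:50:01", "10.0.1.10", "10.0.5.21", C_DC_NA_1, 1001, 2),  # normal operator command
    ("2016-12-17T22:55:00", "10.0.9.77", "10.0.5.21", C_IC_NA_1, 0, 20),    # interrogations from a foreign host
    ("2016-12-17T22:55:02", "10.0.9.77", "10.0.5.22", C_IC_NA_1, 0, 20),
    ("2016-12-17T22:55:04", "10.0.9.77", "10.0.5.23", C_IC_NA_1, 0, 20),
    ("2016-12-17T23:00:00", "10.0.9.77", "10.0.5.21", C_DC_NA_1, 1001, 1),  # open
    ("2016-12-17T23:00:01", "10.0.9.77", "10.0.5.21", C_DC_NA_1, 1001, 2),  # close
    ("2016-12-17T23:00:02", "10.0.9.77", "10.0.5.21", C_DC_NA_1, 1001, 1),  # open
    ("2016-12-17T23:00:03", "10.0.9.77", "10.0.5.21", C_DC_NA_1, 1001, 2),  # close
]

def _ts(r):
    return datetime.fromisoformat(r[0])

def unexpected_masters(records, known=KNOWN_MASTERS):
    """Hosts sending IEC 104 commands or interrogations that are not known ADMS masters."""
    return sorted({r[1] for r in records if r[1] not in known})

def enumeration_sources(records, min_rtus=3):
    """Sources that general-interrogate at least min_rtus distinct RTUs (mapping behaviour)."""
    rtus = defaultdict(set)
    for r in records:
        if r[3] == C_IC_NA_1:
            rtus[r[1]].add(r[2])
    return sorted(src for src, seen in rtus.items() if len(seen) >= min_rtus)

def rapid_toggles(records, min_flips=3, window=timedelta(seconds=10)):
    """(RTU, IOA) points whose command value alternated at least min_flips times inside one window."""
    by_point = defaultdict(list)
    for r in records:
        if r[3] in (C_SC_NA_1, C_DC_NA_1):
            by_point[(r[2], r[4])].append(r)
    hits = []
    for point, recs in by_point.items():
        recs.sort(key=_ts)
        for i in range(len(recs)):
            run = [x for x in recs[i:] if _ts(x) - _ts(recs[i]) <= window]
            if sum(a[5] != b[5] for a, b in zip(run, run[1:])) >= min_flips:
                hits.append(point)
                break
    return sorted(hits)
```

Each function returns the offending hosts or points, so the results can be forwarded to the SIEM as alerts; the operator command at 22:50 is not flagged because it comes from an allowed master and is not followed by further commands inside the window.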



Impact

• Disruption to regular operations
• Might be leveraged to carry out attacks similar to the attack on DSOs in Ukraine, but on a larger scale via automated command execution
• Temporary or permanent loss of sensitive or proprietary information
• Financial losses incurred to restore systems and files
• Potential harm to an organization’s reputation



Mitigation and Recommendation Solution

• There is no set of defensive techniques or programs that will completely avert all attacks
• Layered cybersecurity defenses will aid in reducing an organization’s attack surface and will increase the likelihood of detection
• Apply the measures given in the Seven Steps to Effectively Defend Industrial Control Systems document created jointly by DHS, FBI and NSA (link)
  1. Application whitelisting
  2. Ensure proper configuration/patch management
  3. Reduce attack surface area
  4. Build a defendable environment
  5. Manage authentication and authorization
  6. Implement secure remote access
  7. Monitor and respond


Implementation of Seven Measures in ADMS
1. Application Whitelisting

• Antivirus and integrity check tools
• Removal of unneeded applications and services
• Microsoft Software Restriction Policy
• Integration with third-party application whitelisting tools



Implementation of Seven Measures in ADMS
2. Ensure Proper Configuration/Patch Management

• Proper configuration/patch management procedures
• Special management (sub)network
• Configuration/patch updates are possible only from specific hosts
• Multiple rounds of testing before applying changes to the production environment



Implementation of Seven Measures in ADMS
3. Reduce Attack Surface Area

• Isolated network
• Deny-by-default firewall configuration
• Regular backups
• Disaster recovery (DR) location



Implementation of Seven Measures in ADMS
4. Build a Defendable Environment

• Electronic security perimeter
• Network segmentation into zones
• Firewalls between zones
• Network access control
• Intrusion detection system
• Redundant components



Implementation of Seven Measures in ADMS
5. Manage Authentication and Authorization

• Minimal privileges
• Active Directory
• Kerberos
• Role-based access control (RBAC)
• Only authenticated users can access the systems’ functions
• No guest accounts
• Special controls for highly privileged accounts
• Strong passwords, password complexity and periodic password change
• Different accounts for different zones
• Session management



Implementation of Seven Measures in ADMS
6. Implement Secure Remote Access

• Special credentials for remote access
• Limited access
• Secured (encrypted) communication
• VPN



Implementation of Seven Measures in ADMS
7. Monitor and Respond

• Log all security-related information:
  • Network traffic
  • Authentication attempts
  • Application start-up and shutdown
  • Application failures
  • Configuration changes
  • Requests and server responses
  • …
• Integration with third-party Security Information & Event Management (SIEM) tools to analyze logs
• Access control to logs
• Prevent unauthorized log modification
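One way to make the security log tamper-evident, as an added example that is not part of the original deck or of the ADMS product: each entry is bound to the previous entry with an HMAC, so rewriting or deleting an earlier record (for example who made a configuration change) breaks verification at that point. The key, event fields and timestamps are constructed for the example; in practice the key would be held by the log collector or SIEM forwarder, not by the host being audited.

```python
import hashlib
import hmac
import json

# Hypothetical chain key: held by the log collector / SIEM forwarder, never by the host being audited.
CHAIN_KEY = b"constructed-example-key-do-not-reuse"
GENESIS = "0" * 64

def _tag(prev_tag, event):
    body = json.dumps(event, sort_keys=True)          # canonical encoding so identical events hash identically
    return hmac.new(CHAIN_KEY, (prev_tag + body).encode(), hashlib.sha256).hexdigest()

def append_entry(chain, event):
    """Append an event, binding it to the previous entry's tag so later edits or deletions break the chain."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    chain.append({"event": event, "tag": _tag(prev_tag, event)})
    return chain[-1]["tag"]

def verify_chain(chain):
    """Return the index of the first entry whose tag does not verify, or -1 if the chain is intact."""
    prev_tag = GENESIS
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(_tag(prev_tag, entry["event"]), entry["tag"]):
            return i
        prev_tag = entry["tag"]
    return -1

# Constructed sample events of the kinds the slide lists (authentication, application start, configuration change).
SAMPLE_EVENTS = [
    {"t": "2016-12-17T22:40:00", "type": "auth", "user": "operator1", "result": "success"},
    {"t": "2016-12-17T22:41:10", "type": "app_start", "app": "adms_frontend"},
    {"t": "2016-12-17T22:45:30", "type": "config_change", "item": "firewall_rule", "by": "admin"},
]

def build_sample_chain():
    chain = []
    for ev in SAMPLE_EVENTS:
        append_entry(chain, ev)
    return chain

def tampered_index():
    """Rewrite who made the configuration change after the fact and report where verification fails."""
    chain = build_sample_chain()
    chain[2]["event"]["by"] = "operator1"
    return verify_chain(chain)

def deleted_index():
    """Remove the application start entry and report where verification fails."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)
```

Truncating the newest entries is not caught by this check alone, so the latest tag should also be forwarded to the SIEM and compared against the local chain.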



But… Awareness is of Utmost Importance

• Many breaches were initiated by human negligence:
  • Opening malicious e-mails
  • Running malicious applications
  • Accessing infected sites
  • …
• Perform regular security-related training and courses to increase the security awareness of employees



Useful Links on CrashOverride Malware

• US-CERT - Alert on CrashOverride
  • https://www.us-cert.gov/ncas/alerts/TA17-163A
• ESET – Industroyer: A New Threat for Industrial Control Systems
  • https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
• DRAGOS – CrashOverride: Analysis of the Threat to Electric Grid Operations
  • https://www.dragos.com/blog/crashoverride/CrashOverride-01.pdf
