The National Cybersecurity and Communications Integration Center (NCCIC) is aware of public reports from ESET and Dragos outlining a new, highly capable Industrial Control Systems (ICS) attack platform that was reportedly used in 2016 against critical infrastructure in Ukraine. As reported by ESET and Dragos, the CrashOverride malware is an extensible platform that could be used to target critical infrastructure sectors. NCCIC is working with its partners to validate the ESET and Dragos analysis and to develop a better understanding of the risk this new malware poses to U.S. critical infrastructure.
What is the CrashOverride malware and how dangerous is it?
Chuck Brooks, 2017 Cybersecurity Marketer of the Year and Vice President of Government Relations & Marketing at Sutherland, explains for IIoT World: “‘Industroyer’ is a malware threat that has serious implications for critical infrastructure cybersecurity. It is difficult to detect because it relies on industrial protocols rather than ‘zero-day’ software to infect targets. Researchers from the security firm ESET describe the malware as the most sophisticated to hit industrial control systems since Stuxnet. I concur with their assessments of the lethality and sophistication of the threats. In the specific case of power plants, the Industroyer malware can seize and control electricity substation switches and circuit breakers directly, causing blackouts. This was demonstrated in the Ukraine attacks. More ominous is that the Industroyer malware is modular and can be customized to target other critical infrastructure, including transportation, with similar industrial protocols.”
“With all of the buzz around Industroyer being ‘the next Stuxnet,’ you’d think it was one of the most sophisticated threats out there, but with no zero-days in the Industroyer payload, the significance of this malware as a stand-alone event is small.
Security for critical infrastructure assets like industrial control systems is important, but we need to remember that malware like Industroyer, or WannaCry, represent the new normal of today’s fast-paced security environment and require a different approach. There’s no way to be strategic about your security if you’re always reacting to the threat of the day.
“It’s easy to hit the snooze button and ignore these kinds of wake-up calls, especially when attacks happen in other countries and regulatory compliance receives such a strong focus within power. This is not a path we as an industry can sustain. Flipping the script on prioritizing good cybersecurity over good compliance is a step down a better path.”
The lessons for IIoT
“The lesson for IIoT is that cybersecurity is a software, hardware, and protocol issue. Where there are any vulnerabilities, hackers will attack. There are no failsafe remedies, but the risks to critical infrastructure must be prioritized and investments must be made in upgrading security posture by both governments and the private sector. This prioritization will require a strong risk management approach, layering of defenses, and adding new technologies and policies to enable detection of threats. The real challenge across the wide and diverse critical infrastructure attack surface is to mitigate malware threats quickly before any major damage is done,” says Chuck Brooks.
John Chirhart adds: “As cloud and IoT break down the distinction between operational technology like ICS/SCADA and information technology like laptops and mobile devices, most security vendors have failed to innovate at the rate of change, so the convergence of modern IT and OT computing assets is leaving customers struggling to discover and secure all of the devices on their networks.
Single-use ‘best of breed’ security products are no longer enough. CISOs need a unified view from a single platform that can draw on active, passive and agent scanning to see everything from containers to MRI machines. Stop chasing the latest headline-breaking threat and instead implement a strategic and agile security program to proactively manage cyber risk for the modern enterprise. That’s what separates a world-class cyber organization from a mediocre one.”
Ken Spinner, VP of Field Engineering at Varonis, thinks that “One of the most effective defenses against large-scale cyberattacks on critical infrastructure is to establish separate, air-gapped networks that provide a physical line of defense. Separating core power systems from each other and the greater Internet can help mitigate attacks.”
As a conclusion on the report published yesterday by ESET and Dragos, Ian Thornton-Trump, Head of Security at ZoneFox, says: “The recent CrashOverride report from Dragos identifies a sophisticated, nation-state-sponsored attack capability which was targeted on the Ukraine to further advance a political agenda. The worldwide security community was involved in the discovery, analysis and response to the Ukraine power grid attacks. This unity in researching and understanding the threat and ways to counter that threat brings some comfort to Industrial Control System (ICS) operators all over the world. It is somewhat disappointing this research took a fair amount of time to become public. One would think a cyber-attack of this level and sophistication targeting the power grid would have elicited a considerable and substantial effort from opposing nation-state members concerned about their own ICS exposure to this attack.”