ICS-CERT Reports on December Ukraine Power Outage

This afternoon the DHS ICS-CERT published an incident response alert for the power outages in the Ukraine that occurred on December 23^rd, 2015. ICS-CERT reports that “that power outages were caused by remote cyber intrusions at three regional electric power distribution companies”.

The Report

ICS-CERT reports that the attacks on multiple facilities occurred within 30 minutes of each other. The actual power outage was caused by attackers remotely shutting off breakers either thru “existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections”. To hamper recovery efforts, the attackers:

• Used KillDisc malware to over-write HMI interfaces embedded on remote terminal units (RTU);

• Corrupted firmware on Serial-to-Ethernet communications devices at substations; and

• Scheduled disconnects of UPS devices via their remote management interfaces.

The Alert also reported the previously identified fact that BlackEnergy malware had been detected on systems of the affected utilities, but ICS-CERT noted that they “do not know whether the malware played a role in the cyber-attacks”.

The report contains a relatively lengthy section on mitigation measures for industrial control systems. In addition to the measures reported in the ICS-CERT defense-in-depth strategies publication, the report recommends:

• Implementation of information resources management best practices;

• Develop and exercise contingency plans that allow for the safe operation or shutdown of operational processes in the event that their ICS is breached;

• Use Application Whitelisting (AWL) to detect and prevent attempted execution of malware uploaded by malicious actors;

• Isolate ICS networks from any untrusted networks, especially the Internet; and

• Limit Remote Access functionality wherever possible.

The report concludes by reporting that in addition to the previously identified YARA rules for the identification of BlackEnergy infections additional indicators of compromise developed for this incident can be found in a restricted distribution (TLP Green) publication (IR-ALERT-H-16-043-01P) on the US-CERT Secure Portal.

The Response

The response on TWITTER® was fairly quick this afternoon and was generally less than positive. Most of the negatives were about the lack of detailed data and the references in the report to the lack of technical information available to investigators. A good summary of these concerns about the report deficiencies has been provided in a Sans blog post by Robert M. Lee.

A major concern seems to be that this is more of a political document than a technical report. It has been suggested that the information in this alert should have been releases weeks ago by a political appointee and that this report should have provided more technical analysis that would aid system owners in the United States in detecting, delaying and stopping this type of attack.

Commentary

While certainly overdue (the facts in this report have been publicly reported by a number of cybersecurity organization weeks ago) this report is important because it is an official statement by the US Government that a successful cyber-physical attack did take place against electrical utilities in the Ukraine. What is missing from that declaration, however, is an equally clear statement that a similar successful attack could occur in the United States.

The mitigation measures suggested by this report are important tools in preventing a malware based cyber-attack. What is missing is an admission that even if these measures (with one exception) had been in place in the affected utilities, that the attack would still have been successful. None of the security measures address the fact (not reported here) that the BlackEnergy malware that was put into place by a phishing attack allowed the attackers to gain authorized access to the control systems to execute their attacks that shut down the breakers.

The only mitigation measure mentioned that might have addressed this attack avenue is found in one sentence: “Remote access should be operator controlled, time limited, and procedurally similar to ‘lock out, tag out’.” Even this may not have been adequate since the attackers were using operator level access. A more expansive discussion of what the terms ‘operator controlled’ and ‘time limited’ actually mean may have shown how they could have been used prevent this attack.

The main point of that mitigation measure should have been that remote access should be viewed as a non-standard condition that requires formal management risk assessment and approval; the well-established ‘lock out, tag out’ process. Systems legitimately requiring remote access should have to be taken off-line, physically isolated from the controlled process and then have to be verified operational before they are placed back in-line. This would have stopped the actual attack that shutdown power distribution in the Ukraine in December.

If the ICS-CERT restricted distribution report does have more complete (and effective) indicators of compromise (IOC) than just the BlackEnergy YARA rules, it is disappointing that those indicators were not released in today’s report. Certainly, the initial distribution of IOC, should be limited to critical infrastructure facilities that are likely to be affected by a similar attack. This allows those facilities to take effective measures to search their systems for such indicators and take appropriate mitigation measures.

At some point, however, the remainder of the control system community (owners, vendors, researchers and commentators) needs to be made aware of those IOC. This would allow owners of non-critical infrastructure to take measures (as appropriate) to prevent such attacks on their systems. More importantly it would allow for a more general discussion of the associated vulnerabilities that could lead to prevention of related attacks or development of more effective or cheaper mitigation measures.

We all have to remember, however, that this is the first time that ICS-CERT was allowed to report on an actual successful control system attack resulting in a cyber-physical effect. For what appears to be obvious reasons in hind-sight, ICS-CERT effectively ignored Stuxnet. So, ICS-CERT (and the politicians that control it) are still trying to figure out what they are going to do with actual, clearly identified attack information.

If, as it appears, ICS-CERT is withholding information at this late date (two months since the attack) about details of indicators of compromise, it bodes ill for the DHS mandate to establish a cybersecurity information sharing process. Information about IOC is the main thing that the private sector wants from DHS. If they are not willing to share that information, there is no need for the private sector to share information about attacks with DHS.