Richard Jones, VP Grid Security – Bridge Energy Group
Shawn Fountain, Principal Consultant – Bridge Energy Group
Most readers by now have probably heard about the early January announcement of malware found at a Vermont utility. To those familiar with the cyberattack-induced power outages in Ukraine in December 2015 that cut power to nearly 230,000 customers for several hours, this was not a surprise. While the Ukraine event is the only publicized power outage caused by a cyberattack, there have been other successful cyberattacks against SCADA and industrial control systems that put our critical infrastructure at risk and represent a clear warning signal for utility organizations.
This article explores the use of analytics and visualization techniques that could assist in the early detection of surveillance activities and malware infestations with the objective to prevent future outages like the Ukraine incident occurring in our back yard.
Ukraine Incident Background
For reference, let’s first review what happened in the Ukraine. The Ukraine attack is an excellent example of a well-planned, multi-threaded approach to gain unauthorized control of an electric system.
1) The initial attack vector was phishing emails with an attached Microsoft Word document containing macros that unleashed the BlackEnergy malware.
2) From there the attackers used a keylogger to steal login credentials.
3) They then moved up and across the network to achieve additional access, until they had the information and access they needed to design and install firmware modifications on:
- Breakers to open them.
- Serial-to-Ethernet converters to block remote visibility and control.
4) The attackers also rendered operator computers inoperable, and executed a denial of service (DoS) attack via phone calls to overwhelm the call center to delay customers reporting the outages.
The end result of the executed attack included remote control of equipment to cause power outages, while simultaneously clouding operator situational awareness to extend the outage duration.
Addressing Spear Phishing
As mentioned above, the initial entry was via phishing emails with an attachment. Some users do need to receive emails from outside their controlled environments, and most such emails are innocuous, but additional measures are now called for to protect utility systems.
Email and web content filtering (spam filters) could potentially have prevented the phishing emails from reaching employee inboxes. In addition, email diagnostics and other processes may have identified the embedded BlackEnergy malware, raised alerts, and quarantined the email to help prevent the attack. Role-based controls governing which users may receive emails with attachments would have provided further protection. Many of these tools apply business rules such as:
- Identifying anomalous sources;
- Filtering out emails with micro-sized attachments for special analysis;
- Holding or filtering out external emails with the same attachment sent to multiple persons;
- Holding or filtering out external emails from the same unknown source sending separate emails with URL links to multiple persons.
The use of analytics and visualizations could have increased general awareness by collating this information with historic statistics such as the percentage of emails that are phishing, the percentage of phishing emails that made it through to the users, and the percentage of phishing emails where users clicked to open an attachment or URL.
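The two "same attachment / same unknown source to multiple persons" rules above, implemented over a constructed set of inbound mail metadata. This is an added illustration, not code from the authors or from any filtering product; the record fields, sender names and the threshold of three recipients are assumptions.

```python
from collections import defaultdict

# Constructed sample of inbound mail metadata (not real traffic): one record per
# delivered message, with sender, recipient, attachment hash (if any), whether the
# body carried URL links, and whether the sender is outside the organization.
EMAILS = [
    {"from": "payroll@example-vendor.test", "to": "alice", "attachment": "h1", "links": False, "external": True},
    {"from": "payroll@example-vendor.test", "to": "bob",   "attachment": "h1", "links": False, "external": True},
    {"from": "payroll@example-vendor.test", "to": "carol", "attachment": "h1", "links": False, "external": True},
    {"from": "news@unknown.test",           "to": "alice", "attachment": None, "links": True,  "external": True},
    {"from": "news@unknown.test",           "to": "dave",  "attachment": None, "links": True,  "external": True},
    {"from": "news@unknown.test",           "to": "erin",  "attachment": None, "links": True,  "external": True},
    {"from": "hr@corp.internal",            "to": "alice", "attachment": "h2", "links": True,  "external": False},
    {"from": "hr@corp.internal",            "to": "bob",   "attachment": "h2", "links": True,  "external": False},
]

# Assumed allow-list of senders the organization already knows.
KNOWN_SENDERS = {"hr@corp.internal", "partner@trusted-vendor.test"}


def same_attachment_to_many(emails, threshold=3):
    """Rule: hold external mail whose identical attachment reached >= threshold distinct recipients."""
    recipients = defaultdict(set)
    for m in emails:
        if m["external"] and m["attachment"]:
            recipients[m["attachment"]].add(m["to"])
    return {h: sorted(r) for h, r in recipients.items() if len(r) >= threshold}


def unknown_source_links_to_many(emails, known_senders, threshold=3):
    """Rule: hold URL-bearing mail an unknown external sender sent separately to >= threshold people."""
    recipients = defaultdict(set)
    for m in emails:
        if m["external"] and m["links"] and m["from"] not in known_senders:
            recipients[m["from"]].add(m["to"])
    return {s: sorted(r) for s, r in recipients.items() if len(r) >= threshold}


def hold_queue(emails, known_senders, threshold=3):
    """Return the (sender, recipient) pairs either rule would hold for analyst review."""
    flagged_att = same_attachment_to_many(emails, threshold)
    flagged_src = unknown_source_links_to_many(emails, known_senders, threshold)
    return {(m["from"], m["to"]) for m in emails
            if m["attachment"] in flagged_att or m["from"] in flagged_src}
```

Internal mail (the `hr@corp.internal` records) is never held by either rule, which is the behaviour a deployment would want before adding role-based attachment controls on top.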
Identify Abnormal Activity
The phishing attack installed the BlackEnergy malware and a keylogger to obtain login credentials. The stolen login credentials were used to install more malware. Network Intrusion Detection Systems (NIDS) could flag irregular activity, such as increased or otherwise irregular inbound data flows from malware being installed. Network Intrusion Prevention Systems (NIPS) could block malware from being uploaded to a network.
The spectrum of identification tools also includes host-based software, network scanning, next-generation firewalls, correlation and analysis of disparate data (including log data), rule-based alarms, summary dashboards, reporting, and other tools and processes. Automated push alerts and dashboard visualizations also add value in highlighting the anomalies.
Network Security Monitoring (NSM) is the broader practice of monitoring networks and applying analytics to identify intrusions, auditing across information sources and across time to surface abnormalities, including suspect outbound data flows. NSM emphasizes monitoring login patterns, the amount and source of inbound data, the amount and destination of outbound data, and other network statistics. Correlating network data with other information across space and time provides deeper, more intuitive insight. For example, user logins can be compared to badge entries to determine whether the data implies that a user is in more than one location at the same time.
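The login-versus-badge correlation just described, as an added example over constructed events (not code from the authors). The site names, timestamps and the four-hour badge window are assumptions; a login is flagged when the credential was used at a site other than the one the person last badged into, or when there is no badge entry for that person at all.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Badge records say where a person
# physically is; login records say where a credential was used interactively.
BADGE = [
    ("alice", "2016-01-05T08:02:00", "substation-7"),
    ("bob",   "2016-01-05T08:10:00", "control-center"),
]
LOGINS = [
    ("alice", "2016-01-05T08:20:00", "substation-7"),    # consistent with badge
    ("alice", "2016-01-05T08:25:00", "control-center"),  # 'alice' in two places at once
    ("bob",   "2016-01-05T09:00:00", "control-center"),  # consistent
    ("carol", "2016-01-05T09:30:00", "substation-3"),    # no badge record at all
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def last_badge_location(badge, user, at, window=timedelta(hours=4)):
    """Site of the user's most recent badge-in within `window` before `at`, or None."""
    best = None
    for u, ts, site in badge:
        t = _parse(ts)
        if u == user and t <= at and at - t <= window:
            if best is None or t > best[0]:
                best = (t, site)
    return best[1] if best else None


def correlate(logins, badge, window=timedelta(hours=4)):
    """One finding per login whose site disagrees with, or lacks, a recent badge entry."""
    findings = []
    for user, ts, site in logins:
        where = last_badge_location(badge, user, _parse(ts), window)
        if where is None:
            findings.append((user, ts, site, "no badge entry in window"))
        elif where != site:
            findings.append((user, ts, site, f"badged at {where}"))
    return findings
```

In a real deployment the same function would run on a schedule against the badge system and the authentication logs, and each finding would become a dashboard entry or push alert rather than a tuple.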
Identify and Remove Malware
The BlackEnergy malware used in the Ukraine cyberattack, as well as other malware, is readily identified using advanced malware detection and forensic tools. Examples include Infocyte, Malwarebytes, and YARA. Each has the objective of proactively identifying and eliminating threats before the attack is launched. Ideally, these tools are already in place on critical environments, or they can be launched in response to an alert of anomalous behavior.
Analytics and visualization can be used to trend results across time to look for upticks or concentrations in malware infestation. That information coupled with additional statistics on when and what the tool was run on, including where it was not run, and when and what it is planned to be run on in the future, highlights weaknesses in controls, potential surveillance activities, and other unauthorized activity. Correlations across time and space may signal a multi-threaded cyberattack.
The addition of a geospatial visualization provides insight into geographic and specific “network areas” that may be more vulnerable or targeted. The concept of a “network area” enhances “visibility” and situational awareness of subnets such as those required by the NERC CIP requirements (ESP and LERC), local plant networks, battery and distributed generation sources, and other clusters of control systems that have connectivity to the operations network.
Reduce the Outage Severity
At the start of the attack actions that triggered the physical outage, an operator noticed the cursor on his computer moving to open a breaker. Had specific functionality and procedures been in place at that time, the extent of the outage could potentially have been limited. Key system elements can be designed with an autonomous mode that cuts off remote access; triggered remotely by operations, this action can curb substation-to-substation penetration. Analytics assessing the ongoing cyber event would feed the associated visualizations.
Predicting the Future
The Ukraine (and now Vermont) experiences have demonstrated that at a minimum we need:
- Deep security analytics and appropriate visualizations to create both general and real-time “operational” awareness and visibility into subnets and activities at all plant and substation facilities;
- More analysis on Phishing trends and subsequent targeted training to heighten user awareness and sensitivity;
- Broader use of Advanced Network Monitoring Systems, malware tools and analytics for the early identification of malware;
- Stronger adoption of two-factor authentication for all remote access to SCADA systems and devices, beyond those that are mandated by the current CIP Standards.
While there is no single set of defenses, widely available detection, prevention and removal technologies, coupled with visualizations and underlying analytics, provide a good but not complete defense. People and process must also be leveraged and aligned to deal with the evolving attack vectors and tools.
BRIDGE’s security model provides an excellent framework for utilities to evaluate their overall security posture and to make both strategic and specific tactical improvements in the continuous fight against cyber and physical attacks.
Together we can stop the next Ukraine-type attack.
About the Authors
Richard Jones, VP Grid Security at BRIDGE Energy Group, is a recognized thought leader in cybersecurity, NERC CIP and general utility regulatory compliance and reporting, with over 25 years of energy and utility industry experience providing business, technology and management consulting services. Prior to joining BRIDGE, Richard held a number of security leadership positions with the big 5 and industry-focused consulting firms.
Shawn Fountain, Principal Consultant at BRIDGE Energy Group, has more than 15 years’ experience in the energy space with a focus on software implementations. Fountain is well versed in business process mapping and organizational transformation. He has deep experience in project management and project oversight roles and frequently serves as a subject matter expert for requirements analysis for software implementations.
For more details see https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B.
For a more detailed description, see Analysis of the Cyber Attack on the Ukrainian Power Grid; E-ISAC; March 18, 2016.