June 20, 2017
Following reports that a brief blackout in Ukraine's capital Kiev last December was likely caused by newly discovered malware that targets physical processes in electricity sector industrial control systems, cybersecurity firms ESET and Dragos have now released their reports of the malware, which the two firms have respectively labelled Industroyer and CrashOverride.
The malware presents a serious threat as it employs network protocols common to grids in Europe, Asia and the Middle East, reported Liam Tung in Computerworld. ESET sees it as the 'biggest threat to industrial control systems since Stuxnet, the presumed US-Israeli cyberweapon that targeted a nuclear enrichment facility in Iran. It's the only known piece of malware since Stuxnet that is designed to interfere with physical industrial processes.'
The protocols allow operators to use remote terminal units to directly control substation switches and circuit breakers, for example, to help balance power across a grid. The concern centres on the new malware's ability to be quickly reconfigured to target other energy networks across the world, according to the researchers.
Dragos' report points to the ongoing balance needed by the security community when informing the public versus empowering adversaries with feedback on how they are being detected and analysed.
The current scenario is even more critical as there is no simple fix. It is not an aspect of technical vulnerability and exploitation. It cannot just be patched or architected away although the electric grid is entirely defensible. (See - 'Crashover' malware for power sector can cause black outs)
Human defenders leveraging an active defines such as hunting and responding internally to the industrial control system (ICS) networks can ensure that security is maintained.
Malaysia's ICS preparedness
Prompted by the release of the two reports, Russian headquartered cybersecurity provider Kaspersky Lab's Malaysia-based SEA general manager Sylvia Ng said: "We saw this in the 2015/2016 attacks on the Ukraine power grid, widely attributed to the threat actor known as Black Energy, a group we have monitored and reported on multiple times over the years."
"The malware described in the new report appears to be a highly sophisticated threat, the result of significant investment in technology and a deep understanding of how industrial control systems work," said Ng, adding that Kaspersky Lab's researchers have detected samples from this campaign under the family Trojan.Win32.Industroyer.
She said Kaspersky Lab has detected recent ICS attempts in June 2016 - described in its Securelist Blog: Nigerian Phishing Industrial companies under attack - where following well-crafted phishing emails, which carried an exploit for a vulnerability dating back to 2015, were sent to industrial companies from the metallurgy, electric power, construction, engineering and other sectors. Kaspersky Lab researchers found more than 500 attacked companies in more than 50 countries. Most of these companies are industrial enterprises and large transportation and logistics corporations.
On the heels of Malaysia retaining the 3rd spot in the second Global Cyber Security Index 2017 report for preparedness [by Switzerland-based International Telecommunications Union, ITU], CyberSecurity Malaysia's chief executive officer Dato' Dr. Haji Amirudin Abdul Wahab (pic below) talked with Computerworld Malaysia on the country's state of ICS readiness.