Implications of the DHS Alert on the Ukrainian Hack to US electric grids and nuclear plants

On February 23, 2016 I gave the keynote at the National Academy of Science, Engineering, and Medicine’s Government-University-Industry Research Roundtable on control system cyber security. I mentioned that the children’s book - The Emperor Wears No Clothes - reflects the current regulatory and industry thinking about cyber security of the electric grid.

On February 25, 2016 DHS ICS-CERT issued an Alert on the cyber-attack against Ukrainian critical infrastructure. The Alert emphasized that organizations should isolate ICS networks from any untrusted networks, especially the Internet. According to the DHS ICS CERT Monitor dated May-June 2015, “Some asset owners may have missed the memo about disconnect­ing control system from the Internet. Our recent experience in responding to organizations compromised during the BlackEnergy malware campaign continues to bring to light this major cyberse­curity issue—Internet connected industrial control systems get compromised. All infected victims of the BlackEnergy campaign had their control system directly facing the Internet without prop­erly implemented security measures. The BlackEnergy campaign took advantage of Internet connected ICS by exploiting previously unknown vulnerabilities in those devices in order to download malware directly into the con­trol environment. Once inside the network, the threat actors added remote access tools, along with other capabilities to steal credentials and collect data about the network. With this level of access, the threat actor would have the capability to manipulate the control system.” Obviously many end-users and system integrators have disregarded such advice as evidenced by Project Shine’s tally of over two million direct Internet connections to ICS systems and devices and the DHS disclosure. A similar statement can be made of many vendors judging by the continued enthusiasm for the industrial Internet of things.

The DHS Alert stated that the attackers rendered serial-to-Ethernet devices at substations inoperable by corrupting their firmware. In addition, the attackers reportedly scheduled disconnects for server Uninterruptable Power Supplies (UPS) via the UPS remote management interface. As identified in Project Shine, many serial-to-Ethernet converters and UPS remote management interfaces are directly connected to the Internet. However, neither serial-to-Ethernet converters or UPS remote management systems are directly included in NERC CIP or NEI-0809/Regulatory Guide 5.71 scope.

The affected Ukrainian companies believe that the attackers acquired legitimate credentials prior to the cyber-attack to facilitate remote access. As Jake Brodsky pointed out, “securing an ICS network with a VPN is pointless if the keys aren't also secured.” As the knowledge was gathered using BlackEnergy, it becomes critical to the US as BlackEnergy malware is in the US grids (see above) and there is no NERC CIP or NEI-0809/Regulatory Guide 5.71 requirement to remove this (or any other) malware.

All of the affected Ukrainian substations were low-level transmission or distribution. Consequently, those substations would be out-of-scope for the NERC CIPs. However, the initial NERC (ES-ISAC) response stated: “There is no credible evidence that the incident could affect North American grid operations and no plans to modify existing regulations or guidance based on this incident.”  Unless you believe in the book, The Emperor Wears No Clothes, it has been amply demonstrated in the Ukraine and by the DHS disclosure that existing regulations and guidance are inadequate to protect the US grid. Why hasn’t NERC changed their message? The grid is obviously at risk. Where is FERC?  Nuclear plants are also at risk. Where is the NRC?

Joe Weiss

Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.

Comments

  • This article clearly demonstrates why compliance based methodologies and risk management driven approaches to critical infrastructure protection are inadequate and not robust enough to provide the assurances necessary for ICS security. As an ICS security practitioner, I personally believe that we need to incorporate an engineer and architects view of what can go wrong in these systems - right from the bits getting manipulated in the firmware of field devices to fuzzing to encryption keys getting stolen etc.

    Reply

RSS feed for comments on this page | RSS feed for all comments