Implications of the DHS Alert on the Ukrainian Hack to US electric grids and nuclear plants

Feb. 29, 2016

The December 2015 Ukrainian hack can happen in the US despite the statements made to the contrary. DHS reiterates that BlackEnergy is in the US grid and that control systems should not be connected to the Internet.

On February 23, 2016 I gave the keynote at the National Academy of Science, Engineering, and Medicine’s Government-University-Industry Research Roundtable on control system cyber security. I mentioned that the children’s book - The Emperor Wears No Clothes - reflects the current regulatory and industry thinking about cyber security of the electric grid.

On February 25, 2016 DHS ICS-CERT issued an Alert on the cyber-attack against Ukrainian critical infrastructure. The Alert emphasized that organizations should isolate ICS networks from any untrusted networks, especially the Internet. According to the DHS ICS CERT Monitor dated May-June 2015, “Some asset owners may have missed the memo about disconnect­ing control system from the Internet. Our recent experience in responding to organizations compromised during the BlackEnergy malware campaign continues to bring to light this major cyberse­curity issue—Internet connected industrial control systems get compromised. All infected victims of the BlackEnergy campaign had their control system directly facing the Internet without prop­erly implemented security measures. The BlackEnergy campaign took advantage of Internet connected ICS by exploiting previously unknown vulnerabilities in those devices in order to download malware directly into the con­trol environment. Once inside the network, the threat actors added remote access tools, along with other capabilities to steal credentials and collect data about the network. With this level of access, the threat actor would have the capability to manipulate the control system.” Obviously many end-users and system integrators have disregarded such advice as evidenced by Project Shine’s tally of over two million direct Internet connections to ICS systems and devices and the DHS disclosure. A similar statement can be made of many vendors judging by the continued enthusiasm for the industrial Internet of things.

The DHS Alert stated that the attackers rendered serial-to-Ethernet devices at substations inoperable by corrupting their firmware. In addition, the attackers reportedly scheduled disconnects for server Uninterruptable Power Supplies (UPS) via the UPS remote management interface. As identified in Project Shine, many serial-to-Ethernet converters and UPS remote management interfaces are directly connected to the Internet. However, neither serial-to-Ethernet converters or UPS remote management systems are directly included in NERC CIP or NEI-0809/Regulatory Guide 5.71 scope.

The affected Ukrainian companies believe that the attackers acquired legitimate credentials prior to the cyber-attack to facilitate remote access. As Jake Brodsky pointed out, “securing an ICS network with a VPN is pointless if the keys aren't also secured.” As the knowledge was gathered using BlackEnergy, it becomes critical to the US as BlackEnergy malware is in the US grids (see above) and there is no NERC CIP or NEI-0809/Regulatory Guide 5.71 requirement to remove this (or any other) malware.

All of the affected Ukrainian substations were low-level transmission or distribution. Consequently, those substations would be out-of-scope for the NERC CIPs. However, the initial NERC (ES-ISAC) response stated: “There is no credible evidence that the incident could affect North American grid operations and no plans to modify existing regulations or guidance based on this incident.”  Unless you believe in the book, The Emperor Wears No Clothes, it has been amply demonstrated in the Ukraine and by the DHS disclosure that existing regulations and guidance are inadequate to protect the US grid. Why hasn’t NERC changed their message? The grid is obviously at risk. Where is FERC?  Nuclear plants are also at risk. Where is the NRC?

Joe Weiss

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...