Ukraine Cyber-Induced Power Outage: Analysis and Practical Mitigation Strategies
David E. Whitehead, Kevin Owens, Dennis Gammel, and Jess Smith, Schweitzer Engineering Laboratories, Inc.
Copyright © SEL 2016
Transcript of the 33-slide presentation

Page 1: Ukraine Cyber-Induced Power Outage: Analysis and Practical …prorelay.tamu.edu/wp-content/.../1-UkraineCyber_6774_DW_3113_20… · 01-04-2017  · • Targeted more than 50 substations

Ukraine Cyber-Induced Power Outage: Analysis and Practical Mitigation Strategies
David E. Whitehead, Kevin Owens, Dennis Gammel, and Jess Smith
Schweitzer Engineering Laboratories, Inc.

Page 2: Cyber Attack on the Ukrainian Power Grid, December 23, 2015
• Targeted more than 50 substations
• Left 225,000 customers without power for up to 6 hours
[Map: affected regions – Kyiv, Prykarpattia, Chernivtsi]

Page 3: Ukraine Distribution Cyber System Overview
[Diagram: control center (corporate network, SCADA network, two HMIs, call center, backup UPSs) connected through a port server and radio link to the substation overcurrent relay]

Page 4: Stage 1: Spear Phishing – March 2015
• Opening an attachment with a macro installs BlackEnergy3
[Diagram: Ukraine distribution system with attack path overlay – malicious actor(s) and encrypted tunnel into the corporate and SCADA networks]

Page 5: Stage 2: Access Corporate Network
• Malware provides initial backdoor access
[Diagram: attack path overlay, Stage 2]

Page 6: Stage 3: Theft of User Credentials
• Active Directory® credentials obtained
[Diagram: attack path overlay, Stage 3]

Page 7: Stage 4: Create Encrypted Tunnels
• Encrypted tunnel to the control center networks
[Diagram: attack path overlay, Stage 4]

Page 8: Stage 5: Gain Access to HMIs
• Accessed HMI computers in control center
[Diagram: attack path overlay, Stage 5]

Page 9: Stage 6: Manipulate Circuit Breakers – Attack Occurs on Dec 23, 2015 @ 3:30 PM
• HMI used to manually open breakers
[Diagram: attack path overlay, Stage 6]

Page 10: Stage 7: Additional Attack Actions
• Attacked call centers
• Switched off UPSs
• Corrupted RTU HMI firmware
• Corrupted port server firmware
[Diagram: attack path overlay, Stage 7]

Page 11: Stage 8: Destroy Hard Drives
• Used KillDisk malware to corrupt hard drives
[Diagram: attack path overlay, Stage 8]

Page 12: Power Restored Within Six Hours!
• System operated manually
[Diagram: Ukraine distribution system after the attack]

Page 13: SCADA Systems Are Still Operating in a Degraded State
• Still replacing corrupted equipment
• Enhancing network security
• According to ICS-CERT, adversary most likely still present
• Other sectors are probably vulnerable

Page 14: Creating a Robust Control System Architecture
• Identify risk
• Create a defense-in-depth model
• Implement effective controls
[Diagram: layered model – Level 6: People; Level 5: Perimeter (Enterprise Network); Level 4: SCADA; Level 3: Access; Level 2: Automation; Level 1: Protection; Level 0: Physical. Side annotations: IT above / OT below the perimeter, H2M above / M2M below the access layer, digital above / analog below the physical layer]

Page 15: Level 0: Physical – Measures and Operates
• Typically no digital communication
• Limit physical access
[Diagram: reference architecture – firewall/VPN at the perimeter, TDM and Ethernet switches, HMI PC and PLC, relays, serial radio, port server, meter, substation firewall, circuit breaker (52); Level 0 highlighted]

Page 16: Level 1: Protection – Isolates and Clears Faults
• Limit direct user interaction
• Monitor internal diagnostics
• Monitor alarms
[Diagram: reference architecture, Level 1 highlighted]

Page 17: Level 2: Automation – Protection and Control
• Continuously monitor settings and firmware configurations
• Collect and aggregate alarms
[Diagram: reference architecture, Level 2 highlighted]

Page 18: Level 3: Access – Segregates H2M From M2M
• Separate, restrict, and filter H2M from M2M
• Authorization, authentication, accountability
[Diagram: reference architecture, Level 3 highlighted]

Page 19: Level 4: SCADA – Interfaces With Control System
• Integrate traditional IT controls
• Monitor networks with IDS/IPS/NAC
[Diagram: reference architecture, Level 4 highlighted]

Page 20: Level 5: Perimeter – Isolates Control System
• Implement multifactor authentication
• Segment network
• NEVER connect your ICS to the Internet!
[Diagram: reference architecture, Level 5 highlighted]

Page 21: Level 6: People – Policies, Procedures, Training
• Apply least privilege
• Create awareness
• Develop and exercise contingency plans
[Diagram: reference architecture, Level 6 highlighted]

Page 22: Comparing Ukraine System and Security Model
[Diagram: Ukraine distribution system (control center, corporate and SCADA networks, HMIs, call center, backup UPSs, port server/radio, substation overcurrent relay) shown beside the layered reference architecture]

Page 23: Stage 1: Spear Phishing
• Training
• Email security controls: remove attachments, scan attachments
[Diagram: attack path overlay, Stage 1]
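As an added example, not code from the SEL presentation: a mail-gateway check for the "scan attachments / remove attachments" control. It flags Office attachments that carry a VBA project, the kind of macro-bearing attachment used in Stage 1, by looking for a vbaProject.bin part and for a macro-enabled content type in the OOXML package. The sample documents are constructed inside the block, and the strip/deliver policy in gateway_decision is hypothetical.

```python
import io
import zipfile

# Content types Office assigns to macro-enabled OOXML documents (assumption: the
# standard values; a real gateway would also handle legacy OLE2 .doc/.xls files).
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)


def has_vba_macro(attachment: bytes) -> bool:
    """True if an OOXML attachment carries a VBA project.

    Two independent signals are checked so that renaming the file
    (.docm saved as .docx) does not evade the control:
      1. a vbaProject.bin part anywhere in the package,
      2. a macro-enabled content type in [Content_Types].xml.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(attachment)) as pkg:
            names = pkg.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                ctypes = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
                return any(ct in ctypes for ct in MACRO_CONTENT_TYPES)
    except zipfile.BadZipFile:
        return False  # not an OOXML package (PDF, OLE2, ...): out of scope here
    return False


def gateway_decision(attachment: bytes) -> str:
    """Hypothetical gateway policy: strip any attachment with a macro, deliver the rest."""
    return "strip" if has_vba_macro(attachment) else "deliver"


def _build_docx(vba_part: bool, macro_ctype: bool) -> bytes:
    """Constructed sample: a minimal OOXML package with or without a VBA project."""
    main_ct = (MACRO_CONTENT_TYPES[0] if macro_ctype else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if vba_part:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed OLE stream")
    return buf.getvalue()


CLEAN_DOC = _build_docx(vba_part=False, macro_ctype=False)
MACRO_DOC = _build_docx(vba_part=True, macro_ctype=True)

if __name__ == "__main__":
    for label, data in (("clean.docx", CLEAN_DOC), ("macro.docx", MACRO_DOC)):
        print(f"{label}: {gateway_decision(data)}")
```

The check deliberately does not trust the file extension: the package structure is what decides. Legacy binary Office formats and encrypted archives need separate handling, which this example does not attempt.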

Page 24: Stage 2: Access Corporate Network
• Antivirus
• IDS/IPS/NAC
• Host-based firewalls
[Diagram: attack path overlay, Stage 2]

Page 25: Stage 3: Theft of User Credentials
• User least privilege
• Password rotation
• Strong credentials
• IDS
• Syslogs
[Diagram: attack path overlay, Stage 3]
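Added example of the IDS/syslog side of the Stage 3 mitigations; it is not code from the presentation. Two detection rules run over constructed syslog-style logon records: one host succeeding as several different accounts in a short window (a harvested credential set being used), and a privileged OT account logging on from a subnet it should never come from. The line format, the account-to-subnet policy and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records (not real data), in a simplified syslog-style format
# that a log forwarder might emit for domain logons (assumption).
SAMPLE_LOGS = """\
2015-12-23T09:02:11 corp-dc1 auth: user=j.smith src=10.20.1.15 result=success
2015-12-23T09:05:40 corp-dc1 auth: user=j.smith src=10.20.1.15 result=success
2015-12-23T14:58:02 corp-dc1 auth: user=j.smith src=10.20.7.99 result=failure
2015-12-23T14:58:10 corp-dc1 auth: user=j.smith src=10.20.7.99 result=success
2015-12-23T14:59:31 corp-dc1 auth: user=ops_vpn src=10.20.7.99 result=success
2015-12-23T15:01:05 corp-dc1 auth: user=scada_admin src=10.20.7.99 result=success
2015-12-23T15:02:48 corp-dc1 auth: user=hmi_operator src=10.20.7.99 result=success
2015-12-23T15:20:00 vpn-gw auth: user=scada_admin src=10.20.7.99 result=success
this line is malformed and must not crash the detector
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Assumed policy: OT accounts may only log on from the control-center subnet.
ALLOWED_SRC = {
    "hmi_operator": [ip_network("10.30.0.0/16")],
    "scada_admin": [ip_network("10.30.0.0/16")],
}


def parse(lines):
    """Turn raw lines into event dicts; unparseable lines are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def detect(events, window=timedelta(minutes=10), max_accounts=3):
    """Return a list of (rule, subject, detail) alerts."""
    alerts = []

    # Rule 1: one source succeeding as >= max_accounts distinct accounts inside
    # `window`. A workstation normally authenticates as one user; a host cycling
    # through harvested credentials does not.
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda ev: ev["ts"])
        for i, first in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(users) >= max_accounts:
                alerts.append(("multi_account_source", src, sorted(users)))
                break

    # Rule 2: a privileged OT account used from outside its permitted subnet,
    # reported once per (account, source) pair.
    seen = set()
    for e in events:
        nets = ALLOWED_SRC.get(e["user"])
        if not nets or e["result"] != "success":
            continue
        if not any(ip_address(e["src"]) in n for n in nets) and (e["user"], e["src"]) not in seen:
            seen.add((e["user"], e["src"]))
            alerts.append(("out_of_zone_logon", e["user"], e["src"]))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect(parse(SAMPLE_LOGS)):
        print(f"ALERT {rule}: {subject} {detail}")
```

Both rules depend on the logs leaving the host: a detector that only reads local event logs is blinded by Stage 8, so the forwarding to a collector outside the attacker's reach is part of the control, not an afterthought.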

Page 26: Stage 4: Create Encrypted Tunnels
• Granular VPN rules
• Multifactor authentication
• Monitoring
[Diagram: attack path overlay, Stage 4]

Page 27: Stage 5: Gain Access to HMIs
• Network segmentation
• Strong firewall rules
• User least privilege
[Diagram: attack path overlay, Stage 5]
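Added example serving the Stage 4 and Stage 5 mitigations (granular VPN rules, multifactor authentication, segmentation, strong firewall rules, least privilege) and the Level 5 perimeter slide; it is not code from the presentation. It contrasts a flat "any account to any SCADA host" rule, the weak setting, with a granular policy that names the account, source, destination, port, MFA requirement and hours, and evaluates constructed sessions against both, including one that models the Stage 4 tunnel built with a stolen password. Accounts, addresses and ports are assumptions.

```python
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network

ANY_NET = [ip_network("0.0.0.0/0")]


@dataclass(frozen=True)
class Session:
    user: str
    src: str      # VPN client address
    dst: str      # host inside the control-system network
    dport: int
    mfa: bool     # second factor presented at VPN logon
    at: time      # local wall-clock time of the connection


@dataclass
class Rule:
    users: set            # {"*"} = any authenticated account
    dst_nets: list
    dports: set           # {0} = any port (convention for this example)
    src_nets: list = field(default_factory=lambda: list(ANY_NET))
    require_mfa: bool = False
    window: tuple = (time(0, 0), time(23, 59, 59))   # permitted hours


def evaluate(policy, s):
    """First rule whose account, source, destination and port match decides the
    session; default is deny. Once a rule matches, its MFA and time conditions
    are enforced rather than falling through to a weaker rule. Returns (allowed, reason)."""
    for r in policy:
        if "*" not in r.users and s.user not in r.users:
            continue
        if not any(ip_address(s.src) in n for n in r.src_nets):
            continue
        if not any(ip_address(s.dst) in n for n in r.dst_nets):
            continue
        if 0 not in r.dports and s.dport not in r.dports:
            continue
        if r.require_mfa and not s.mfa:
            return False, f"{s.user}: MFA required for {s.dst}:{s.dport}"
        start, end = r.window
        if not start <= s.at <= end:
            return False, f"{s.user}: outside allowed window {start}-{end}"
        return True, f"{s.user}: permitted to {s.dst}:{s.dport}"
    return False, f"{s.user}: no rule permits {s.dst}:{s.dport}"


# Weak setting: any corporate account with a valid password reaches every host
# and port behind the VPN. A stolen password is enough.
FLAT_POLICY = [Rule(users={"*"}, dst_nets=ANY_NET, dports={0})]

# Granular setting: named accounts, named destinations, named ports, MFA,
# operator access only during staffed hours (all values assumed for the example).
GRANULAR_POLICY = [
    Rule(users={"hmi_operator"}, src_nets=[ip_network("10.30.5.0/24")],
         dst_nets=[ip_network("10.30.1.0/24")], dports={3389},
         require_mfa=True, window=(time(7, 0), time(19, 0))),
    Rule(users={"scada_admin"}, dst_nets=[ip_network("10.30.1.5/32")], dports={22},
         require_mfa=True),
]

# Constructed sessions. The first models the Stage 4 tunnel: a valid stolen
# scada_admin password, no second factor, bound for an HMI's RDP port.
STOLEN_CREDS = Session("scada_admin", "10.20.7.99", "10.30.1.10", 3389, mfa=False, at=time(15, 30))
OPERATOR = Session("hmi_operator", "10.30.5.12", "10.30.1.10", 3389, mfa=True, at=time(10, 0))
OPERATOR_NO_MFA = Session("hmi_operator", "10.30.5.12", "10.30.1.10", 3389, mfa=False, at=time(10, 0))
OPERATOR_LATE = Session("hmi_operator", "10.30.5.12", "10.30.1.10", 3389, mfa=True, at=time(23, 0))

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("granular", GRANULAR_POLICY)):
        for s in (STOLEN_CREDS, OPERATOR, OPERATOR_NO_MFA, OPERATOR_LATE):
            allowed, reason = evaluate(policy, s)
            print(f"{name:8} {'ALLOW' if allowed else 'DENY '} {reason}")
```

Under the flat policy the stolen-password session is indistinguishable from a legitimate one; under the granular policy it fails on the destination alone, and even a session aimed at the right host would still be stopped by the missing second factor. Every denial carries a reason so the same evaluator feeds the "Monitoring" bullet.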

Page 28: Stage 6: Manipulate Circuit Breakers
• Strong authentication
• Quick isolation
• Incident planning
[Diagram: attack path overlay, Stage 6]

Page 29: Stage 7: Additional Attack Actions
• Firmware validation
• Hardware backups
• Data backups
• Recovery procedures
[Diagram: attack path overlay, Stage 7]
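Added example, not the authors' code, covering the Level 2 "continuously monitor settings and firmware configurations / collect and aggregate alarms" slide and the Stage 7 "firmware validation" mitigation together: a monitor that hashes each device's firmware image, diffs its settings against a baseline, and aggregates the resulting alarms. Device names, settings and firmware bytes are constructed. The baseline is authenticated with an HMAC key so that an attacker who corrupts a device cannot quietly rewrite the baseline to match; that symmetric scheme is an assumption made to keep the example standard-library only, and a production deployment would verify a vendor or asset-owner signature with a public key instead.

```python
import hashlib
import hmac
import json

# Constructed sample firmware images (not real device firmware).
FIRMWARE_GOOD = b"PORTSERVER-FW v2.1.4 " + bytes(range(256))
FIRMWARE_TAMPERED = FIRMWARE_GOOD[:-1] + b"\x00"   # one byte changed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Baseline captured from the engineering workstation at commissioning (assumption).
BASELINE = {
    "portserver-01": {
        "firmware_sha256": sha256_hex(FIRMWARE_GOOD),
        "settings": {"baud": 9600, "protocol": "DNP3", "remote_fw_update": "disabled"},
    },
    "relay-feeder-07": {
        "firmware_sha256": sha256_hex(b"RELAY-FW v4.0.0 constructed"),
        "settings": {"50P1P": 8.0, "51P1P": 2.5, "TRIP_EQ": "50P1 OR 51P1T"},
    },
}

# Key held only by the monitor and the engineering workstation (assumption:
# symmetric HMAC for a stdlib-only demo; use an asymmetric signature in production).
BASELINE_KEY = b"constructed-demo-key-do-not-reuse"


def sign_baseline(baseline: dict, key: bytes) -> str:
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_baseline(baseline: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_baseline(baseline, key), tag)


def check_device(name: str, firmware: bytes, settings: dict, baseline: dict) -> list:
    """Compare one device's live firmware image and settings against the baseline.
    Returns a list of alarm strings (empty when the device matches)."""
    expected = baseline.get(name)
    if expected is None:
        return [f"{name}: no baseline entry (unauthorised device?)"]
    alarms = []
    if not hmac.compare_digest(sha256_hex(firmware), expected["firmware_sha256"]):
        alarms.append(f"{name}: firmware hash mismatch")
    for key, want in expected["settings"].items():
        got = settings.get(key)
        if got != want:
            alarms.append(f"{name}: setting {key} = {got!r}, baseline {want!r}")
    for key in settings.keys() - expected["settings"].keys():
        alarms.append(f"{name}: unexpected setting {key} = {settings[key]!r}")
    return alarms


def poll_all(snapshots: dict, baseline: dict, tag: str, key: bytes) -> list:
    """Aggregate alarms over every polled device. Refuses to run against a
    baseline whose tag does not verify: a corrupted baseline would silently
    accept corrupted firmware."""
    if not verify_baseline(baseline, tag, key):
        return ["baseline: authentication failed, monitoring suspended"]
    alarms = []
    for name, (fw, settings) in snapshots.items():
        alarms.extend(check_device(name, fw, settings, baseline))
    return alarms


# Constructed poll results: the port server has been re-flashed with a modified
# image and had remote firmware update switched on; the relay is untouched.
SNAPSHOT = {
    "portserver-01": (FIRMWARE_TAMPERED,
                      {"baud": 9600, "protocol": "DNP3", "remote_fw_update": "enabled"}),
    "relay-feeder-07": (b"RELAY-FW v4.0.0 constructed",
                        {"50P1P": 8.0, "51P1P": 2.5, "TRIP_EQ": "50P1 OR 51P1T"}),
}
BASELINE_TAG = sign_baseline(BASELINE, BASELINE_KEY)

if __name__ == "__main__":
    for alarm in poll_all(SNAPSHOT, BASELINE, BASELINE_TAG, BASELINE_KEY):
        print("ALARM", alarm)
```

A single alarm list per poll is what the Level 2 slide means by aggregation: the operator sees "port server firmware changed and remote update enabled" as one event, not as two unrelated device logs. The same hash comparison, run against the images in the hardware and data backups, is the Stage 7 firmware validation step before a spare is put back into service.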

Page 30: Stage 8: Destroy Hard Drives
• Antivirus
• Hardware backups
• Data backups
[Diagram: attack path overlay, Stage 8]

Page 31: Ukraine Incident Summary
• Unfortunate event that disrupted numerous households
• No single security or network deficiency allowed malicious actors to achieve their objective
• Determined malicious actors can exploit a system that is not based on defense-in-depth design principles

Page 32: Conclusions
• Use a layered security approach
• Proper cybersecurity includes people, hardware, software, policies, and procedures
• The Ukraine incident encourages all of us to reevaluate the security measures protecting our cyber-based assets

Page 33: Questions