Ukraine: learning from the cyberattack

The cyberattack that led to the power outage in Ukraine in December 2015 underlined how electricity infrastructure is a prime target for attackers. Yet the implications of the attack must be taken seriously by all those responsible for other critical infrastructure such as water, gas, telecoms and transport. In fact, all users of operational technology (OT) are vulnerable, and that includes almost every organisation because OT is more pervasive than many realise and its importance is increasing exponentially with the emerging internet of things (IoT) revolution.

Even if you do not operate critical infrastructure, your business is likely to rely on OT to produce and deliver goods and services (the building management system that keeps your data centre and offices cool, lit and secure is an OT system). That vulnerability means there is a real and urgent need to develop a comprehensive, multi-faceted approach to defending OT.

What questions should you be asking?

The first is: Do you know who is responsible? Do they know they are responsible and what they are responsible for? Time and again we find organisations are not able to answer these questions. Yet proper OT security governance requires clear roles and responsibilities, and those fulfilling the roles must have the necessary knowledge, authority and resources to carry out their responsibilities, and be supported from the very top of the organisation. If not, individuals with security concerns will find themselves unable to act, because of a lack of a sound governance structure and management support.

 THE UKRAINE ATTACK IN FACTS

• Date 23 December 2015.
• 225,000 people were left without power for several hours.
• 17 substations lost power.
• Attacks began six months before the main attack with emails to Ukraine’s power utility containing Microsoft Word documents that, when opened, installed malware.
• The BlackEnergy 3 malware let the hackers gather login details, which allowed them to remotely access vital controls and, ultimately, shut off the power.
• They jammed company phone lines, making it hard for engineers to determine the extent of the blackout.

The next set of critical questions are: do you know what OT you have in your organisation, what is critical for safe and reliable operations, and what would the impact of a security failure be? Do you know what the vulnerabilities are and the current state of security of the OT? In short, organisations must understand the risks they face; without this information, they cannot make rational decisions on what to do and where to focus their efforts.

Then they must check they are capable of dealing with an attack when it happens. That means understanding how likely they are to detect an attack in progress, whether is a deliberate attack from outside or from within the organisation, or an accidental virus infection. The key questions here are: do you have the structure and skills to deal with an incident and how quickly can you recover to run normal operations? To answer these questions, you must have practised dealing with an incident.

All this needs to be underpinned by an understanding that, at some time, you will have an OT security incident. It might be minor and not cause disruption, damage or injuries. But it could be far more serious, and that is the wrong time to be working out what to do and to discover that your backup files are unreadable.

 

Take a structured approach

There are several frameworks that provide a structured, comprehensive approach to answering these questions and improving OT security. The UK’s Centre for the Protection of National Infrastructure (CPNI) Security for Industrial Control Systems (SICS) framework provides an excellent basis to address these issues. It includes advice on governance, people skills and culture, and managing security through the system lifecycle from design to decommissioning. It also sets out how to monitor vulnerabilities, manage third parties and the supply chain, and security incident response.

The benefits of using a framework are that it gives organisations access to the experience and best practice of others and ensures nothing important is overlooked. It also provides the basis for assessing where they are now and where they want to be, so they can design a clear programme that reflects their own starting position.

It also allows them to deal with the full range of vulnerabilities in a coherent way. The Ukrainian attack, had it been envisaged in advance, would probably have been dismissed as so unlikely to happen it could be ignored. Yet, disregarding high-impact but low-probability scenarios is dangerously complacent, underling the need for a comprehensive approach.

SYSTEM BREACH: OTHER NOTABLE ATTACKS

• TalkTalk: 21 October 2015
• 157,000 sets of personal details accessed.
• 15,600 bank details and sort codes stolen.
• lost 101,000 customers and suffered costs of £60 million as a result.
• British Gas: 29 October 2015
• 2,200 customers had their email addresses and passwords posted online.
• British Gas does not think its own systems were breached.
• RWE’s Gundremmingen nuclear plant: 27 April 2016
• Viruses were found on office computers, 18 USB sticks and in a system used to model the movement of nuclear fuel rods.
• RWE said the infection posed no threat to the plant because its control systems were not linked to the internet, so the viruses could not activate.
• Staff found the viruses as they prepared to upgrade the computerised control systems for the plant’s Block B, which was offline undergoing maintenance.
• Among the viruses were two well-known malicious programs – W32.Ramnit and Conficker.

Action is needed now

It is clear that a good OT security programme can help prevent, detect and recover from an attack. If the Ukrainian power grid had better security awareness and training it may have blocked the phishing attack that enabled BlackEnergy to be installed on the corporate network. Good security monitoring should have detected BlackEnergy in the network: it is not a new piece of software. Equally, better segregation of the corporate and OT networks might have stopped the attackers gaining access to the OT systems. Monitoring within the OT may have detected the unauthorised access and the system could have been isolated, preventing the attackers shutting down the substations and loading new firmware on to the protocol converters that disabled remote access for the operators.

The impact of the Ukraine attack was reduced because the power companies were able to restore supply to their customers quickly, but only because they had the ability and manpower to operate the power system manually. However, it is believed they were unable to recover the OT systems quickly and have had to run with manual control for months after the attack.
What happened in Ukraine should serve as a reminder that many organisations are vulnerable to cyber-attacks. However, there are effective frameworks available that can reduce that vulnerability and that enable an organisation’s OT to be defended to more effectively.
What is essential is a clear recognition of the risk, and support from senior leaders to put the right structures and support in place – and to do so now.

Andrew Wadsworth, managing consultant, global energy and utilities, PA Consulting Group

---

Comments

Login on register to comment

Login Register