Industroyer and Lessons for the Enterprise
Last week, security researchers from Dragos and ESET published their analyses of newly discovered malware, deployed to attack portions of the Ukrainian power grid in late 2016. This malware, dubbed “Industroyer” (also “CrashOverride”), was novel because the software was specifically crafted to natively speak the network protocols used by these industrial control systems. It can manipulate the devices directly, causing both power outages and physical damage to the infrastructure.
These capabilities mean that the malware poses a threat not just to the critical infrastructure of Ukraine, researchers say, but to other power grids around the world, including America’s. “This is extremely alarming for the fact that nothing about it is unique to Ukraine. They’ve built a platform to be able to do future attacks,” according to Robert M. Lee, the founder of the security firm Dragos.
Last December a portion of Ukraine’s power grid was taken offline in an attack widely believed, but not proven, to be the work of Russia. Wired reported that:
“Instead of gaining access to the Ukrainian utilities’ networks and manually switching off power to electrical substations, as hackers did in 2015, the 2016 attack was fully automated, the ESET and Dragos researchers say. It was programmed to include the ability to “speak” directly to grid equipment, sending commands in the obscure protocols those controls use to switch the flow of power on and off. That means Crash Override could perform blackout attacks more quickly, with far less preparation, and with far fewer humans managing it, says Dragos’ Rob Lee.”
Fortunately, damage from this particular attack was relatively minor. The malware was apparently delivered via a standard phishing attack, and there was no built-in propagation mechanism. Security researchers theorize that its usage in Ukraine was possibly a test run or practice for a future, larger attack.
The primary enabling factor here is that industrial control systems (ICS, including SCADA) are often fundamentally insecure:
As products of a more innocent time, the major SCADA protocols were never designed for security. “We use the term ‘insecure by design,’” said veteran SCADA security guru Dale Peterson. “You can switch relays on and off without any authentication. Everything an attacker would want is a documented feature of the device”.
Put another way, the ability to send network packets to these systems is itself a privilege, and one that must be controlled by the network, since there is no application-level authentication or authorization. In some ways, this is no different from the ability of unauthenticated attackers to remotely exploit vulnerabilities such as the SMB flaw exploited by WannaCry (MS17-010), Heartbleed, POODLE, or any of the well-known vulnerabilities in enterprise applications.
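To make the “documented feature, no authentication” point concrete, here is an added example (not code from the original article, and not one of the protocols Industroyer itself implemented) using Modbus/TCP, the simplest widely deployed ICS protocol. It builds a “Write Single Coil” request, parses frames, and then runs a small detection over constructed traffic: because the frame has nowhere to carry credentials, the only meaningful control is which hosts are allowed to send write commands. The IP addresses and the allowlist are assumptions for the example.

```python
import struct

# Modbus/TCP function codes that change process state. The frame format
# (MBAP header + PDU) has no authentication field at all: any host that can
# reach TCP/502 on the device can issue these.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

def build_write_single_coil(transaction_id, unit_id, coil_address, on):
    """Build a Modbus/TCP 'Write Single Coil' (FC 5) request.

    MBAP header: transaction id (2), protocol id (2, always 0),
    length (2, bytes that follow incl. unit id), unit id (1).
    PDU: function code (1), coil address (2), 0xFF00 = ON / 0x0000 = OFF (2).
    """
    pdu = struct.pack(">BHH", 5, coil_address, 0xFF00 if on else 0x0000)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu

def build_read_holding_registers(transaction_id, unit_id, start, count):
    """Build a 'Read Holding Registers' (FC 3) request, used as benign traffic."""
    pdu = struct.pack(">BHH", 3, start, count)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu

def parse_frame(frame):
    """Parse the MBAP header and function code; reject malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0 (not Modbus)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction_id": tid, "unit_id": unit,
            "function_code": frame[7], "data": frame[8:]}

def is_write(frame):
    return parse_frame(frame)["function_code"] in WRITE_FUNCTION_CODES

def flag_unauthorized_writes(packets, allowed_writers):
    """Return one alert per write command sent by a host not on the allowlist.

    packets: iterable of (src_ip, dst_ip, frame_bytes). Reads are ignored here;
    a stricter deployment would alert on any talker that is not on the list.
    """
    alerts = []
    for src, dst, frame in packets:
        try:
            info = parse_frame(frame)
        except ValueError:
            continue  # not Modbus, or malformed; out of scope for this check
        fc = info["function_code"]
        if fc in WRITE_FUNCTION_CODES and src not in allowed_writers:
            alerts.append(f"{src} -> {dst}: {WRITE_FUNCTION_CODES[fc]} (FC {fc}) "
                          f"to unit {info['unit_id']} from non-allowlisted host")
    return alerts

# Constructed sample traffic (assumed addresses): an HMI and an engineering
# workstation are the only hosts that should ever write to the RTU at 10.0.2.50.
ALLOWED_WRITERS = {"10.0.1.10", "10.0.1.20"}
SAMPLE_PACKETS = [
    ("10.0.1.10", "10.0.2.50", build_write_single_coil(1, 1, 0x0010, True)),   # HMI, legitimate
    ("10.0.5.77", "10.0.2.50", build_read_holding_registers(2, 1, 0, 10)),    # stray host, read only
    ("10.0.5.77", "10.0.2.50", build_write_single_coil(3, 1, 0x0010, False)), # stray host opens breaker
    ("10.0.5.77", "10.0.2.50", b"\x00\x04\x00\x00\x00\x06\x01\x05\x00\x10"),  # truncated frame
]

if __name__ == "__main__":
    for alert in flag_unauthorized_writes(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print(alert)
```

Note that the attacker’s frame is byte-for-byte as valid as the HMI’s; nothing in the protocol distinguishes them, which is exactly why the allowlist has to live in the network (or a protocol-aware gateway) rather than in the device.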
Treat Enterprise Systems as if they’re as Insecure as SCADA systems
A key takeaway should be that while our enterprise systems and applications aren’t as insecure as these SCADA systems, we should treat them as if they are. That is, we must assume that a malicious actor can easily bypass any application security, and attack our systems simply by being present on the local network segment.
To secure our typical enterprise environments, we must change our approach and ensure that only authorized people can communicate with our applications over the network. This is best accomplished by taking an identity-centric approach to security, which aligns network and application-level enforcement.
This approach, which gives users an automatically created, individualized view of the network – a segment of one – leverages user attributes and expressive policy to precisely control which resources users can access, and under what conditions.
For example, the system may detect if a user’s device is not running anti-virus software, and prevent them from accessing sensitive IT systems. Or, it may detect when they roam from the corporate network to their home network, and prompt for a one-time password prior to permitting access.
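The two conditions above (device not running anti-virus, user roaming off the corporate network) are exactly the kind of thing an attribute-based policy expresses. The following is an added illustration, not the article’s own product or code: a small default-deny policy evaluator whose rules are ordered, where device posture and network location can deny or demand a one-time password before group membership is even considered, and a helper that computes the user’s “segment of one”, the set of resources that are reachable at all in the current context. The attribute names, groups, resources and rules are assumptions chosen for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Request:
    """The attributes the policy engine sees for one access attempt (assumed schema)."""
    user: str
    groups: frozenset
    resource: str
    sensitivity: str          # "low" or "high"
    device_av_running: bool   # endpoint posture reported by the agent
    network: str              # "corporate", "home" or "unknown"
    otp_verified: bool = False

# Rules are evaluated top to bottom; the first match wins and no match means deny.
# Posture and location checks sit above entitlement checks so that a compromised
# or roaming device cannot reach a sensitive system just because the user may.
RULES = [
    {"name": "block-unhealthy-device",
     "when": lambda r: r.sensitivity == "high" and not r.device_av_running,
     "effect": "deny", "reason": "endpoint is not running anti-virus"},
    {"name": "step-up-off-network",
     "when": lambda r: r.sensitivity == "high" and r.network != "corporate"
                       and not r.otp_verified,
     "effect": "step_up", "reason": "one-time password required off the corporate network"},
    {"name": "finance-to-erp",
     "when": lambda r: r.resource == "erp" and "finance" in r.groups,
     "effect": "allow", "reason": "finance group is entitled to ERP"},
    {"name": "everyone-to-wiki",
     "when": lambda r: r.resource == "wiki" and r.sensitivity == "low",
     "effect": "allow", "reason": "low-sensitivity resource open to all users"},
]

def decide(request, rules=RULES):
    """Return the effect ('allow', 'deny' or 'step_up') and the rule that produced it."""
    for rule in rules:
        if rule["when"](request):
            return {"effect": rule["effect"], "rule": rule["name"], "reason": rule["reason"]}
    return {"effect": "deny", "rule": None, "reason": "no rule matched (default deny)"}

# Assumed resource catalog: the network enforcement point consults this to decide
# which destinations to make reachable for a given user session.
CATALOG = {"erp": "high", "hr": "high", "wiki": "low"}

def reachable_resources(base, catalog=CATALOG):
    """The user's 'segment of one': only resources the policy currently allows are
    routed to this session; everything else is simply invisible, which is what
    ties the application-level decision to network-level enforcement."""
    return {name for name, sens in catalog.items()
            if decide(replace(base, resource=name, sensitivity=sens))["effect"] == "allow"}

# Constructed sample sessions for the demo below.
ALICE_AT_OFFICE = Request(user="alice", groups=frozenset({"finance"}), resource="erp",
                          sensitivity="high", device_av_running=True, network="corporate")
ALICE_AT_HOME = replace(ALICE_AT_OFFICE, network="home")
ALICE_NO_AV = replace(ALICE_AT_OFFICE, device_av_running=False)
BOB_AT_OFFICE = replace(ALICE_AT_OFFICE, user="bob", groups=frozenset({"engineering"}))

if __name__ == "__main__":
    for req in (ALICE_AT_OFFICE, ALICE_AT_HOME, ALICE_NO_AV, BOB_AT_OFFICE):
        d = decide(req)
        print(f"{req.user} -> {req.resource} from {req.network}: {d['effect']} ({d['reason']})")
        print(f"  reachable: {sorted(reachable_resources(req))}")
```

The step-up outcome is worth noting: it is neither an allow nor a permanent deny, and the network path to the resource stays closed until the OTP has been verified and the request is re-evaluated with `otp_verified=True`.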
Most of us operate within a security ecosystem that’s less vulnerable than the SCADA systems attacked by Industroyer. But those ecosystems are imperfect, and attackers are well aware of the imperfections. We must better protect our networks, and utilize a modern security platform that’s adaptable, extensible, and relies on automation to meet our speed and scale requirements. Most importantly, because this new approach enforces the principle of least privilege at the network, it helps protect us against both known and unknown vulnerabilities.