It’s 2015, two days before Christmas. A local operator of Prykarpattya Oblenergo, a Ukrainian power plant, discovers someone has taken control of the network. The cursor is moving on the Human Machine Interface (HMI) and is remotely switching off breakers. The operator attempts to regain control of the supervision interface, but gets logged off and is unable to log on again, because the password has been changed.
The attack was well prepared and started approximately eight months earlier with BlackEnergy malware embedded in an Excel file that an employee downloaded. At this stage the hacker managed to breach only one office laptop, but that was enough to gather intelligence about the company’s infrastructure and networks in preparation for the attack.
During the second stage the malware collected data from several hosts, scanned the IT network, detected an open connection from an IT system (office network) to an OT (Industrial Control System) supervision platform and gained access to the OT network. It collected OT component information and installed ready-to-trigger malware components on both the IT and OT systems. Using an exploit, it took advantage of specific vulnerabilities and disabled the gateways, which was part of the next phase: the actual attack.
When the operator triggered the malware on that day in December, pre-installed malware was used to remotely take control of the HMI and turn off most of the grid’s switchgear. To make sure the operator would not be able to take back control, the hacker wiped many disks and overwrote the Ethernet-to-Serial gateway firmware with random code, leaving the devices unrecoverable.
To increase the impact, the hacker launched a Denial-of-Service (DoS) attack on the call center to prevent customers from contacting the distributor. Additionally, the uninterruptible power supply was switched off, cutting the power to the control center itself.
Why firewalls weren’t sufficient
The company used firewalls to secure its systems. Although the setup had been done properly, the hacker was still able to reach the OT network from the IT network by compromising just one laptop on the IT side. Could this have been prevented?
It all started with an employee opening an attachment. It is difficult to prevent people from opening malware-infected emails, particularly when the email looks legitimate. Another action that could have stopped the actual attack was pulling the cable connecting the OT to the IT network. Realistically, untrained operators cannot be expected to take such disruptive actions in a stressful situation. Also, mistakes are then easily made.
However, if the company had had monitoring tools in place, it would have detected during the infection phase that a command and control connection was operational. It would have seen that the connection came from a source outside the network and could have taken countermeasures. Additionally, if a data diode instead of a firewall had been installed between the IT and the OT network, such a command and control connection could not have been established in the first place: the data diode would have prevented any data from being sent from the IT network to the OT network, which in this particular case was done with the intention of compromising the OT network.
Data diode to protect the company’s OT
With a data diode you segregate your OT network from the rest by establishing one-way communication from your OT to your IT. A real data diode is a pure hardware device with no logic and no IP address. If, despite all precautions, an attack does take place, it cannot compromise your OT environment. Because it does not depend on protocols or on people acting correctly under pressure, a data diode can prevent such disasters and keep your critical infrastructure safe.
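The two preceding sections make two concrete claims: that flow monitoring would have exposed the command and control channel during the infection phase, and that a data diode makes any IT-to-OT session physically impossible, so seeing one in flow data is itself a finding. The following script is an added example, not code from the original post or from Fox-IT; it runs a small set of policy checks over constructed flow records and flags IT-to-OT sessions, OT hosts reaching the internet, inbound sessions from outside, and an internal host checking in to the same external address at a regular interval (the shape a C2 beacon usually has). The zone address ranges, the record format and the sample flows are all assumptions made up for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Tuple

# Constructed zone addressing for this example; a real site uses its own ranges.
OT_NET = ipaddress.ip_network("10.10.0.0/16")   # supervision / ICS network
IT_NET = ipaddress.ip_network("10.20.0.0/16")   # office network

BEACON_MIN_FLOWS = 4        # how many repeats before we call it a beacon
BEACON_JITTER_SECONDS = 15  # max spread between intervals still counted as "regular"


@dataclass(frozen=True)
class Flow:
    ts: int      # connection start, seconds since epoch (constructed)
    src: str     # initiating host
    dst: str     # responding host
    dport: int
    proto: str


def zone(ip: str) -> str:
    """Map an IPv4 address to the zone it belongs to."""
    addr = ipaddress.ip_address(ip)
    if addr in OT_NET:
        return "OT"
    if addr in IT_NET:
        return "IT"
    return "EXTERNAL"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<ts> <src> -> <dst>:<dport>/<proto>'."""
    ts, src, _arrow, dst_port_proto = line.split()
    dst, port_proto = dst_port_proto.rsplit(":", 1)
    port, proto = port_proto.split("/")
    return Flow(int(ts), src, dst, int(port), proto)


def analyze_flows(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (finding_kind, detail) pairs for flows that violate the intended
    one-way traffic model or that look like a command and control channel."""
    findings = []
    external_pairs = defaultdict(list)   # (src, dst) -> timestamps of flows to the internet

    for line in lines:
        f = parse_flow(line)
        s, d = zone(f.src), zone(f.dst)

        if s == "IT" and d == "OT":
            # Behind a data diode this direction cannot exist at all; seeing it
            # in flow data means the segregation is not actually one-way.
            findings.append(("IT_TO_OT", line))
        elif s == "OT" and d == "EXTERNAL":
            # OT hosts have no business talking to the internet.
            findings.append(("OT_TO_EXTERNAL", line))
        elif s == "EXTERNAL" and d != "EXTERNAL":
            # An inbound session initiated from outside the company.
            findings.append(("INBOUND_FROM_EXTERNAL", line))

        if s != "EXTERNAL" and d == "EXTERNAL":
            external_pairs[(f.src, f.dst)].append(f.ts)

    # Beacon check: the same internal host contacting the same external address
    # at a near-constant interval is how a C2 check-in typically shows up.
    for (src, dst), stamps in external_pairs.items():
        if len(stamps) < BEACON_MIN_FLOWS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= BEACON_JITTER_SECONDS:
            findings.append(("BEACON",
                             f"{src} -> {dst} every ~{sum(gaps) // len(gaps)}s, {len(stamps)} flows"))
    return findings


# Constructed flow records for the example, not data from the incident.
SAMPLE_FLOWS = [
    "1450850000 10.10.5.20 -> 10.20.1.15:5044/tcp",    # OT -> IT historian export: the allowed direction
    "1450850010 10.20.1.15 -> 10.10.5.20:3389/tcp",    # IT -> OT remote desktop: forbidden direction
    "1450850020 10.10.5.20 -> 203.0.113.9:443/tcp",    # OT host reaching the internet
    "1450850030 198.51.100.7 -> 10.20.1.40:22/tcp",    # inbound session from outside
    "1450850040 10.20.1.40 -> 198.51.100.50:80/tcp",   # ordinary one-off office web request
    "1450850000 10.20.1.15 -> 203.0.113.9:443/tcp",    # office laptop check-in 1
    "1450850300 10.20.1.15 -> 203.0.113.9:443/tcp",    # check-in 2, 300 s later
    "1450850600 10.20.1.15 -> 203.0.113.9:443/tcp",    # check-in 3
    "1450850900 10.20.1.15 -> 203.0.113.9:443/tcp",    # check-in 4: regular interval, flagged as a beacon
]

if __name__ == "__main__":
    for kind, detail in analyze_flows(SAMPLE_FLOWS):
        print(f"{kind:22} {detail}")
```

The single office web request is deliberately not flagged: an IT host talking to the internet is normal, and what distinguishes the laptop in the story is the regularity of its check-ins, not the destination. In a real deployment the flow source would be a firewall, NetFlow or Zeek export rather than a constructed list, and the IT_TO_OT rule is the one to alert on unconditionally, since with a diode in place it should never fire.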
Source: ‘Ukrainian power grids cyberattack’, by Patrice Bock, in collaboration with Jean-Pierre Hauet, Romain Françoise and Robert Foley in InTech, March/April 2017.
More information about Fox-IT’s DataDiode is available on our website.