The Radiflow Security Blog
The Ukraine Power Grid Cyber Attack, Five Years Later: An IEC62443-Based Analysis
By Liron Benbenishti, Cyber Security Researcher at Radiflow
On December 23, 2015, Ukrainian power suppliers experienced unscheduled power outages which impacted a large number of customers in Ukraine. In addition, there were also reports of malware found in Ukrainian companies in a variety of critical infrastructure sectors.
Ultimately, the Ukrainian outages, which lasted several hours, affected up to 225,000 customers in three different distribution-level service territories.
In this post I’d like to analyze the attack using the ISA/IEC 62443-3-3 standard, which determines the actual security levels and evaluates the required security level that could have prevented the attack.
Analysis of the Attack
- Initial access of the IT network took place using spear phishing-emails: the adversary delivered a targeted email with a malicious attachment that appeared to be sent from a trusted source to specific individuals within the organizations.
- Reconnaissance on the IT and OT networks and systems using the BlackEnergy malware, which was remotely controlled to collect data over a period of several months.
- The attack propagated from the business network into the SCADA networks, which allowed the attackers to gain control over the power grid. The attackers gained remote access to the HMI which allowed them to remotely switch off breakers.
- The attackers reconfigured the UPS devices responsible for providing backup power.
- Finally, the attackers overwrote the firmware on some of the substation converters with malicious firmware.
- The attackers also launched a denial-of-service attack against customer call centers to prevent customers from calling in to report the outage.
How can the IEC 62443 standard help us estimate the SL-A?
IEC 62443 is the most commonly-used international standard for cybersecurity in Industrial Control Systems (ICS). It provides a systematic and practical approach to cybersecurity for industrial systems. Every stage and aspect of industrial cybersecurity is covered, from risk assessment through operations.
ISA/IEC 62443-3-3 lists 51 system requirements (SRs) structured in seven foundational requirements (FRs). Each SR may be reinforced by one or more requirement enhancements (REs) that are selected based on the targeted security levels (SL-Ts), as follows:
- For each SR, verifying that the basic requirement and possible enhancements are met
- For each FR, the SL-A denotes the maximum security level common on all SRs in the FR.
- Each FR makes up a group of security requirements in the same domain:
- FR1 – Identification and Authentication Control
- FR2 – Use Control
- FR3 – System Integrity
- FR4 – Data Confidentiality
- FR5 – Restricted Data Flow
- FR6 – Timely Response to Events
- FR7 – Resource Availability
Thus, the overall SL-A evaluation denotes the maximum common security levels achieved on all FRs.
Evaluation of the SL-A
The Ukraine distribution network had several cybersecurity issues:
- Lack of IT network supervision, which allowed extensive network scans, vulnerability searches, and discovery of the allowed SSH link.
- Lack of strong authentication (2FA) or local (OT) approval of remote connections made it possible to frequently connect from the IT network to the OT network. This went on, undetected, for several months.
- Lack of OT network intrusion detection allowed extensive OT network scans, vulnerability detection.
The following table (From ISA) represents the overall estimation of the seven FRs:
Which SL would have been required to prevent the attack?
Setting the SL-T at level 2 would have been enough to detect and prevent the attack with additional security controls such as strong/local authentication, anti-malware.
To summarize the takeaways of this cyberattack using IEC 62443-3-3 guidance:
- Power distribution utilities should aim for SL-T=2; but should also have several layers of defense, prevention, detection, and time for reactions in anticipation of the most sophisticated attacks.
- It is best to aim for SL-T=3 since state-sponsored actors, normally aim for SL-T=3 or even 4 in their attacks.
- Do not aim for SL-T=2 or 3 on some FRs if the SL-A is still zero on other FRs, as this would likely be useless.
The most important step in cybersecurity is the implementation of best practices for information resources management:
- Properly segment networks
- Ensure logging is enabled on devices
- Limit Remote Access
- Prioritize and patch known vulnerabilities
- Plan and train to incident response plans
- Implement Application whitelisting
- Configure updated rules in the intrusion detection system
Additional information about using YARA signatures can be found in the May/June 2015 ICS-CERT Monitor available at https://ics-cert.us-cert.gov/monitors/ICS-MM201506.
Credits: ISA, US-CERT, SANS, Patrice Bock, with the participation of Jean-Pierre Hauet, Romain Françoise, and Robert Foley