FBI, DHS Debrief on Ukraine Grid Cyber Attack - 5 Things to Know

April 15, 2016

**FBI and Dept. of Homeland Security (DHS) touring U.S.
**Briefing follows 3-month investigation of cyber attacks on Ukraine power grid
**What it means for all industries relying on control systems

The FBI and DHS have taken an unprecedented step by conducting closed door, unclassified briefings in multiple cities around the U.S. about the attacks on the Ukraine power grid. This may be one of the more important briefings industry executives, senior operations managers and cyber security experts should attend this month (learn more at DHS). If you are unable to attend, this update provides senior leaders five key take aways and suggested actions.

As MSi was one of the first to report this January, a portion of the Ukraine power grid was taken off-line from a sustained cyber attack in late December 2015. Attackers compromised three different power companies, took command of their key control systems and took 50 substations off-line impacting over 225,000 customers. The power companies are still struggling months later to resume normal operations.

5 Things To Know: According to DHS and the FBI:

1. The Ukraine may seem like a far away place. The FBI and DHS are making it clear this could happen in the U.S.

2. While the attacks were sophisticated and well executed, the investigation reveals the campaign did not require state actor level of sophistication and it appears attackers only had moderate production control network knowledge. Attribution was not a focus of the briefings. Many open source attack tools are available on the Internet and attackers used legitimate (yet stolen) credentials. MSi believes carrying out this kind of attack ranks a 6 on a difficulty and capabilities scale of 1-10 (10 being most difficult and highest capabilities.)

3. Victim companies had various security systems, equipment, control and safety systems in place that are common in many western countries. These systems did not detect or stop the attack. What saved the day is the Ukraine relies far less on automated control for recovery and deployed manual recovery crews to affected sites to reset the breakers.

4. As a result of 1, 2 and 3, this kind of attack is not isolated to utilities. All companies relying on control systems connected to key equipment and networked (even if behind firewalls and segmented networks) could be compromised and cause operational loss and physical damage.

5. The attackers studied their targets for months and are believed to have gained access via email phishing (could not be definitely corroborated). Once inside the network, the attackers:

• remotely stole credentials from authorized users
• took command of the control systems (HMI)
• locked operators out of the systems
• remotely took 50 substations off-line within minutes by opening protective relays turning off power to the grid
• wiped clean many of the control system computers
• re-flashed firmware on the controllers
• corrupted firmware on serial to ethernet converters in the substations requiring full replacement of devices, and
• launched a denial of service attack against victim phone systems to hamper response and recovery.

The attacks began at 2:30 PM and were effectively over by 6:00 PM at three separate companies.

The last phases of the attack, including changing passwords on HMI servers, corrupting firmware of the converters, re-flashing firmware on controllers and routers and wiping drives from target systems using KillDisk have hindered recovery keeping victim companies operating in constrained conditions for the past several months.

The Ukraine may seem far away, but it is a member of NATO. Control, security and safety systems used in the Ukraine rely on the same devices, computers firmware and software as the U.S.

Attackers followed a typical IT and ICS kill chain approach going through the enterprise network into the production control network and all the way down to level 0 to do physical damage.

DHS has made a number of recommendations to mitigate this kind of attack:

• Contingency planning for when the ICS is operating AGAINST safe operation
• Limiting remote access
• Network and credential monitoring (in both enterprise and production control networks)
• Multi factor authentication
• Firmware driver signing
• Network architecture documentation and planning
• Application whitelisting
• Backdoor detection and alerting and
• Contingency planning for denial of service.

Mission Secure adds:

• An in-depth vulnerability assessment, security architecture review and PEN testing of your enterprise network to assess the ability of an adversary to gain access to your control network

• An in-depth assessment of the key assets in your production control networks, determining what an attacker would and could attack and remediation recommendations

• Implement a system to monitor critical control system elements and production processes, notify operators of an attack, collect key data for post attack forensic analysis and take corrective action during an attack - an MSi Secure Sentinel.