Defending the Grid Against Cyber Sabotage
- October 12, 2018
Threats to utility networks have never been greater than they are today.
Between the rise in state-sponsored intrusions of the US power grid, which the Department of Homeland Security has been warning about for some time, and an increase in highly sophisticated malware capable of hijacking key equipment inside supervisory control and data acquisition (SCADA) systems and industrial control systems (ICS), the potential risks are now very high.
In recent years, DHS has issued multiple advisories on Russian-backed efforts to breach electric utility control rooms, including attacks that jump the air gap. It has also been alerting utilities to ongoing malware and intrusion campaigns by countries like Iran and North Korea. Malware infections at utilities have been increasing, and although these have mostly been limited to the front-office networks, advanced malware will use that as the starting point to spread into the ICS. Serious and critical vulnerabilities are now regularly announced for ICS devices and equipment.
What this all adds up to is a growing threatscape for utilities, largely fueled by geopolitics.
As more nation-states adversarial to US interests, including Russia, China, Iran, and North Korea, invest in cyber offensive capabilities, electric utilities are increasingly finding themselves on the front line of cyber espionage and warfare.
At the same time the threat is increasing for utilities, their security posture has remained largely static and insufficient. Utilities have continued to rely upon detection-based security models (antivirus, firewalls, intrusion detection systems, etc.), which are susceptible to workarounds by advanced methods of attack and are often unable to combat an attacker once he or she gets inside the network. Vulnerabilities are also widespread within the firmware of common ICS equipment, so any successful breach by a hacker could have dramatic consequences. In many cases, these vulnerabilities are publicly known and documented for years before a utility is able to address them, making it relatively cheap and easy for a sophisticated hacker to exploit them. The ICS environment is also difficult and time-consuming to patch, further complicating matters.
DARPA has been involved in a new effort to build greater resiliency into the US power grid, so that utilities can restart operations immediately following a catastrophic cyber attack. Known as the RADICS program (Rapid Attack Detection, Isolation and Characterization Systems), the goal of this experimental program is to “enable black start recovery of the power grid amidst a cyber-attack on the U.S. energy sector’s critical infrastructure.”
But there is also another effort underway.
A new technology is able to “immunize” embedded devices at the firmware level in order to make the devices invulnerable to hijacking. This technology is plotting a new course for utilities, creating a robust last line of defense capable of killing off attacks at their most crucial stage. By deploying this new defensive technology, known as “Symbiote Defense,” a hacker could breach a utility network, ship malware to critical devices like RTUs, but be thwarted at the very last stage of the attack because the RTU would be unable to comply with the hacker’s malicious command.
This would enable utilities to block the most serious attacks they might face: operational disruptions and equipment damage.
What makes a cyber sabotage attack possible is the inherent insecurity of ICS equipment.
Firmware-level vulnerabilities are common in the ICS environment. Through our research, we discovered hundreds of n-days, ranging from low to high severity (CVSS severity score of 7/10 or higher), within the ICS firmware of leading device manufacturers. Some of the n-days we found were over two years old.
Vulnerable ICS equipment is a significant risk for the utility, as an attacker could exploit this weakness (by using malware, remote shells, malicious firmware updates, or other methods) to take control of the device. For example, the Crash Override malware which triggered a widespread power outage in Ukraine in 2016 exploited a denial-of-service vulnerability (CVE-2015-5374) in Siemens SIPROTEC relays. Another malware used in the same attack, known as BlackEnergy, also exploited specific types of HMI applications including Siemens SIMATIC, GE CIMPLICITY and Advantech WebAccess.
Other types of malware have been used in real-world attacks on industrial control systems, ranging from nuclear plants to oil and gas facilities. They include Triton, Havex, BlackEnergy and Stuxnet. In fact, hackers used the Triton malware in 2017 in an attempt to trigger an explosion at a petrochemical facility in Saudi Arabia.
ICS Vulnerabilities Pose Unique Challenges
These same ICS vulnerabilities can also be difficult for the utility to mitigate. Utility operators face several obstacles to maintaining adequate security standards within the critical ICS environment:
-- ICS systems must always be available.
-- Each utility often has its own configuration with little standardization across the industry. This means that patches must be done manually and through a proprietary process, which differs for each utility. This makes fast, sector-wide patches difficult to carry out.
-- ICS products are used in multiple industries, and a security alert in one sector does not necessarily result in an issued patch in the utility sector.
-- ICS systems and devices are often deployed for a decade or more, and may exceed their initial support period. Vendors may also be disincentivized from continuing to support older products in order to encourage customers to buy new products.
Changing the Security Approach
Due to the pervasive insecurity of devices in the ICS environment, it is necessary for utility operators to go beyond air-gaps and obsolete network-based detectors.
What is needed most of all, particularly in light of new developments in advanced malware techniques, is a line of defense in every embedded controller: a device-based immunity system which can prevent malicious commands from ever being executed at the local device level (e.g., RTUs), even if all other elements of the utility’s cybersecurity program have failed.
To achieve this type of independent, device-based defense, a special cybersecurity technology must be injected directly into the device’s firmware that will constantly ensure the integrity of its code. This is the only effective way to keep all authorized software running on the system and prevent unauthorized code or commands from executing. By ensuring code integrity, the firmware is unable to execute commands (like “open all circuit breakers in an infinite loop,” as in the Ukraine outage) which run contrary to the device’s normal and intended operations. Therefore, even if the device is infected with malware or remotely accessed by a hacker, the attacker won’t be able to actually sabotage it. The locally based defense will cut off the attack right at the most crucial moment.
The US government has funded the research and development of just this type of technology called Symbiote Defense. This new methodology is highly significant for utilities. Because the attacker’s tools and techniques are constantly changing and evolving, standard network-based detectors will regularly struggle to keep up — and doing so will require frequent software updates. But the ICS environment is a difficult environment in which to run regular, or even infrequent, updates. This is especially true for air-gapped equipment. However, with Symbiote’s device-based code integrity defense, utility operators can enable constant real-time assurance of the critical endpoints in the ICS environment, and they do not have to worry about software updates. Symbiote is injected once into the device and remains effective until the device’s end of life, without any need for software updates. This also makes it an effective security tool for legacy equipment and older networks.
More specifics on the Symbiote technology:
- Continuously ensures that the code and data of the host device are untampered and never modified without permission.
- Starts protecting the host the instant the host is turned on, and will detect any unauthorized attempts to modify the firmware’s code or data within a fraction of a second, regardless of whether the device is in sleep mode or busy servicing requests.
- Offers real-time, continuous integrity attestation, rather than just load-time integrity verification.
- Does not require modifications to the source code of the device, or additional hardware resources.
- Does not affect the functionality, performance or speed of the device it is protecting.
- Legacy/active device populations can be updated using pre-existing vendor OTA firmware update processes.
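To make the load-time versus runtime distinction above concrete, here is an added example in C; it is not Symbiote’s code and makes no claim about its internals. A simulated monitor records a digest of a constructed firmware code region at boot and re-verifies it on a periodic tick, so a byte overwritten after load is caught at the next tick, whereas a boot-only check would have passed. The region contents, the FNV-1a digest and the function names are illustrative assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the firmware code region the monitor protects. */
#define CODE_LEN 64
static uint8_t firmware_code[CODE_LEN];

/* FNV-1a 64-bit digest of the region. Illustrative only: a real monitor
 * would use a keyed or cryptographic hash so the reference cannot be forged. */
static uint64_t region_digest(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

static uint64_t reference_digest;  /* golden value captured at boot */

/* Load-time step: record the digest once, when the device powers on. */
void monitor_boot(void) {
    reference_digest = region_digest(firmware_code, CODE_LEN);
}

/* Runtime step: re-verify from a periodic tick that runs regardless of
 * what the host firmware is busy doing. Returns false on a mismatch. */
bool monitor_tick(void) {
    return region_digest(firmware_code, CODE_LEN) == reference_digest;
}

/* Scenario: boot clean, then (optionally) overwrite one code byte at
 * tamper_tick, as a post-load modification would. Returns the tick at
 * which the monitor first flagged the region, or -1 if it never did.
 * A load-time-only check corresponds to looking at tick 0 alone. */
int run_scenario(int tamper_tick) {
    memset(firmware_code, 0x90, CODE_LEN);  /* constructed code bytes */
    monitor_boot();
    for (int tick = 0; tick < 10; tick++) {
        if (tick == tamper_tick) firmware_code[17] = 0xEB;
        if (!monitor_tick()) return tick;
    }
    return -1;
}
```

With a tamper at tick 4, the boot check at tick 0 passes and the modification is flagged at tick 4; with no tamper the monitor never fires.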
By deploying this technology within all of the core components of the SCADA or ICS system, utility operators can ensure that cyber sabotage attacks will be prevented.
Given the evolving nature of cyber threats to electric utilities, it is essential for operators to establish a robust layered defense which is able to counter these attacks at multiple stages: from initial breach prevention to post-breach containment and, as a last resort, anti-sabotage defense at the local ICS device level. Sophisticated hacking groups are emerging across the spectrum, including nation-states, terrorist groups, hacktivists and organized crime. We have reached a point where many tools, exploits and malware kits already exist that are capable of targeting a utility’s network. Utilities must do all they can now to anticipate these advanced persistent threats in the coming years.