Copyright © SEL 2016
Ukraine Cyber-Induced Power Outage: Analysis and Practical Mitigation Strategies
David E. Whitehead, Kevin Owens, Dennis Gammel, and Jess Smith
Schweitzer Engineering Laboratories, Inc.
Cyber Attack on the Ukrainian Power Grid – December 23, 2015
• Targeted more than 50 substations
• Left 225,000 customers without power for up to 6 hours
[Map: affected regions labeled Kyiv, Prykarpattia, and Chernivtsi]
Ukraine Distribution Cyber System Overview
[Diagram: control center (corporate network, call center, backup UPSs, two HMIs, SCADA network) connected to a substation (port server, radio, overcurrent relay)]
Stage 1: Spear Phishing – March 2015
Opening an attachment with a macro installs BlackEnergy3
[Diagram: system overview with malicious actor(s) and an encrypted tunnel shown]
Stage 2: Access Corporate Network
Malware provides initial backdoor access
[Diagram: system overview with malicious actor(s) and an encrypted tunnel shown]
Stage 3: Theft of User Credentials
Active Directory® credentials obtained
[Diagram: system overview with malicious actor(s) and an encrypted tunnel shown]
Stage 4: Create Encrypted Tunnels
Encrypted tunnel to the control center networks
[Diagram: system overview with malicious actor(s) and an encrypted tunnel shown]
Stage 5: Gain Access to HMIs
Accessed HMI computers in control center
[Diagram: system overview with malicious actor(s) and an encrypted tunnel shown]
Stage 6: Manipulate Circuit Breakers – Attack Occurs on Dec 23, 2015 @ 3:30 PM
HMI used to manually open breakers
[Diagram: system overview with malicious actor(s) and an encrypted tunnel shown]
Stage 7: Additional Attack Actions
• Attacked call centers
• Switched off UPSs
• Corrupted RTU HMI firmware
• Corrupted port server firmware
[Diagram: system overview with malicious actor(s) and an encrypted tunnel shown]
Stage 8: Destroy Hard Drives
Used KillDisk malware to corrupt hard drives
[Diagram: system overview with malicious actor(s) and an encrypted tunnel shown]
Power Restored Within Six Hours!
System operated manually
[Diagram: system overview with malicious actor(s) and an encrypted tunnel shown]
SCADA Systems Are Still Operating in a Degraded State
• Still replacing corrupted equipment
• Enhancing network security
• According to ICS-CERT: adversary most likely still present; other sectors are probably vulnerable
Creating a Robust Control System Architecture
• Identify risk
• Create a defense-in-depth model
• Implement effective controls
[Diagram: the seven security levels between the enterprise network and the physical process, annotated DIGITAL/ANALOG, IT/OT, and H2M/M2M]
Level 6: People
Level 5: Perimeter
Level 4: SCADA
Level 3: Access
Level 2: Automation
Level 1: Protection
Level 0: Physical
Level 0: Physical – Measures and Operates
• Typically no digital communication
• Limit physical access
[Diagram: seven-level model (Level 6 People through Level 0 Physical) over a substation network: firewall/VPN, TDM, switches, HMI PC, PLC, relays, serial radio, port server, meter, firewall, and breaker (52)]
Level 1: Protection – Isolates and Clears Faults
• Limit direct user interaction
• Monitor internal diagnostics
• Monitor alarms
[Diagram: seven-level security model over the substation network]
Level 2: Automation – Protection and Control
• Continuously monitor settings and firmware configurations
• Collect and aggregate alarms
[Diagram: seven-level security model over the substation network]
Level 3: Access – Segregates H2M From M2M
• Separate, restrict, and filter H2M from M2M
• Authorization, authentication, and accountability
[Diagram: seven-level security model over the substation network]
Level 4: SCADA – Interfaces With Control System
• Integrate traditional IT controls
• Monitor networks with IDS/IPS/NAC
[Diagram: seven-level security model over the substation network]
Level 5: Perimeter – Isolates Control System
• Implement multifactor authentication
• Segment network
NEVER connect your ICS to the Internet!
[Diagram: seven-level security model over the substation network]
Level 6: People – Policies, Procedures, Training
• Apply least privilege
• Create awareness
• Develop and exercise contingency plans
[Diagram: seven-level security model over the substation network]
Comparing Ukraine System and Security Model
[Diagram: Ukraine distribution system overview (control center with corporate network, call center, backup UPSs, HMIs, SCADA network; substation with port server, radio, overcurrent relay) beside the seven-level security model (firewall/VPN, TDM, switches, HMI PC, PLC, relays, serial radio, port server, meter, firewall, breaker 52)]
Stage 1: Spear Phishing
• Training
• Email security controls: remove attachments, scan attachments
[Diagram: system overview with malicious actor(s) and an encrypted tunnel shown]
Stage 2: Access Corporate Network
• Antivirus
• IDS/IPS/NAC
• Host-based firewalls
[Diagram: system overview with malicious actor(s) and an encrypted tunnel shown]
Stage 3: Theft of User Credentials
• User least privilege
• Password rotation
• Strong credentials
• IDS
• Syslogs
[Diagram: system overview with malicious actor(s) and an encrypted tunnel shown]
Stage 4: Create Encrypted Tunnels
• Granular VPN rules
• Multifactor authentication
• Monitoring
[Diagram: system overview with malicious actor(s) and an encrypted tunnel shown]
Stage 5: Gain Access to HMIs
• Network segmentation
• Strong firewall rules
• User least privilege
[Diagram: system overview with malicious actor(s) and an encrypted tunnel shown]
Stage 6: Manipulate Circuit Breakers
• Strong authentication
• Quick isolation
• Incident planning
[Diagram: system overview with malicious actor(s) and an encrypted tunnel shown]
Stage 7: Additional Attack Actions
• Firmware validation
• Hardware backups
• Data backups
• Recovery procedures
[Diagram: system overview with malicious actor(s) and an encrypted tunnel shown]
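Added example (not from the SEL presentation): a Python baseline-drift check of the kind the "firmware validation" mitigation for this stage and the Level 2 "continuously monitor settings and firmware configurations" / "collect and aggregate alarms" controls call for. All device names, firmware versions, setting names and poll results are constructed; the digests are computed from those constructed values.

```python
"""Baseline-drift check for substation device firmware and settings (added example,
not from the SEL presentation; all device names, versions and settings are constructed)."""
import hashlib
import json

def settings_digest(settings: dict) -> str:
    """Hash settings in canonical form so that key order alone never looks like a change."""
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

# Constructed golden records taken at commissioning: known-good firmware
# version and settings for each relay, port server and RTU HMI.
GOLDEN = {
    "relay-feeder-12": {"firmware": "R310",
                        "settings": {"phase_oc_pickup_A": 6.0, "time_dial": 2.5, "oc_enabled": True}},
    "port-server-01": {"firmware": "4.0.3",
                       "settings": {"port1_baud": 9600, "telnet": "off"}},
    "rtu-hmi-01": {"firmware": "2.1.7", "settings": {"auto_logout_min": 10}},
}
BASELINE = {name: {"firmware": g["firmware"], "settings_sha256": settings_digest(g["settings"])}
            for name, g in GOLDEN.items()}

def check_device(name: str, reported_firmware: str, reported_settings: dict) -> list:
    """Return alarm strings for one polled device; an empty list means it matches the baseline."""
    expected = BASELINE.get(name)
    if expected is None:
        return [f"{name}: not in baseline (unknown or rogue device)"]
    alarms = []
    if reported_firmware != expected["firmware"]:
        alarms.append(f"{name}: firmware {reported_firmware!r} differs from baseline {expected['firmware']!r}")
    if settings_digest(reported_settings) != expected["settings_sha256"]:
        alarms.append(f"{name}: settings digest differs from baseline")
    return alarms

def aggregate_alarms(reports: list) -> list:
    """Collect alarms across all device reports (the Level 2 'collect and aggregate alarms' step)."""
    alarms = []
    for r in reports:
        alarms.extend(check_device(r["device"], r["firmware"], r["settings"]))
    return alarms

# Constructed poll results: one clean device, one whose firmware was replaced,
# one whose overcurrent pickup was silently raised, and one nobody commissioned.
SAMPLE_REPORTS = [
    {"device": "rtu-hmi-01", "firmware": "2.1.7", "settings": {"auto_logout_min": 10}},
    {"device": "port-server-01", "firmware": "0.0.0", "settings": {"telnet": "off", "port1_baud": 9600}},
    {"device": "relay-feeder-12", "firmware": "R310",
     "settings": {"phase_oc_pickup_A": 12.0, "time_dial": 2.5, "oc_enabled": True}},
    {"device": "relay-feeder-99", "firmware": "R310", "settings": {}},
]

if __name__ == "__main__":
    for alarm in aggregate_alarms(SAMPLE_REPORTS):
        print("ALARM", alarm)
```

The port-server report lists its settings in a different key order than the golden record yet raises only the firmware alarm, which is why the digest is taken over a canonical serialization rather than the raw settings text.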
Stage 8: Destroy Hard Drives
• Antivirus
• Hardware backups
• Data backups
[Diagram: system overview with malicious actor(s) and an encrypted tunnel shown]
Ukraine Incident Summary
• Unfortunate event that disrupted numerous households
• No single security or network deficiency allowed malicious actors to achieve their objective
• Determined malicious actors can exploit a system that is not based on defense-in-depth design principles
Conclusions
• Use a layered security approach
• Proper cybersecurity includes people, hardware, software, policies, and procedures
• The Ukraine incident encourages all of us to reevaluate the security measures protecting our cyber-based assets
Questions