When reports of a December 23, 2015 Ukrainian power outage linked to a coordinated malware attack first began to surface, I was skeptical. I'd previously written about vulnerabilities inherent in the US electric grid but had cautioned against overstating the risks in public forums that served only to elicit fears of doomsday scenarios involving widespread and extended power outages. My initial thought was that this latest reporting was more of the same. Unfortunately, it pretty quickly became apparent that this time was different.
My colleagues in the SANS ICS team have been all over this event and have written a number of excellent blogs covering the technical details that are currently known. While the specifics of the attack and the role malware played in the outage are still being determined, emerging details are linking the early stages of the attack to a spear phishing campaign that delivered a new variant of the BlackEnergy malware. Truly islanded systems are the exception and most ICS networks have some connectivity to other networks. Even networks isolated under multiple layers of firewalls aren't risk-free and malware can propagate to protected networks through various means.
That's why it is so important that we prevent the initial exposure. Spear phishing continues to be the vector of choice for would-be attackers because it just keeps on working and provides pathways that give an attacker the opportunity to invade the network, establish command and control, and map out an attack. Any one of us can fall victim to a spear phishing attack and anyone who says "not me" is fooling themselves. Still, there are some things that we can do to reduce the likelihood of falling prey:
- Stop oversharing! Personal and work-related information shared on social media provides a wealth of information for building a campaign. Be selective about what you share and update your security settings to limit the people with the ability to view your information.
- Avoid opening attachments or clicking on links in emails you weren't expecting. The boss doesn't normally send you salary information for your entire department - what makes you think he decided to do that today?
- Report any suspected emails to your IT security group for validation.
- Follow your gut — if something seems fishy it probably is. It's better to be safe than sorry.
If you are a leader in your organization, implement a security awareness program that includes phishing training and simulation testing. Getting people knowledgeable enough to be suspicious can go a long way. Also, consider the latest email security technologies that incorporate anti-phishing techniques, such as Sender Policy Framework (SPF), which detects email spoofing, and URL blocking for known phishing sources. Finally, consider specialized security awareness training for utilities, such as SANS STH.Engineer and SANS STH.CIP awareness training.
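For the IT security group validating a reported email, the sketch below shows how the SPF verdict and URL blocking mentioned above can be checked on a single message. It is an added example, not code from the original post or from SANS; the sample message, all domains and the blocklist are constructed, and `triage` and `domain_of` are hypothetical helper names.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed blocklist of known phishing hosts (placeholder domain).
BLOCKED_HOSTS = {"login-portal.example.net"}

# Constructed sample message, with headers as a receiving gateway would stamp them.
SAMPLE = """\
Return-Path: <bounce@mailer.example.org>
Authentication-Results: mx.utility.example; spf=softfail smtp.mailfrom=mailer.example.org
From: "Payroll" <payroll@utility.example>
To: operator@utility.example
Subject: Department salary review
Content-Type: text/plain

Please review: http://login-portal.example.net/salary.xls
"""

def domain_of(addr_header):
    """Lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(addr_header or "")[1]
    return addr.rpartition("@")[2].lower()

def triage(raw):
    """Return the reasons this message deserves analyst attention."""
    msg = message_from_string(raw)
    reasons = []
    # SPF verdict recorded by the receiving gateway in Authentication-Results.
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    spf = m.group(1).lower() if m else "none"
    if spf != "pass":
        reasons.append(f"spf={spf}")
    # SPF validates the envelope sender (Return-Path), not the From: line
    # the recipient sees, so a mismatch is a signal worth a second look.
    if domain_of(msg["From"]) != domain_of(msg["Return-Path"]):
        reasons.append("from/return-path domain mismatch")
    # URL blocking: compare each link's host with the blocklist.
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        host = (urlsplit(url).hostname or "").lower()
        if host in BLOCKED_HOSTS:
            reasons.append(f"blocked host {host}")
    return reasons

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A domain mismatch alone is common with legitimate bulk-mail services, so treat the reasons as triage signals to weigh together, not as a verdict.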
The SANS ICS team is continuing work to better understand the Ukrainian event and to identify lessons that the ICS community (especially those involved in supporting systems that monitor and control the electric grid) can apply to better protect our systems. The sky is not falling, but clearly the threat landscape has changed and this event could be a game changer. For all the latest updates on Ukraine and to participate in other ICS-related discussions, consider subscribing to the SANS ICS Community at https://lists.sans.org/mailman/listinfo/ics-community
BIO: Ted Gutierrez, CISSP, GICSP, and GCIH, is the ICS & NERC CIP Product Manager at the SANS Institute. Ted was formerly the Director of Operations Technology & NERC Compliance at Northern Indiana Public Service Company (NIPSCO) where he was responsible for compliance to NERC 693 and CIP standards and the support of the related operations technology systems. Ted has over twenty-five years of experience working in the electric utility, information technology and manufacturing industries.