New malware can attack power grids, says ESET

Researchers at security company ESET have discovered malware that could have done exactly what happened to Ukraine's power grid in December 2016, when the capital Kiev was deprived of power for an hour.

ESET has named the malware Industroyer but cautions that there is no confirmation that it was really used in the attack. Despite this, some journalists have jumped the gun and concluded that Industroyer was behind the Ukraine outage.

The Ukraine incident occurred on 17 December. A previous attack in 2015, also in December, knocked out the power in about 250,000 houses in various regions of Ukraine.

The researchers said the malware was capable of controlling electricity substation switches and circuit breakers directly, using global industrial communications protocols which are used in critical infrastructure systems.

"These switches and circuit breakers are digital equivalents of analogue switches; technically they can be engineered to perform various functions," the ESET researchers wrote.

"Thus, the potential impact may range from simply turning off power distribution, cascading failures and more serious damage to equipment. The severity may also vary from one substation to another, as well. Needless to say, disruption of such systems can directly or indirectly affect the functioning of vital services."

They said Industroyer used the protocols exactly as they were meant to be used. The protocols date from an era when industrial systems were meant to be separated from the outside world, and they were created without security in mind. "That means that the attackers didn’t need to be looking for protocol vulnerabilities; all they needed was to teach the malware 'to speak' those protocols," ESET said.

Industroyer uses a backdoor to manage the attack. Once installed, the backdoor controls the other components of the malware and connects to a control server, both to report and to receive instructions.

Its four payloads can gain direct control of switches and circuit breakers at an electricity distribution substation.

The ESET team said that because of its ability to persist in the system and provide information for tuning the configurable payloads, attackers could adapt the malware to any environment, which made it extremely dangerous.

Commenting on the malware, John Chirhart, federal technical director at security firm Tenable, said: "With all of the buzz around Industroyer being 'the next Stuxnet', you’d think it was one of the most sophisticated threats out there, but with no zero-days in the Industroyer payload, the significance of this malware as a stand-alone event is small.

"Security for critical infrastructure assets like industrial control systems is important, but we need to remember that malware like Industroyer, or WannaCry, represent the new normal of today’s fast-paced security environment and require a different approach. There’s no way to be strategic about your security if you’re always reacting to the threat of the day."

Chirhart said as cloud and the IoT blurred the distinction between operational technology like ICS/SCADA and information technology like laptops and mobile devices, "most security vendors have failed to innovate at the rate of change, so the convergence of modern IT and OT computing assets is leaving customers struggling to discover and secure all of the devices on their networks".

"Single use 'best-of-breed' security products are no longer enough. CISOs need a unified view from a single platform that can draw on active, passive and agent scanning to see everything from containers to MRI machines. Stop chasing the latest headline-breaking threat and instead, implement a strategic and agile security program to proactively manage cyber risk for the modern enterprise. That’s what separates a world-class cyber organisation from a mediocre one."

