Industroyer and Industrial Control Systems
On June 14th, news of a new cyber threat broke and set the Internet abuzz with warnings of gloom and doom. The name of this new threat is Industroyer, also known as Crash Override. A funny piece of trivia: in the movie Hackers, released in 1995 and starring Jonny Lee Miller and Angelina Jolie, Jonny Lee Miller’s hacker name was “Crash Override”. It is an interesting, if dated, movie, but still fun to watch. Anyway, Industroyer is ICS-specific malware that can be used to target Industrial Control Systems, including those of Electric Utilities.
Here are the things that you need to know about this Malware:
- This Malware is extremely sophisticated and communicates directly with Industrial Control System (ICS) devices using native industrial protocols. Because these protocols were developed long before the Internet of Things (IoT) existed, the devices using them were not designed to be connected to networks outside the production facility.
- The malware communicates using ICS protocols IEC101, IEC104, and IEC61850.
- It scans and maps the ICS using the OPC protocol, which is readily accessible from Human Machine Interfaces (HMIs).
- The malware is modular and could easily be evolved to attack any sort of infrastructure or allow remote access to the ICS.
- Industroyer was specifically designed to cause damage via ICS devices. The whole reason for its existence is to shut down whatever Industrial Control System it can.
So now that you know more about it, the next question is, “How do we stop it?” By the time you read this, I am sure that Symantec and the other Malware Protection companies will have released definition files that will enable your systems to detect and remove Industroyer. True protection goes deeper than this. The first law of Cyber Security is “Nothing is Secure”. You can reduce the level of risk, but you will never be able to get to a risk level of zero. Here are my steps for protecting your Industrial Control Systems.
- Do not allow a direct connection from your ICS to the Internet. The most secure configuration is an air gap between them.
- Test and load all Security and Virus Updates on the ICS as soon as possible.
- No computer or USB storage device should be connected to your network without scanning it for Malware first.
- Know who is accessing your network.
- Train your people, impress on them that just because something has never happened in the past, does not mean it cannot happen in the future.
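One way to act on “Know who is accessing your network” for the IEC104 traffic named above, as an added example that is not from the original post: a small Python parser that decodes IEC 60870-5-104 frames and raises an alert when a control command is sent by a host that is not on an allowlist of known HMIs. The HMI address and the packet bytes are constructed for illustration; the type identifiers are the standard IEC 60870-5-101/104 values.

```python
# Added example, not from the original post: parse IEC 60870-5-104 APDUs and alert on
# control commands from hosts outside an allowlist of HMIs. Addresses and bytes are constructed.
import struct
from typing import Optional

# Standard IEC 60870-5-101/104 type identifiers that change process state.
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}
ALLOWED_COMMAND_SOURCES = {"10.1.1.10"}  # constructed: the only HMI permitted to send commands

def parse_apdu(data: bytes) -> dict:
    """Parse one APDU (APCI plus optional ASDU); raise ValueError if malformed."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC 104 APDU (missing 0x68 start byte)")
    apdu_len = data[1]                     # length of control field + ASDU
    if apdu_len < 4 or len(data) < 2 + apdu_len:
        raise ValueError("truncated APDU")
    ctrl1 = data[2]
    if ctrl1 & 0x01 == 0:
        fmt = "I"                          # information transfer (carries an ASDU)
    elif ctrl1 & 0x03 == 0x01:
        fmt = "S"                          # supervisory (acknowledgement only)
    else:
        fmt = "U"                          # unnumbered control (STARTDT/STOPDT/TESTFR)
    result = {"format": fmt, "type_id": None, "cot": None, "common_addr": None, "ioa": None}
    if fmt == "I" and apdu_len >= 4 + 9:   # 6-byte ASDU header + 3-byte object address
        asdu = data[6:2 + apdu_len]
        result["type_id"] = asdu[0]
        result["cot"] = asdu[2] & 0x3F     # cause of transmission, low 6 bits
        result["common_addr"] = struct.unpack("<H", asdu[4:6])[0]
        result["ioa"] = int.from_bytes(asdu[6:9], "little")
    return result

def check_packet(src_ip: str, payload: bytes) -> Optional[str]:
    """Return an alert string when a control command comes from a host that is not an allowed HMI."""
    apdu = parse_apdu(payload)
    if apdu["type_id"] in CONTROL_TYPE_IDS and src_ip not in ALLOWED_COMMAND_SOURCES:
        return (f"ALERT: {CONTROL_TYPE_IDS[apdu['type_id']]} from unexpected host {src_ip} "
                f"to station {apdu['common_addr']}, object {apdu['ioa']}, COT {apdu['cot']}")
    return None

# Constructed sample: I-format APDU carrying C_SC_NA_1 (type 45), COT 6 (activation),
# common address 1, information object address 4097, single command ON.
SAMPLE_COMMAND = bytes.fromhex("680e000000002d010600010001100001")
```

Feeding `check_packet` the source address and TCP payload of each frame seen on port 2404 turns the allowlist into a simple detection rule; a command from any other host is exactly the kind of event the steps above are meant to prevent.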
When the news broke about Industroyer, I was asked if the Electric Utilities that are customers of ours were safe and protected from this Malware. My first answer to the person asking the question was “No, they are not safe”. This of course caused a level of panic. Under the NERC CIP regulations, there are cyber assets that can be classified as “Transient Cyber Assets”. Improper use of these assets could allow malware such as Industroyer to gain access and attack an ICS. These assets are normally a laptop, desktop, USB storage device, or vendor computer that is not normally connected to the Control Network. Before one of these Transient Cyber Assets is connected to the network, it is required to be scanned for Malware. If the regulations for these assets are followed, your ICS should be secure. However, it only takes one person who is in a hurry or doesn’t care to cause an ICS to become infected.
A Hacker only has to be right once; in Cyber Security, we must strive to be right EVERY time. This means educating ourselves and those around us to the cyber dangers that are out there.