NOTE: At the end of this article is a URL link for a voluntary survey.
Recently, there was news of a new Senate bill to develop a pilot program for the Energy Sector. Dubbed the “Securing Energy Infrastructure Act of 2016” (S. 3018), the bill provides for the establishment of a pilot program to identify security vulnerabilities. It would require the Secretary of the Department of Energy to establish a 2-year pilot program to study control system security within the Energy Sector; the pilot program would be funded at $10M for the 2-year study, and $1.5M for establishing a working group (and its findings report).
One may infer that the impetus for this bill is the grid outage in Ukraine in December 2015. DHS ICS-CERT produced a summarized findings report regarding the outage; it outlines that:
On December 23, 2015, Ukrainian power companies experienced unscheduled power outages impacting a large number of customers in Ukraine. In addition, there have also been reports of malware found in Ukrainian companies in a variety of critical infrastructure sectors. Public reports indicate that the BlackEnergy (BE) malware was discovered on the companies’ computer networks; however, it is important to note that the role of BE in this event remains unknown pending further technical analysis.
Source: DHS ICS-CERT Alert #IR-ALERT-H-16-056-01
Following the event, the DHS ICS-CERT team’s interviews with operations and information technology staff and leadership at six Ukrainian organizations with first-hand experience of the event, together with numerous further discussions and interviews, assessed that the outages experienced on December 23, 2015, were caused by external cyber-attackers. The team was not able to independently review technical evidence of the cyber-attack; however, a significant number of independent reports from the team’s interviews as well as documentary findings corroborate the events as outlined below.
Through interviews with impacted entities, DHS learned that the power outages were caused by remote cyber intrusions at three regional electric power distribution companies (Oblenergos) impacting approximately 225,000 customers. While power was restored, all impacted Oblenergos continued to operate under constrained operations. In addition, three other organizations, some from other critical infrastructure sectors, were also intruded upon but did not appear to experience any operational impacts.
The cyber-attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks. According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities. During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections. The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access.
All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. It was further reported that in at least one instance, Windows-based human-machine interfaces (HMIs) embedded in remote terminal units were also overwritten with KillDisk.
One VERY important discovery to note is that the actors also rendered serial-to-Ethernet devices at substations inoperable by corrupting their firmware. In addition, the actors reportedly scheduled disconnects for server uninterruptible power supplies (UPS) via the UPS remote management interface. DHS assessed that these actions were done in an attempt to interfere with expected restoration efforts.
Each company also reported that they had been infected with BlackEnergy malware; however, we do not know whether the malware played a role in the cyber-attacks. The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments. It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated. It is important to underscore that any remote access Trojan could have been used and none of BlackEnergy’s specific capabilities were reportedly leveraged.
Source: DHS ICS-CERT Alert #IR-ALERT-H-16-056-01
Section 3 of the act, entitled “PILOT PROGRAM FOR SECURING ENERGY INFRASTRUCTURE”, indicates that no later than 60 days following the enactment of the act, the pilot program will be conducted at one of the national labs. It will study energy service providers who voluntarily participate in the pilot program, assisting them in identifying new classes of security vulnerabilities, along with additional research into any selected technology platforms and standards to isolate and defend industrial control systems of covered entities from security vulnerabilities and exploits in the most critical systems of the covered entities, which include: (a) analog and non-digital control systems; (b) purpose-built control systems; and (c) physical controls.
Once the pilot program has been completed, a findings report will be created that will: (a) describe the results of the pilot program; (b) analyze the feasibility of each method evaluated; and (c) outline the results of any evaluations conducted by the working group.
To many, going back to analog-based systems may not be an option: (a) the cost of retrofitting analog circuitry in place of current digital circuitry would be enormous; (b) it may raise regulatory concerns between the energy service providers and the regulators; and (c) a largely manual process could not be carried out without sufficient manpower being available to run it.
Infracritical is conducting a survey on this very topic of whether or not to use analog or digital equipment for critical operations (with the exception of safety-based systems, which many feel should be analog-only).
The survey may be taken at: https://survey.infracritical.com/limesurvey/index.php/645813
So…what do you think should happen?