I was at Black Hat 2017 last week and was impressed with the "Industroyer/Crashoverride: Zero Things Cool About a Threat Targeting the Power Grid" presentation by ESET and Dragos Security. The teams outlined well how the attack was executed. One of the big takeaways was that the attackers did not exploit a vulnerability or zero day to bring down Ukrainian power. Robert Lee from Dragos Security put it well when he said that the attackers took the time to codify the process on which the plant is run. They exposed security by obscurity as a weak security control by becoming sufficiently expert in bulk electric systems.
This is chilling. Crashoverride is scary enough because it is a highly sophisticated, modular piece of malware seemingly built to take on grids across Europe. According to Dragos, it could have a broader reach with only a day's worth of modification to adapt it to the U.S. grid. These are significant developments, but the fact that there is nothing to patch to prevent future attacks means the process itself is, in an odd way, the real vulnerability. How do you remediate a process?
The insider threat has existed for decades. A determined insider can certainly do damage armed with tribal knowledge and ill will. Now that insider knowledge is in the wild, and outsiders have shown they can cause similar outcomes. If bulk electric power is susceptible, what about oil & gas, chemical, and other critical infrastructure industries? Are they the next target for process codification attacks?