23rd December 2015: an estimated 225,000 Ukrainian residents suffered a significant blackout, which was later discovered to be the first blackout known to have been caused by hackers. Remediation was incredibly difficult, and energy suppliers were left to manually repair the damage at the impacted sites, causing huge disruption across the region.
Following on from my last blog post in January, I wanted to walk through some of the findings in the SANS analysis. I suspected the outage was caused by poor or absent security practice, and the subsequent investigation has highlighted some important points to consider.
From interviews with the three impacted organisations, the investigative team quickly concluded that the outages were caused by cyber intrusions at three regional electrical power distribution companies.
Some key points of the findings:
Once on the network, the attackers spent more time moving laterally until they discovered the l00t: back-office workstations connected by VPN to the control room networks. The reconnaissance then continued, with the attackers watching and learning how staff controlled the system. When the attack itself began, it wreaked havoc, and to ensure maximum impact the attackers also disabled the backup power supplies at two of the three distribution centres. They then launched a DDoS attack on the organisations' call centres to ensure no one could report the faults.
As a result of the damage, remediation was only possible manually, and even months after the attack, employees must still manually control the breakers at the impacted sites.
It is important to understand how this attack happened in order to implement your own security measures. At a very basic level, all privileged access to ICS systems should be secured by:
If you want to see an example of a live attack using freely available tools that mirrors some of the processes described in the SANS report, it is available on demand here: https://www.brighttalk.com/webcast/9629/185405.