
CrashOverride - ADMS protection

Confidential Property of Schneider Electric


WEF Global Risks Landscape 2017



Emerging Threats to Cyber-Physical Systems

source: Enisa, Threat Landscape Report January 2016


Ukraine Power Grid Cyber-attack

• Cyber-attack on transmission substations in Kiev, Ukraine, on December 17th, 2016
• It was part of a series of malicious hacks that have recently targeted key Ukrainian infrastructure, including the country's rail system server, several government ministries, and a national pension fund
• The result was a power outage that left customers without electricity
• It lasted for about an hour; parts of Kiev were subjected to total darkness
• The attack was not meant to have any lasting dramatic consequences
  • The attackers could have done much more
  • It was more like a demonstration of capabilities
• The attack was performed using the CrashOverride malware platform



Risk to ADMS

• The malware does not actively exploit any weaknesses in the ADMS solution
• Appropriate OS updates were issued by Microsoft
  • Approved for use on the ADMS platform
• However:
  • There is a risk, as ADMS communicates with field devices using the affected protocols and runs on the affected OS platform, which is vulnerable if unpatched
• Technical analysis to date suggests a wide range of capabilities, and we encourage all asset owners to ensure that they follow the security recommendations included in this document



CrashOverride (Win32/Industroyer)

• Represents a scalable, capable malware platform
• The modules and capabilities publicly reported appear to focus on organizations using these ICS protocols:
  • IEC 60870-5-101 (IEC 101)
  • IEC 60870-5-104 (IEC 104)
  • IEC 61850
  • OLE for Process Control Data Access (OPC DA)
• The malware abuses a targeted ICS system's legitimate control system functionality to achieve its intended effect



Malware Capabilities

• Actively scans and maps the ICS environment using a variety of protocols
  • Enumerates switches and circuit breakers with the intent to automatically open/close them in a later attack stage
• Issues valid commands directly to remote terminal units (RTUs) over ICS protocols
  • One such command sequence toggles circuit breakers in a rapid open-close-open-close pattern
• Includes a wiper module that renders Microsoft Windows systems inert, requiring a rebuild or backup restoration
• Denies service to local serial COM ports on Windows devices
  • Prevents legitimate communications with field equipment over serial from the affected device
• Might exploit a Siemens relay denial-of-service (DoS) vulnerability
  • Leads to a shutdown of the relay



Simplified Components

source: https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf



Detection

• Traditional methods of detection may not be sufficient to detect infections prior to the malware executing
• Implement behavioral analysis techniques to attempt to identify precursor activity to CrashOverride
• Detect anomalies in the system's regular operation using tools like:
  – SIEM
  – host monitoring
  – network monitoring



Impact

• Disruption to regular operations
• Might be leveraged to carry out attacks similar to the attack on DSOs in Ukraine, but at a larger scale via automated command execution
• Temporary or permanent loss of sensitive or proprietary information
• Financial losses incurred to restore systems and files
• Potential harm to an organization's reputation



Mitigation and Recommendation Solution

• There is no set of defensive techniques or programs that will completely avert all attacks
• Layered cybersecurity defenses will aid in reducing an organization's attack surface and will increase the likelihood of detection
• Apply the measures given in the Seven Steps to Effectively Defend Industrial Control Systems document created jointly by DHS, FBI and NSA (link)
  1. Application whitelisting
  2. Ensure proper configuration/patch management
  3. Reduce attack surface area
  4. Build a defendable environment
  5. Manage authentication and authorization
  6. Implement secure remote access
  7. Monitor and respond


Implementation of Seven Measures in ADMS
1. Application Whitelisting

• Antivirus and integrity check tools
• Removal of unneeded applications and services
• Microsoft Software Restriction Policy
• Integration with 3rd-party application whitelisting tools
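The "integrity check tools" bullet above is the kind of control a file-integrity baseline provides. The following is an added example, not code from the deck or from Schneider Electric: it records a SHA-256 baseline of executable files while the host is in a known-good state and later reports files that were modified, removed, or dropped in. The tracked suffixes, directory layout and file names are assumptions constructed for the demo.

```python
# Added example (not the deck's or Schneider Electric's code): a minimal file
# integrity check. A SHA-256 baseline of tracked files is recorded in a
# known-good state; later runs report modified, missing and unexpected files.
# Suffix list, directory layout and file names are constructed for this demo.
import hashlib
import json
import tempfile
from pathlib import Path

TRACKED_SUFFIXES = (".exe", ".dll", ".sys", ".ps1")  # assumption: what to track


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, suffixes=TRACKED_SUFFIXES):
    """Map each tracked file (path relative to root, POSIX form) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    }


def verify(root, baseline, suffixes=TRACKED_SUFFIXES):
    """Compare the tree under root against a previously recorded baseline."""
    current = build_baseline(root, suffixes)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def save_baseline(baseline, path):
    """Persist the baseline; in production this file must itself be write-protected."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Build a baseline, tamper with the tree, and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp, "bin")
        bin_dir.mkdir()
        # Constructed known-good state; readme.txt is deliberately not tracked.
        (bin_dir / "adms.exe").write_bytes(b"original adms binary")
        (bin_dir / "comm.dll").write_bytes(b"original comm library")
        (bin_dir / "tools.dll").write_bytes(b"original tools library")
        (bin_dir / "readme.txt").write_bytes(b"not tracked")
        manifest = Path(tmp, "baseline.json")
        save_baseline(build_baseline(bin_dir), manifest)

        # Simulated tampering: one binary altered, one removed, one dropped in.
        (bin_dir / "comm.dll").write_bytes(b"patched comm library")
        (bin_dir / "tools.dll").unlink()
        (bin_dir / "dropped.exe").write_bytes(b"unknown binary")
        return verify(bin_dir, load_baseline(manifest))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The baseline file is only as trustworthy as its storage: keep it on a read-only location or under the same access control as the logs, since an attacker who can rewrite the manifest can hide a replaced binary.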



Implementation of Seven Measures in ADMS
2. Ensure Proper Configuration/Patch Management

• Proper configuration/patch management procedures
• Special management (sub)network
  • Configuration/patch updates are possible only from specific hosts
• Multiple rounds of testing before applying changes to the production environment



Implementation of Seven Measures in ADMS
3. Reduce Attack Surface Area

• Isolated network
• Deny-by-default firewall configuration
• Regular backups
• Disaster recovery (DR) location



Implementation of Seven Measures in ADMS
4. Build a Defendable Environment

• Electronic security perimeter
• Network segmentation into zones
• Firewalls between zones
• Network access control
• Intrusion detection system
• Redundant components



Implementation of Seven Measures in ADMS
5. Manage Authentication and Authorization

• Minimal privileges
• Active Directory
• Kerberos
• Role-based access control (RBAC)
• Only authenticated users can access the system's functions
• No guest accounts
• Special control for highly privileged accounts
• Strong passwords, password complexity and periodic password change
• Different accounts for different zones
• Session management



Implementation of Seven Measures in ADMS
6. Implement Secure Remote Access

• Special credentials for remote access
• Limited access
• Secured (encrypted) communication
• VPN



Implementation of Seven Measures in ADMS
7. Monitor and Respond

• Log all security-related information
  • Network traffic
  • Authentication attempts
  • Application start-up and shutdown
  • Application failures
  • Configuration changes
  • Requests and server responses
  • …
• Integration with 3rd-party Security Information & Event Management (SIEM) tools to analyze logs
• Access control to logs
• Prevent unauthorized log modification
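The Detection slide asks for behavioral analysis of precursor activity, and this slide asks for logging of requests and server responses that a SIEM can analyze. The following added example, which is not code from the deck or from Schneider Electric, shows what such a rule looks like when run over IEC 104 control-command logs: it flags the rapid open-close-open-close pattern described under Malware Capabilities on a single breaker point, and control commands from any host that is not an ADMS front-end. The log format, host names, RTU names, IOA numbers and the allow-list of control hosts are all assumptions constructed for the example; the sample lines are likewise constructed, not real traffic.

```python
# Added example (not part of the Schneider Electric deck): a small behavioral
# detector over constructed IEC 104 control-command log lines. It flags
# (a) rapid toggling of one (RTU, IOA) point and (b) control commands from
# hosts outside the allow-list of ADMS front-ends. Host names, RTU names,
# IOA numbers and the log format are assumptions made for this example.
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: time, source host, RTU, IEC 104 ASDU type, IOA, value.
# C_DC_NA_1 (type 46) is a double command, C_SC_NA_1 (type 45) a single command.
SAMPLE_LOG = """\
2016-12-17T22:53:01 scada-fe01 rtu-07 C_DC_NA_1 ioa=2001 val=ON
2016-12-17T22:53:04 scada-fe01 rtu-07 C_DC_NA_1 ioa=2002 val=OFF
2016-12-17T23:01:10 ws-oper12 rtu-07 C_DC_NA_1 ioa=2001 val=OFF
2016-12-17T23:01:11 ws-oper12 rtu-07 C_DC_NA_1 ioa=2001 val=ON
2016-12-17T23:01:12 ws-oper12 rtu-07 C_DC_NA_1 ioa=2001 val=OFF
2016-12-17T23:01:13 ws-oper12 rtu-07 C_DC_NA_1 ioa=2001 val=ON
2016-12-17T23:10:00 scada-fe01 rtu-09 C_SC_NA_1 ioa=3001 val=ON
"""

# Assumed allow-list: only the ADMS front-end servers may issue control commands.
AUTHORIZED_CONTROL_HOSTS = {"scada-fe01", "scada-fe02"}


def parse_line(line):
    """Parse one constructed log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, rtu, asdu, ioa, val = parts
    if not (ioa.startswith("ioa=") and val.startswith("val=")):
        return None
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "src": src,
        "rtu": rtu,
        "asdu": asdu,
        "ioa": int(ioa[4:]),
        "val": val[4:],
    }


def parse_log(text):
    """Parse all lines, skipping blank and malformed ones."""
    events = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    return [e for e in events if e is not None]


def detect_rapid_toggling(events, window_seconds=30, min_transitions=3):
    """Flag a (RTU, IOA) point whose commanded value flips at least
    min_transitions times within a sliding window of window_seconds."""
    history = defaultdict(deque)  # (rtu, ioa) -> recent (ts, val) pairs
    alerts = []
    for ev in events:
        recent = history[(ev["rtu"], ev["ioa"])]
        # Drop commands that have fallen out of the window.
        while recent and (ev["ts"] - recent[0][0]).total_seconds() > window_seconds:
            recent.popleft()
        recent.append((ev["ts"], ev["val"]))
        vals = [v for _, v in recent]
        transitions = sum(1 for a, b in zip(vals, vals[1:]) if a != b)
        if transitions >= min_transitions:
            alerts.append({
                "rtu": ev["rtu"],
                "ioa": ev["ioa"],
                "transitions": transitions,
                "first": recent[0][0].isoformat(),
                "last": ev["ts"].isoformat(),
            })
            recent.clear()  # one alert per burst, not one per extra command
    return alerts


def detect_unauthorized_sources(events, authorized=AUTHORIZED_CONTROL_HOSTS):
    """Return control commands issued by hosts outside the allow-list."""
    return [ev for ev in events if ev["src"] not in authorized]


def analyze(text):
    events = parse_log(text)
    return {
        "toggling": detect_rapid_toggling(events),
        "unauthorized": detect_unauthorized_sources(events),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for a in report["toggling"]:
        print(f"ALERT rapid toggling on {a['rtu']} IOA {a['ioa']}: "
              f"{a['transitions']} transitions between {a['first']} and {a['last']}")
    for ev in report["unauthorized"]:
        print(f"ALERT control command from unauthorized host {ev['src']} "
              f"to {ev['rtu']} IOA {ev['ioa']} at {ev['ts'].isoformat()}")
```

The window and transition thresholds are tuning parameters: a legitimate operator may open and close a breaker twice during switching, so the thresholds should be set from the site's own command history rather than copied from this example, and the allow-list of control hosts should be derived from the management subnetwork design described under measure 2.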



But… Awareness is of Utmost Importance

• Many breaches were initiated by human negligence
  • Opening malicious e-mails
  • Running malicious applications
  • Accessing infected sites
  • …
• Perform regular security-related training and courses to increase the security awareness of employees



Useful Links on CrashOverride Malware

• US-CERT – Alert on CrashOverride
  https://www.us-cert.gov/ncas/alerts/TA17-163A
• ESET – Industroyer: A New Threat for Industrial Control Systems
  https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
• DRAGOS – CrashOverride: Analysis of the Threat to Electric Grid Operations
  https://www.dragos.com/blog/crashoverride/CrashOverride-01.pdf
