• The attack was not meant to have any lasting dramatic consequences
• Attackers could do many more things
• Malware does not actively exploit any weaknesses in the ADMS solution
• Appropriate OS updates were issued by Microsoft
• Approved for use on the ADMS platform
• However:
• There is a risk because ADMS communicates with field devices using the affected protocols and runs on the affected OS platform, which is vulnerable if unpatched
• Technical analysis to date suggests a wide range of capabilities, and we encourage all asset owners to ensure that they follow the security recommendations included in this document
• IEC 61850
• The malware abuses a targeted ICS system’s legitimate control system functionality to achieve its intended effect
• Actively scans and maps the ICS environment using a variety of protocols
• Enumerates switches and circuit breakers with the intent to automatically open/close them in a later attack stage
• Issues valid commands directly to remote terminal units (RTUs) over ICS protocols
• One such command sequence toggles circuit breakers in a rapid open-close-open-close pattern
• Includes a wiper module that renders Microsoft Windows systems inert, requiring a rebuild or restoration from backup
• Denies service to local serial COM ports on Windows devices
• Prevents legitimate serial communication with field equipment from the affected device
source: https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
• Traditional methods of detection may not be sufficient to detect infections before the malware executes
• Implement behavioral analysis techniques to identify precursor activity to CrashOverride
• Detect anomalies in the system’s regular operation using tools such as:
– SIEM
– host monitoring
– network monitoring
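The behaviors listed above (enumeration of field devices, rapid open-close-open-close toggling of the same breaker) are made of individually valid commands, so a detection has to look at the pattern rather than at any single message. The following is an added example, not code from the slides or from any ADMS product: two behavioral rules run over constructed command-log lines in a hypothetical format from an IEC 60870-5-104 monitor (the field names, ASDU type names used as filters, addresses and thresholds are all assumptions of this example).

```python
"""Behavioral detection over ICS command logs (added example, not from the slides).

Each command CrashOverride issues is valid on its own; what stands out is the
pattern: one host interrogating many RTUs in a short time, and one breaker
being driven open/close/open/close within seconds.  Both rules below run over
constructed log lines in a hypothetical format from an IEC 60870-5-104 monitor.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical line format (an assumption of this example, not a real product's).
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"type=(?P<type>\S+) ioa=(?P<ioa>\d+) value=(?P<value>\S+)$"
)
COMMAND_TYPES = {"C_SC_NA_1", "C_DC_NA_1"}   # single / double command ASDUs

# Constructed sample: one operator doing normal work, one host behaving like the malware.
SAMPLE_LOG = """\
2017-06-01T09:00:00 src=10.0.0.10 dst=10.0.1.20 type=C_SC_NA_1 ioa=1001 value=ON
2017-06-01T09:30:00 src=10.0.0.10 dst=10.0.1.20 type=C_SC_NA_1 ioa=1001 value=OFF
2017-06-01T11:00:00 src=10.0.0.77 dst=10.0.1.20 type=C_IC_NA_1 ioa=0 value=20
2017-06-01T11:00:05 src=10.0.0.77 dst=10.0.1.21 type=C_IC_NA_1 ioa=0 value=20
2017-06-01T11:00:10 src=10.0.0.77 dst=10.0.1.22 type=C_IC_NA_1 ioa=0 value=20
2017-06-01T11:00:15 src=10.0.0.77 dst=10.0.1.23 type=C_IC_NA_1 ioa=0 value=20
2017-06-01T11:00:20 src=10.0.0.77 dst=10.0.1.24 type=C_IC_NA_1 ioa=0 value=20
2017-06-01T11:05:00 src=10.0.0.77 dst=10.0.1.21 type=C_SC_NA_1 ioa=2001 value=OFF
2017-06-01T11:05:01 src=10.0.0.77 dst=10.0.1.21 type=C_SC_NA_1 ioa=2001 value=ON
2017-06-01T11:05:02 src=10.0.0.77 dst=10.0.1.21 type=C_SC_NA_1 ioa=2001 value=OFF
2017-06-01T11:05:03 src=10.0.0.77 dst=10.0.1.21 type=C_SC_NA_1 ioa=2001 value=ON
2017-06-01T11:05:04 src=10.0.0.77 dst=10.0.1.21 type=C_SC_NA_1 ioa=2001 value=OFF
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["ioa"] = int(e["ioa"])
    return e


def detect_enumeration(events, window=timedelta(seconds=60), min_targets=5):
    """Flag a source that addresses min_targets distinct RTUs within window (scanning/mapping)."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst), oldest first
    flagged, alerts = set(), []
    for e in events:
        q = recent[e["src"]]
        q.append((e["ts"], e["dst"]))
        while e["ts"] - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) >= min_targets and e["src"] not in flagged:
            flagged.add(e["src"])
            alerts.append({"rule": "enumeration", "src": e["src"],
                           "targets": sorted(targets), "at": e["ts"]})
    return alerts


def detect_rapid_toggling(events, window=timedelta(seconds=10), min_flips=4):
    """Flag a (dst, ioa) point whose commanded value alternates min_flips times within window."""
    recent = defaultdict(deque)   # (dst, ioa) -> deque of (ts, value), oldest first
    alerts = []
    for e in events:
        if e["type"] not in COMMAND_TYPES:
            continue
        key = (e["dst"], e["ioa"])
        q = recent[key]
        q.append((e["ts"], e["value"]))
        while e["ts"] - q[0][0] > window:
            q.popleft()
        values = [v for _, v in q]
        flips = sum(a != b for a, b in zip(values, values[1:]))
        if flips >= min_flips:
            alerts.append({"rule": "rapid_toggling", "src": e["src"], "dst": e["dst"],
                           "ioa": e["ioa"], "flips": flips, "at": e["ts"]})
            q.clear()   # start a fresh window so one burst yields one alert
    return alerts


def analyze(log_text):
    """Run both rules over a block of log text; returns alerts keyed by rule name."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {"enumeration": detect_enumeration(events),
            "rapid_toggling": detect_rapid_toggling(events)}


if __name__ == "__main__":
    for rule, alerts in analyze(SAMPLE_LOG).items():
        for a in alerts:
            print(rule, a)
```

On the constructed sample the operator host trips neither rule, while 10.0.0.77 produces one enumeration alert (five RTUs interrogated within a minute) and one rapid-toggling alert (four value changes on one point within ten seconds). Thresholds and window sizes must be tuned to the site: a legitimate station-wide interrogation after a master restart or a protection test can look like either pattern, so these rules belong in the SIEM as triggers for investigation rather than as automatic blocking.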
• There is no set of defensive techniques or programs that will completely avert all attacks
• Layered cybersecurity defenses will aid in reducing an organization’s attack surface and will increase the likelihood of detection
• Apply the measures given in the Seven Steps to Effectively Defend Industrial Control Systems document created jointly by DHS, FBI and NSA (link)
1. Application whitelisting
• Isolate network
• Deny-by-default firewall configuration
• Regular backups
• DR location
• Minimal privileges
• Active Directory
• Kerberos
• Role-based access control (RBAC)
• Only authenticated users can access the systems’ functions
• No guest accounts
• Special control for highly privileged accounts
• Strong passwords, password complexity and periodic password change
• Different accounts for different zones
• Session management
• Authentication attempts
• Application failures
• Configuration changes
• …
• Integration with 3rd party Security Information & Event Management (SIEM) tools to analyze logs
• Access control to logs
• Prevent unauthorized log modification
• …
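Access control on the log store is the first line of defense against log modification; the second is making any modification detectable by the SIEM that consumes the logs. The following is an added example, not code from the slides or from any ADMS product: a hash-chained audit log in which each record carries an HMAC over itself and the previous record's tag, together with a verifier that reports where a chain was edited or truncated. The key, the event format and the sample events are assumptions of this example; the key is assumed to be held by the log collector rather than the monitored host.

```python
"""Tamper-evident audit log (added example, not from the slides).

Each record's tag is an HMAC over the record itself and the previous record's
tag, so editing, reordering or deleting an earlier record invalidates every
tag after it.  The key is assumed to live on the log collector / SIEM side,
not on the monitored host, so a host compromise alone cannot re-sign the chain.
"""
import copy
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32   # previous-tag value used for the first record


def _tag(key, seq, event, prev_tag):
    """HMAC-SHA256 over (previous tag || sequence number || canonical JSON of the event)."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + seq.to_bytes(8, "big") + body, hashlib.sha256).digest()


class ChainedLog:
    """Append-only list of records; each record carries its chained HMAC tag as hex."""

    def __init__(self, key):
        self._key = key
        self.records = []
        self._prev = GENESIS

    def append(self, event):
        seq = len(self.records)
        tag = _tag(self._key, seq, event, self._prev)
        self.records.append({"seq": seq, "event": event, "tag": tag.hex()})
        self._prev = tag
        return seq

    def head(self):
        """Latest tag; publish it out of band so removal of trailing records is detectable."""
        return self._prev.hex()


def verify_chain(records, key, expected_head=None):
    """Return the index of the first bad record, or None if the chain verifies.

    With expected_head given, a chain that verifies but ends on a different tag
    (records removed from the end) is reported as failing at len(records).
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i:               # reordered or renumbered record
            return i
        expected = _tag(key, i, rec["event"], prev)
        try:
            given = bytes.fromhex(rec["tag"])
        except (ValueError, TypeError, KeyError):
            return i
        if not hmac.compare_digest(expected, given):   # content or predecessor changed
            return i
        prev = expected
    if expected_head is not None and prev.hex() != expected_head:
        return len(records)
    return None


# Constructed events of the kinds the slides list (authentication attempts, configuration changes).
SAMPLE_EVENTS = [
    {"type": "auth", "user": "operator1", "result": "success"},
    {"type": "auth", "user": "admin", "result": "failure"},
    {"type": "auth", "user": "admin", "result": "failure"},
    {"type": "config_change", "user": "admin", "item": "breaker_interlock", "value": "disabled"},
]


def demo():
    """Build a chain, then show that an edit and a truncation are both caught."""
    key = b"collector-side-secret-key"   # assumption: held by the collector, not the host
    log = ChainedLog(key)
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    head = log.head()
    intact = verify_chain(log.records, key, head)                # None: chain is good

    # Tamper 1: rewrite a failed admin login as a success.
    edited = copy.deepcopy(log.records)
    edited[1]["event"]["result"] = "success"
    edit_detected_at = verify_chain(edited, key, head)           # 1: first bad record

    # Tamper 2: drop the configuration change at the end of the log.
    truncated = copy.deepcopy(log.records[:-1])
    truncation_detected_at = verify_chain(truncated, key, head)  # 3 == len(truncated)
    return intact, edit_detected_at, truncation_detected_at


if __name__ == "__main__":
    print(demo())
```

Without the out-of-band head value the truncated chain still verifies, because every remaining record is internally consistent; that is why the latest tag has to be shipped to (or computed by) the SIEM and not only stored next to the records. Anyone holding the key can re-sign a forged chain, so the scheme adds tamper evidence to, rather than replacing, the access controls on the log store.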
• Perform regular security-related training and courses to increase security awareness of employees