Tuesday, June 13, 2017

Are Blackouts Knocking at the Doors of Substations?

Dear experts interested in secure power delivery systems,
You may have been informed yesterday about one of the latest developments in destroying the power delivery infrastructure: Industroyer.
What is Industroyer? It is "A new threat for industrial control systems" according to Anton Cherepanov (ESET):
"Win32/Industroyer is a sophisticated piece of malware designed to disrupt
the working processes of industrial control systems (ICS), specifically
industrial control systems used in electrical substations.
Those behind the Win32/Industroyer malware have a deep knowledge
and understanding of industrial control systems and, specifically, the
industrial protocols used in electric power systems. Moreover, it seems very
unlikely anyone could write and test such malware without access to the
specialized equipment used in the specific, targeted industrial environment.
Support for four different industrial control protocols, specified in the
standards listed below, has been implemented by the malware authors:
• IEC 60870-5-101 (aka IEC 101)
• IEC 60870-5-104 (aka IEC 104)
• IEC 61850
• OLE for Process Control Data Access (OPC DA)
In addition to all that, the malware authors also wrote a tool that
implements a denial-of-service (DoS) attack against a particular family of
protection relays, ..."

Click HERE for a comprehensive report [pdf].

The Conclusion of the report closes with this statement:

"The commonly-used industrial control protocols used in this malware
were designed decades ago without taking security into consideration.
Therefore, any intrusion into an industrial network with systems using
these protocols should be considered as “game over”."

The protocols used are not the crucial issue! Protocols like IEC 61850 could be protected by the accompanying standard series IEC 62351 (Power systems management and associated information exchange - Data and communications security).
One crucial showstopper is the "Stingy is cool" mentality!
Securing the systems could be implemented, but with far higher costs during development, engineering, configuration, OPERATION, and maintenance.
As long as we do not all accept that the electric power (and other) infrastructures will require a lot more resources to keep today's level of availability, quality, and security, we will experience more disrupted infrastructures.
Building an infrastructure, operating it, and maintaining it are different aspects. The maintenance of our infrastructures will definitely consume more resources than we believe today.
I was shocked to read that some "friends" believe that the reports about "Industroyer" are just fake news.
Whatever you believe, one thing is really true: Many systems and devices in the automation domain (substations, ...) are not protected! Believe me!
