
31: Black Energy

Oct 03, 2019, 26 min


Transcript

Intro / Opening

[Music]

Chain of events, cause and effect. We analyse what went right, and what went wrong, as we discover that many outcomes can be predicted, planned for, and even prevented. I'm John Chidgey, and this is Causality. Causality is supported by you: our listeners. If you'd like to support the show you can do so via Patreon or by becoming a premium subscriber for early release, high quality, ad-free episodes. Visit https://engineered.network/causality to learn how you can help. Thank you.

Black Energy

"Black Energy". On the 23rd of December 2015, in the late evening, major sections of the Ukrainian power grid blacked out in quick succession. The blackouts impacted 225,000 residences over a huge physical area, shedding some 170 MW of load from the electrical power grid. There were no storms, no equipment failures, and no human error. Well, no human error at that moment in time anyway.

Before you wonder why a power blackout is worthy of discussion: this particular power outage was the first large-scale power disruption caused by a cyber intrusion. The incident has been referred to as "Black Energy", not to be confused with "Industroyer", which happened one year later. The name of the incident is linked to the name of the malware that the incident made well known, which, interestingly, was actually the third generation of the Black Energy malware, first identified in 2014. The truth is that the Black Energy 3 malware wasn't the cause of the outages, but rather it was the key that initially let the attackers in. But we're getting ahead of ourselves.

Ukraine has 24 regions, with each region varying from 11 to 27 provinces, and covering these to various scales there is a different power distribution company serving that region, called an Oblenergo. The Black Energy incident was targeted at multiple of those Oblenergos.

The Incident

At approximately 3:25pm Eastern European Time on Wednesday the 23rd of December 2015, the call centers for reporting power grid issues were flooded with a barrage of telephone calls, simultaneously. These calls appeared to have all originated from Moscow, overloading the telephone system completely. Five minutes later, in the Prykarpattya-oblenergo control center, the SCADA remote control system, seemingly possessed, locked the operators out and began executing a manual isolation sequence. Thirty substations were systematically switched off one by one as massive segments of the power grid were sent into a blackout. Specifically, seven 110 kV (or kilovolt) and twenty-three 35 kV substations were disconnected. They were distribution substations, not major transmission and not generation plants.

Approximately one minute later the same attack began on a second Oblenergo, and then a third at 4:00pm. Six Oblenergos were targeted in the attack, though only three began to experience an operational impact, and they were Chernivtsi, Kyiv and the aforementioned Prykarpattya. Two of those three control rooms were also blacked out themselves despite having UPSs fitted, with the third control room remaining powered throughout the incident. At 4:10pm engineers disabled an HMI administrator account in an attempt to stop the attack and regain control. However, the hackers had installed an additional administrator account beforehand and hence this action had no impact. In the following minutes the Oblenergo engineers initiated a shutdown of the SCADA system and remote access VPN and were thus able to end the attack; however, this occurred only in time to prevent the final blacking out of just one solitary substation that remained. All of the others had already been blacked out.

At 5:00pm the Prykarpattya-oblenergo published a note on their site stating the following (this is a Russian translation to English): "To the attention of consumers of PJSC, due to malfunctioning of telemechanics, a considerable part of the region and Ivano-Frankivsk remained without power supply. Specialists are currently searching for the causes and finding out the extent of the accident. We will provide more information as we receive it. Please refrain from making phone calls to the call center as the dispatchers do not have any information about the timing of the accident until the cause of the accident is known. Thank you for understanding." (End quote.) At 5:30pm an additional note was also added. Each Oblenergo attempted remotely re-energizing their substations to no avail, and then systematically dispatched field operators to each substation one by one.

Upon arrival at each substation the field operators systematically switched on each of the circuit breakers, powering up sections of the power grid. The shortest full blackout period lasted approximately 1 hour, with the full power restoration taking approximately 6 hours. In attempting to restore their control system infrastructure, Oblenergo engineers found most operator workstations were unable to be booted up, and on those that they could, they found operators were unable to log in with their credentials, and where they could log in successfully, many of their remote sites remained unable to be monitored, let alone controlled remotely. The attack had rendered them remotely blind and completely remotely incapacitated.

How Did They Get In?

So how did they get in? First of all, it started with a spear phishing attack focused on IT staff and sysadmins (that's system administrators) that worked for several companies throughout Ukraine that supported the Ukraine electricity network. They delivered an email with a malicious attachment that appeared to have come from the Ukraine energy ministry. Six of the Ukraine power companies were targeted with an old-fashioned Word or Excel document with a macro embedded in them that, once the user opened it and enabled macros, delivered the Black Energy 3 payload. In this case the attachments were predominantly Excel files. Black Energy 3 then allowed the installation of keyloggers to capture credentials, allowing further system access laterally until reaching the domain controllers. This began more than six months before the actual attack would take place.

None of the companies had any capability to continually monitor their control system network logs. The Oblenergos actually had significant logging enabled on most of their systems, server and network devices; however, it was not centrally aggregated. Moreover, none of it was checked manually or semi-automatically. There was also no system network monitoring at all, with no tools installed for that purpose.

In addition, remote access to the control network was via VPN, and that VPN had no multi-factor authentication. The Ukrainian power grid did have remote access for engineers, with the intention of being able to access, monitor and remotely support the system, but it did not have MFA (or Multi-Factor Authentication). For those that don't know what MFA is, the intention is simple enough: log in to a secure site or an access portal with a username and a password. The system will then send a notification, a message, SMS, text or similar, to a secondary device that is known to be owned by the user, to confirm that that specific login attempt was coming from that specific user. Once that user independently approves or accepts, access is finally granted. MFA, were it in place, would have alerted those with a compromised account that someone was attempting to remotely log in using their credentials.

How did the hackers get the right credentials? Each company segregated their control network from their corporate network using a firewall. So the hackers spent months incrementally infecting more machines on the corporate side with a variety of different exploits until they were able to get access to the Active Directory controller. Once in the AD controller they had access to the domain credentials; they obtained credentials for control systems engineers with remote access privileges and were able to access the control network at will without detection. They compromised a total of 17 operator workstations across the organizations. They installed a variety of back doors including GCat, Dropbear and Kryptik, to ensure that there were multiple paths available to get in, should one of them be discovered.

Setting Up The Outage

So how did they set up the outage itself, now that they're in? First of all, the control room UPSs. All the control centers in Ukraine, as is standard practice worldwide, are fully backed up with uninterruptible power supplies, such that if the grid power goes out the control room will remain powered and functional. The same applies to the dial-in call centers. In the first step the hackers took out two of the three UPSs, such that when the power was turned off to their own power grids those control rooms would also be blacked out.

Then they disabled remote SCADA commands. Serial to Ethernet converters are used for address translation between the SCADA system and the high-voltage circuit breakers, and these were remotely upgraded to an invalid firmware revision, awaiting a remote reboot request, after which the device, being unable to boot because the firmware was invalid, was effectively bricked and completely inoperable. The two devices that they targeted were the MOXA UC7408 LX-plus: that is a Universal Communicator with an IXP425. It has 8 configurable RS-232, -422 or -485 ports, 8 digital inputs, 8 digital outputs, and dual LAN. Importantly, it's running an embedded Linux version. MOXA is a company based in Taiwan and they make a large number of industrial communications products. There is scarcely a plant that I've worked on that does not have something made by MOXA somewhere in it.

The second device was an iRZ RUH2 3G. This is a 3G router, industrially hardened. It supports dual SIM cards and 10/100 Ethernet and again runs an embedded Linux version. iRZ is a company based in Russia, so whilst they are popular in Europe, outside of Europe they are rarely found.

By disabling these with these firmware hacks, any recovery of SCADA workstations would be ineffective because there would be no communication converter between SCADA and the circuit breakers for remote operation or monitoring. Essentially they were cutting off the intermediary and severing that link.

Disabling the SCADA workstations. KillDisk on the operator workstations will overwrite the MBR (that's the Master Boot Record) as well as key system files, rendering the computer inoperable and unable to reboot to recover, effectively disabling the SCADA operator workstations completely. For several machines KillDisk was manually triggered, whereas for others there was a time trigger delay to launch at about 5:00pm, an hour and a half into the start of the attacks.

Finally, they disabled an RTU on an embedded PC. An ABB RTU560 CMU-02 is a chassis-mounted daughter card that runs an embedded Windows CE. One of these, and only one, was discovered also corrupted by KillDisk.

What Wouldn't Have Stopped It

There have been many suggestions as to how this could have been prevented, but before we talk about that, a few things that wouldn't have stopped it. Application whitelisting, for example at the firewall, would not have changed the outcome. Non-obvious passwords were actually used, so this was not a case of having weak passwords that were easily guessed. They weren't. Significant logging did actually exist, and firewalls existed. Adding more firewalls would not have changed the outcome. Before we talk about what could have been done to prevent this, let's look at the fallout from the incident.

The Fallout

In total about 73 MWh of electricity was not supplied during the blackout period. That represents a somewhat insignificant amount, representing a mere 0.015% of Ukraine's daily electricity consumption. Fractionally speaking that's 1/6,600th of their total daily supply. There were no documented economic impacts, health or medical complications or spoilage losses as a result of this blackout incident. The Oblenergos themselves, however, were more heavily impacted in terms of cost to rectify the mess left behind by the hackers. It took months to rebuild the destroyed workstations due to a lack of regular backups. It took months to replace Serial to Ethernet converters due to a lack of spare parts and a lack of backups, with the MOXA and iRZ units completely unrecoverable, requiring physical replacement and complete reprogramming from scratch. During the rebuilding time the system was mostly run manually, with a significantly increased staff presence on the ground at substations. The additional costs of this rebuilding have not been publicly released, although parts and labor for the engineering rebuild were likely to be at least a quarter of a million USD in parts and labor.

Whilst Stuxnet demonstrated that hacking by well-funded and highly motivated hackers could physically damage equipment connected to a control system, interruption of a power grid on a scale like this had never been seen before. The Ukrainian companies were well practiced in manual override controls, and given their staffing structure and training they were able to restore power and run the system manually very quickly, and for several weeks until the remote control infrastructure could be fixed. Other countries around the world have been progressively relying more and more on control systems infrastructure to operate their facilities remotely to reduce operating costs. In many cases local controls are also being sacrificed entirely to save on manufacturing and ongoing maintenance costs. In such cases an attack like this one would have been far more devastating.

Without sufficient manual override control, or without enough trained personnel to operate substations manually, the outage could have lasted for days, or even a week, in some countries around the world. The ramifications of Black Energy have actually been a strengthening of the application of cybersecurity defense-in-depth architectures in utilities around the world, driving a huge spike in investment in software for monitoring logs, detecting abnormal network communication and the identification of data traffic specifically between SCADA systems and equipment controllers. Four months ago, in mid-2019, the SEIA bill, or Securing Energy Infrastructure Act, in the United States passed through the Senate.

It mandates sufficient manual controls to ensure manual control overrides and procedures exist to operate the electrical grid infrastructure in the event of a failure or a compromise of automated control systems. The Act attempts to counter the growing trend of cost reduction by removing full manual controls in favor of automation, and to mandate that those controls must be installed, inspired in large part by the Ukraine attack in 2015.

Lessons Learned

So what lessons have we learned from this? Social targeting is a big problem that a lot of people don't appreciate. When I used to work at Nortel Networks in the late 1990s, organizational charts (or org charts) were relabeled as "Commercial in Confidence" documents because there had been several incidents of targeted poaching attempts from other tech companies. In essence it was a map to the structure internally, and those wishing to poach people would know straight away who to speak to. Today social media and the over-sharing of information has made it difficult for companies to protect this sort of information, not just from poaching attempts but from hackers as well, and today companies like LinkedIn make it incredibly easy for a hacker to craft a highly targeted phishing or spear-phishing email to exactly the right group of people they need to get access.

As previously mentioned, spear-phishing campaigns or attacks are the first volley from those trying to penetrate a network, and they're becoming harder to detect and block, and are becoming far more frequent. If I'm a hacker and I want to disrupt a company that runs industrial equipment like electricity generation or electricity supply, oil and gas, mining, water supplies, even hospitals: many employ control systems engineers like me to maintain and support their control system infrastructure. If I post that I'm a control systems engineer on LinkedIn, working for the target company someone wants to disrupt, they then draw up a short list. Sometimes people over-share the projects that they've worked on. Perhaps they've worked on a safety system for an explosives plant, which might make it easier to target those people specifically in a spear-phishing attack, since those people are the most likely to have credentials that have access to those safety systems you're trying to disrupt.

From a shortlist constructed from LinkedIn it stands to reason that I would know other control systems engineers also working at the same company, so now they're able to send an email to me that at first glance appears to come from one of my co-workers, someone that I know, but has a malicious attachment that I'm less suspicious of. So I open it unsuspectingly, then they have access to my machine. You might think LinkedIn restricts access to my list of connections if I select that, and if you're not a connection of mine then that's true (certainly the way I've got it set), but all it takes is for someone to pose as a recruitment consultant, a headhunter, an agent, and if you're in the market for a new job, even if you're strict about only connecting with people that you've personally met, you might just accept one or two requests like that, and if one is malicious then they have everything they need with all of your connections to find who to target. The hackers know that the control systems engineers have elevated privileges in the control system and might even have remote access rights as well, if that exists, so once they've got on to my machine a keylogger lies in wait for me to log in to the remote access gateway to the control network, and then they have my credentials and it's open season.

If that access portal is internet exposed they can get in and out any time they want, and if no one is cross-checking when I'm logging in and when I'm not, and if there's no other mechanism like Multi-Factor Authentication, then it's an open door and they can poke and prod and look for weaknesses from within the system to the extent my credentials let them. In the case of Black Energy the original attack wasn't quite as targeted, but ultimately they still achieved their goal by gaining access to the domain controller; it just took a little longer. But undetected, they could take as long as they liked.

There have been a lot of reports digging into the incident and many lessons can be learned from it. ISA/IEC 62443-3-3 lists 51 system requirements that are recommended to improve resilience to cyber intrusion in Operational Technology (or OT) systems. An International Society of Automation (or ISA) report highlighted 7 significant SR breaches in this incident, of which I'll cover only three that I consider key.

2.4: The transfer of malware between systems on the OT network clearly demonstrated that there were no substantial controls restricting file transfer throughout the control system network. It's common practice to have a so-called secure gateway for all file access between machines on an OT network. That gateway or dropbox is heavily scanned and logged and reviewed regularly. All other file transfer pathways are then restricted or disabled completely, making it significantly harder to spread malware through the OT system if you do get in. People (that use the system every day) complain it's hard to get data in or out of the system without that additional intermediate step, but it does stop the hackers from easily cross-infecting machines on the network.

Point 5: Whilst a firewall existed, lacking sufficient additional controls it was rendered mostly ineffective. The essence of this comment: for a firewall to be useful there also has to be strong authentication. Also, detection via an automated or manual log review method of some kind would have uncovered the hackers' activity quite easily.

Item 6.2: Lack of overall network monitoring. Without any monitoring tools the attackers could surveil the network extensively, completely undetected, for weeks and in this case, months.

Conclusion

So what do we conclude from all of this? If you're working with critical infrastructure and there are remote access pathways to your control system infrastructure then be warned: you are, or will be (someday), a target. If you're part of an IT or OT department, make sure you have a centralized log collection and analysis tool, and have eyes on glass looking over those logs for any suspicious activity, because that is part of your job. If you're able to install software tools that can monitor network traffic, learn standard behaviors and then report on exceptions or suspect traffic patterns, then invest in it and use it. If you have a remote access portal, for goodness' sake install Multi-Factor Authentication.

We humans are sometimes too clever for our own good. We use our intelligence to build machines that require less and less work for us to do. It's easier to monitor, reset, open and close circuit breakers from a room hundreds of kilometers away. Why drive there when you can just click a button? It's easier and it's cheaper to build things with no physical buttons, no indicator lights, no manual overrides, and that's fine until something goes wrong and you need them. Cyber-security is a never-ending tug of war between company convenience and the risk of cyber inconvenience. The more convenient that we make it for ourselves, the more convenient we make it for hackers to make our lives inconvenient. In the case of Black Energy only 0.015% of the power grid was inconvenienced that evening. Next time, though, the consequences could be much, much more severe. If you're involved with OT systems, pay attention. Those people intent on wreaking havoc throughout the world might be watching you and waiting for you to choose that convenience and laziness over security.

Outroduction

If you're enjoying Causality and want to support the show you can, by subscribing to the Premium site via Breaker or via Patreon. You can find details at https://engineered.network/causality, with a thank you to all of our patrons and a special thank you to our Silver Producers Carsten Hanson, John Whitlow, Joseph Antonio and Kevin Kosh, and an extra special thank you to our Gold Producer known only as "r". Patron rewards include a name thank you on the website, a name thank you at the end of episodes and access to detailed raw show notes too. Premium rewards also include ad-free, high-quality releases of every episode, so if you'd like to subscribe you can help make sure the show continues to be produced, and above all else it's all really, really appreciated. Of course there are lots of other ways to help, like favoriting this episode in your podcast player app or sharing the episode or the show with your friends or via social. Some podcast players let you share audio clips of episodes, so if you have a favourite segment, feel free to share that too. All of these things help others to discover the show and can make a big difference. Causality is heavily researched and links to all materials used for the creation of this episode are contained in the show notes. You can find them in the text of the episode description of your podcast player or on our website. You can follow me on the Fediverse @chidgey@engineered.space, on Twitter @johnchidgey (all one word) or the network @Engineered_Net.

This was Causality. I'm John Chidgey. Thanks so much for listening.

[Music]

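Added example (editor's code, not from the Causality episode or any of the companies it discusses): the episode's conclusion asks defenders to aggregate remote-access logs and cross-check when, and from where, an engineer's credentials are being used. The script below is one small implementation of that review. It learns a per-user baseline of source addresses and login hours from a known-good window, then flags every later login that comes from a new address, lands outside that user's normal hours, or carried no second factor. The log format, gateway hostname, usernames, addresses and timestamps are all constructed for this example; a real gateway's format would need its own regular expression.

```python
"""Log-review example: flag remote-access logins that break a user's own history.

All log records, hostnames, usernames and addresses below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of a remote-access gateway log, one record per login attempt.
# Hypothetical format:
#   <ISO timestamp> <host> LOGIN user=<u> src=<ip> result=<success|failure> mfa=<none|ok>
SAMPLE_LOG = """\
2015-11-02T08:03:11 vpn-gw1 LOGIN user=o.koval src=10.20.5.14 result=success mfa=none
2015-11-03T08:10:42 vpn-gw1 LOGIN user=o.koval src=10.20.5.14 result=success mfa=none
2015-11-04T07:58:05 vpn-gw1 LOGIN user=o.koval src=10.20.5.14 result=success mfa=none
2015-11-05T09:15:30 vpn-gw1 LOGIN user=o.koval src=10.20.5.14 result=success mfa=none
2015-11-02T08:30:00 vpn-gw1 LOGIN user=t.bondar src=10.20.5.22 result=success mfa=none
2015-11-06T16:45:00 vpn-gw1 LOGIN user=t.bondar src=10.20.5.22 result=success mfa=none
2015-12-19T02:41:17 vpn-gw1 LOGIN user=o.koval src=198.51.100.77 result=success mfa=none
2015-12-23T15:25:03 vpn-gw1 LOGIN user=t.bondar src=198.51.100.77 result=success mfa=none
2015-12-23T15:31:50 vpn-gw1 LOGIN user=t.bondar src=10.20.5.22 result=failure mfa=none
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


def parse(log_text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def build_baseline(events, cutoff):
    """Per-user source addresses and login hours seen in successful logins
    before `cutoff`, the window assumed to predate any intrusion."""
    baseline = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for ev in events:
        if ev["ts"] < cutoff and ev["result"] == "success":
            baseline[ev["user"]]["srcs"].add(ev["src"])
            baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return baseline


def review(events, cutoff, work_hours=range(7, 19)):
    """Return (timestamp, user, reason) findings for successful logins at or
    after `cutoff` that do not match the user's baseline or carried no MFA."""
    baseline = build_baseline(events, cutoff)
    findings = []
    for ev in events:
        if ev["ts"] < cutoff or ev["result"] != "success":
            continue
        user, hour = ev["user"], ev["ts"].hour
        reasons = []
        if ev["src"] not in baseline[user]["srcs"]:
            reasons.append(f"new source address {ev['src']} for this user")
        if hour not in work_hours and hour not in baseline[user]["hours"]:
            reasons.append(f"login at {hour:02d}:00, outside this user's normal hours")
        if ev["mfa"] == "none":
            reasons.append("no second factor on a remote-access login")
        for reason in reasons:
            findings.append((ev["ts"].isoformat(), user, reason))
    return findings


def review_log(log_text, cutoff_iso):
    """Convenience wrapper: parse raw log text and review it against an ISO cutoff date."""
    return review(parse(log_text), datetime.fromisoformat(cutoff_iso))


if __name__ == "__main__":
    for ts, user, reason in review_log(SAMPLE_LOG, "2015-12-01"):
        print(f"{ts} {user}: {reason}")
```

On the constructed sample this produces five findings: the 02:41 login for o.koval from an address never seen for that account trips all three checks, and the afternoon login for t.bondar from the same unfamiliar address trips the new-address and no-MFA checks. The failed attempt is left alone here; in practice a burst of failures for one account is its own signal and belongs in a separate rule. The point of the baseline is that it is per user: an address or hour that is routine for one engineer is not automatically routine for another.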
