
Cybersecurity for Energy Delivery Systems, Michael Assante & Tim Conway - PowerPoint PPT Presentation



  1. Cybersecurity for Energy Delivery Systems Michael Assante & Tim Conway (Under contract to DOE through Idaho National Laboratory) March 28th, 2016

  2. Agenda
     1. Event deconstruction
     2. Mitigations
     3. Discussion
     UNCLASSIFIED

  3. Ukraine Event (December 23, 2015)

  4. Presentation Perspective
     An interagency team composed of representatives from the NCCIC/ICS-CERT, U.S. Computer Emergency Readiness Team (US-CERT), Department of Energy, Federal Bureau of Investigation, and the North American Electric Reliability Corporation traveled to Ukraine to collaborate and gain more insight. Mike Assante and Tim Conway, DOE INL subcontractors, were added to the team by DOE to bring their electricity sector and SANS experience to bear on this critical incident. This briefing is our post-trip report. The mitigation guidance offered for consideration is our own and is offered "as is", as general concepts intended simply to inform thinking.

  5. Geographic Orientation (map slide)

  6. Power System Orientation (diagram slide)

  7. Power System Regions: Ukraine's Generation Sites (map slide)

  8. Power System Element: Distribution (Source: modification of an image from the Energy Sector-Specific Plan 2010)

  9. Event Summary
     • Through interviews, the team concluded that a remote cyber attack caused power outages at three Ukrainian distribution entities (Oblenergos), impacting approximately 225,000 customers
     • While power has been restored, all the impacted Oblenergos continue to operate in a degraded state
     • The attack included elements to disrupt power flow and to exaggerate the outage by damaging the SCADA DMS and communication infrastructure used to support power dispatching


  11. Attack Steps Summary
     • Infect, Foothold, C2
     • Harvest Credentials
     • Achieve Persistence & IT Control
     • Discover SCADA, Devices, Data
     • Develop Attack Concept of Operation (CONOP)
     • Position
     • Execute Attack
       - SCADA/DMS Dispatcher Client/WS Hijacking
       - Malicious firmware uploads
       - KillDisk wiping of WS & Servers
       - UPS Disconnects & TDoS

  12. Technical Components
     • Spear phishing to gain access to the business networks
     • Identification of BlackEnergy 3 at each Oblenergo
     • Adversary theft of credentials from the business networks
     • Use of VPNs to enter the ICS network
     • Use of existing remote access tools within the environment, or issuing commands directly from a remote station capable of issuing commands in the same way as an operator HMI
     • Serial-to-Ethernet communications devices impacted at the firmware level
     • Use of a modified KillDisk to erase workstations and servers
     • Use of UPS systems to impact connected load via a scheduled service outage
     • Telephone Denial of Service (TDoS) attack on the call center

  13. SCADA Hijacking Techniques
     (Diagram labels: SCADA Server; Phantom Mouse; Rogue Client; Remote Admin Tools at OS-level; Remote SCADA Client Software)
     The attackers developed two SCADA hijack approaches (one custom and one vendor-agnostic) and successfully used them across different types of SCADA/DMS implementations at three companies.

  14. Keeping Perspective
     The Ukraine cyber attacks are the first publicly acknowledged intentional cyber attacks to result in power outages. As future attacks occur, it is important to scope the impacts of the incident being examined. Power outages should be measured in scale (number of customers and electricity infrastructure involved) and in duration until full restoration. These incidents impacted up to 225,000 customers in three different distribution-level service territories and lasted several hours. On a macro scale these incidents would be rated as low in terms of power system impacts, because the outage affected a very small share of overall power consumers in Ukraine and the duration was limited. We are confident that the companies impacted would have rated these incidents as high or critical to their business and to the reliability of their systems.

  15. What we should understand
     • Attacks were planned, coordinated, and required a high degree of orchestration
     • Aggressive development-to-operations cycle
     • Attacks required multiple operators
     • Simultaneous actions & mistakes
     • Multi-staged Kill Chain
     • Multiple attack elements
     • Custom attacks developed
     • Multi-staged attack
     • Attackers achieved their objective
     • Targets used different SCADA

  16. ICS Kill Chain Mapping (Stage 1) (diagram slide)

  17. Stage 1 TTPs
     • Spear phishing with MS Office attachments
     • BlackEnergy malware used for initial infection
       ◦ Overlapping C2 servers
     • KillDisk downloaded and executed manually
       ◦ KillDisk execution on selected workstations and servers
     • Use of company-employed remote access tools
       ◦ Use of legitimate credentials for network access at time of attack (RDP, RADMIN, VPN)
     • Installation of backdoors

  18. ICS Kill Chain Mapping (Stage 2) (diagram slide)

  19. Stage 2 TTPs
     • Lockout of legitimate dispatchers
     • Manual & command operation to trip breakers
     • Firmware corruption of Serial-to-Ethernet converters & substation devices
     • UPS system outage
     • KillDisk on RTU Local HMI Module
       ◦ Windows OS
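As an added example (not from the briefing), the following Python correlation tags constructed access and control-system events with the Stage 1 (remote access with legitimate credentials) and Stage 2 (dispatcher lockout, breaker operation, firmware writes, scheduled KillDisk/UPS outages) TTPs listed on slides 17 and 19, and raises an alert when a single account shows Stage 1 access followed by Stage 2 actions. Event type names, accounts, hostnames and addresses are all constructed for illustration.

```python
# Added example, not part of the briefing: tag constructed events with the Stage 1
# (IT/remote access) and Stage 2 (ICS action) TTPs from the slides and alert when a
# single account shows Stage 1 access followed by Stage 2 actions.
from collections import defaultdict

# Event types are constructed names for the TTPs on the slides, not vendor log fields.
STAGE1_TTPS = {"vpn_login_ics": "VPN into ICS network",
               "rdp_to_hmi": "RDP to dispatcher workstation",
               "radmin_session": "Remote admin tool session"}
STAGE2_TTPS = {"breaker_open_cmd": "Manual breaker trip via HMI",
               "firmware_upload": "Serial-to-Ethernet converter firmware write",
               "ups_schedule_change": "UPS outage scheduled",
               "scheduled_task_killdisk": "KillDisk scheduled on workstation/server"}

# Constructed sample events: (timestamp, account, event type, source). Not real data.
SAMPLE_EVENTS = [
    ("2015-12-23T15:02:11", "dispatcher02", "vpn_login_ics", "203.0.113.7"),
    ("2015-12-23T15:10:44", "dispatcher02", "rdp_to_hmi", "hmi-ws-03"),
    ("2015-12-23T15:31:09", "dispatcher02", "breaker_open_cmd", "hmi-ws-03"),
    ("2015-12-23T15:33:50", "dispatcher02", "scheduled_task_killdisk", "scada-srv-01"),
    ("2015-12-23T09:14:02", "engineer07", "vpn_login_ics", "198.51.100.21"),
    ("2015-12-23T11:40:00", "svc_backup", "scheduled_task_killdisk", "file-srv-02"),
]

def map_stages(events):
    """Group events per account into Stage 1 and Stage 2 lists, in time order."""
    per_account = defaultdict(lambda: {"stage1": [], "stage2": []})
    for ts, account, etype, src in sorted(events):
        if etype in STAGE1_TTPS:
            per_account[account]["stage1"].append((ts, etype, src))
        elif etype in STAGE2_TTPS:
            per_account[account]["stage2"].append((ts, etype, src))
    return per_account

def find_hijack_candidates(events):
    """Return (hijacks, lone_actions): one hijack alert per account whose first Stage 1
    access precedes at least one Stage 2 action, plus accounts that performed Stage 2
    actions with no observed remote access (still worth a ticket, reported separately)."""
    hijacks, lone_actions = [], []
    for account, stages in map_stages(events).items():
        if stages["stage2"] and not stages["stage1"]:
            lone_actions.append(account)
        elif stages["stage1"] and stages["stage2"]:
            access_ts = stages["stage1"][0][0]
            actions = [(ts, STAGE2_TTPS[e], src)
                       for ts, e, src in stages["stage2"] if ts > access_ts]
            if actions:
                hijacks.append({"account": account, "access_at": access_ts,
                                "actions": actions})
    return hijacks, lone_actions
```

A remote-access-only account (engineer07 above) never alerts on its own; the point is the transition from legitimate-looking access to dispatch-side actions under one identity.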


  21. Attack Elements by Location
     (Diagram labels: Distribution Control Center(s) - Central Office, Branch Offices; HMI workstations (OS-level); Workstations & Servers; Client-to-Server Accessible; 110 kV Substation; 110 kV Substation Firmware Devices; 35 kV Substation)

  22. Malicious Firmware Uploads (Cont.)
     (Model diagram created by Mark Engles; recoverable labels follow.)
     Device elements: Input, Output, Physical Protection, Electronic Protection, Device, Communications Path, AP
     Device composition: Hardware, Firmware, Application Software, Configuration (maintenance, not operational, data input)
     Failure modes: No Data (source problems, destination problems, disrupted com path, disrupted AP/interface), Invalid Data, Too Much Data

  23. Manipulate-to-Disrupt (anti-restore) (diagram slide)


  25. How Sophisticated Was It?

  26. Rating this Attack
     (Radar chart "Sophistication" with axes CONOP, ICS Customization and Effect, scale 0 to 3.)
     Summary
     • Some sophistication in the SCADA/DMS hijacking method, but the majority of it was not sophisticated
     • Rogue client hijacking demonstrated some customization
     • Electricity outage in three service territories, restored in hours
     • A complex and successful attack plan

  27. SCADA/DMS & Process Elements: Incident Mapping
     (Table of element groups and the effects an attacker can cause against each; elements used in the Ukraine hijack incidents are highlighted on the slide.)
     Human operators, HMI and alarms
       Elements: HMI, Inputs, Alarms, Human Operators, Data
       Effects: Loss of View (LoV); False Alarms/Suppress Alarms; Spoofed Status, Levels, and Conditions; Denial of Control (DoC)
     ICS Network Infrastructure
       Elements: Servers, Workstations, OS, Applications
       Effects: Modify Files; Corrupt/Destroy Data; Exhaust Resources/DoS; Hang
     ICS Applications
       Elements: HMI (Client), SCADA Servers, ENG WS, Historians/DBs, Gateways/FEPs
       Effects: Change Settings & Schedule Tasks; Spoof Data, Issue Commands (MoC); Delete Data; DoS (DoC)
     Process & Safety
       Elements: Controllers, Comms/IO, Instruments, Actuators
       Effects: Change Settings, Write to Memory; Data Destruction; Spoof Data (MoC or MoV); Change Logic (MoC); DoS/Corrupt Software (DoC)

  28. Guidance & Mitigation Concepts: Published Advisories and SCADA/DMS Mitigations

  29. ICS-CERT Alert: https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01ADD

  30. E-ISAC Alert: Level 2 NERC Alert (R 2016 02 09 01), released February 9, 2016: https://www.esisac.com/api/documents/4199/publicdownload

  31. Attack Elements
     (Diagram labels: Spearphish; Tools & Tech; Credential Theft; Control & Operate; VPN Access; Workstation Remote. Caption: Ukraine Event - significant events based on publicly available reporting.)

  32. Opportunities to Disrupt
     (Timeline diagram running from roughly 12 months, 9 months and 6 months before the event, through the event itself, to the hours and minutes after it. Phases and their bullets, as recoverable from the slide:)
     Spear phishing
     • Delivery of phishing email
     • Malware launch from infected office documents
     • Establish foothold
     IT Preparation
     • Target selection and target mapping
     • Lateral Movement and Discovery
     • Credential Theft and VPN access
     • Control system network and host mapping
     Hunting and Gathering
     • Unobservable malware development and testing
     ICS Preparation
     • Unobservable malicious firmware development
     • Unobservable DMS environment research and familiarization
     • Unobservable attack testing and prep
     Pre Attack Work
     • Upload additional attack modules - KillDisk
     • Schedule KillDisk wipe
     • Schedule UPS load outage
     Attack Position
     • Establish remote connections to operator HMIs at target locations
     • Prepare TDoS dialers
     Sequence Launch
     • Issue breaker open commands
     • Modify field device firmware
     • Perform TDoS
     • Scheduled UPS and KillDisk
     Target Response
     • Connection sever to inhibit
     • Manual mode / control
     • Cyber asset restoration
     • Electric system restoration
     • Constrained operations
     • Forensics
     • Information sharing
     • System hardening and tuning
