ICS Security: Russian hacking Cyber Weapon Targets Power Grids

A newly developed Russian hacking cyber weapon has the potential to disrupt power grids and cause major blackouts around the world.

This advanced tool has already successfully mounted a targeted attack in Ukraine, causing hundreds of thousands of people to lose power. Given Russia’s consistent attempts at hacking the United States in a variety of ways, it is possible that we could be the next victims. However, by using privileged access management (PAM), industrial control systems (ICS) have the ability to defend against these types of attacks.

Russian Hacking Cyber Weapon

As reported by the Washington Post, Russia’s latest cyber weapon is an advanced form of malware called CrashOverride that has been developed by government hackers. Although the malware currently targets electric power grid transmission and distribution systems, it could easily be modified to infiltrate other ICSs like gas and water. Manipulation of the core systems of any ICS could have devastating impacts on day-to-day utility operations.

Russia’s latest cyber weapon could cause major electricity outages around the world.

The CrashOverride malware was developed by hacking group Electrum or Sandworm (it is unclear if these are the same group, but there is some evidence that shows they are at least related). It appears the same computer systems that were used to develop this software were previously used in a successful attack against Ukraine in December of 2015. This attack shut down one fifth of the electric power generated in Kiev, leaving over 225,000 residents without power.

This ICS malware has already mounted a successful attack against a Ukrainian power grid, which left 225,000 people without power.

Advanced Components

CrashOverride includes multiple components that allow hackers to quickly and easily modify the malware for a variety of ICSs. This means that rather than being designed to specifically target one electrical system in one location, it can be used to target multiple systems around the world. It does this by leveraging information about power grid operations and network communications in order to cause the biggest impact to each specific ICS. Some of the components that make the effects of this malware so devastating are the abilities to:

  • Manipulate Electric Power Control Systems Settings: CrashOverride scans for critical components that keep the power grid functioning. Once the malware has found them, it can manipulate settings and force certain functions even if an in-person operator tries to intervene.
  • Wipe System Software: The malware is able to infiltrate the computer systems that control the circuit breakers and erase the software that keeps these systems running. This forces ICSs into manual operations, which includes having to send operators out to each substation.
  • Schedule Time-Bomb Attacks: CrashOverride has the ability to schedule simultaneous attacks across multiple power grids all at once. Luckily, the US electric industry is trained to handle outages in multiple locations due to severe weather, but future variations of this kind of malware could make that more difficult.

Future malware variations could result in doomsday-like ICS attacks.

According to industry experts, this type of malware would not have too much of an impact on current electric power grid operations. They predict that if a Russian hacking operation like this occurred, outages would last for a few hours and at most a few days. There is no need to fear for a doomsday type of attack – yet.

However, even brief electrical outages can be extremely disruptive and expensive. Mortality rates increase, and consumer costs are estimated at between $2 and $20 per kilowatt-hour lost. Utilities can be heavily fined, lose financing for upcoming projects, or find future rate increases at risk.

The Future

Although experts aren’t too worried about the current impacts of this malware, it is important to remember that cybercrime tools are continuously evolving. Russian hackers are likely to develop more advanced malware like this, which could have huge impacts on ICS security. That is why it is best to take action now before advanced malware emerges and causes damage.

Privileged Access Management and ICS Security

The introduction of this type of malware outlines why it is so important for energy and other utility infrastructure companies to have advanced security measures in place. Although it is not completely clear how this malware is spread, it is important to remember that most cyberattacks involve the misappropriation of privileged credentials in some fashion. In fact, a whopping 80% of all IT breaches involved the misuse of privileged credentials according to the Privileged Identity Management Wave, Q3 report from Forrester.

80% of all IT breaches involve the misuse of privileged credentials.

Controlling and documenting the actions of privileged accounts through a robust privileged access management (PAM) solution is central to ensuring security, achieving compliance, and protecting public safety.

Privileged Accounts and PAM

PAM gives ICS complete control over privileged accounts, which typically have advanced administrative capabilities that allow them to:

  • Change system configurations
  • Install software
  • Create and modify users
  • Access or modify data
  • Modify administrative privileges of all users

If credentials to these accounts get into the wrong hands or are misused by malicious insiders, there can be devastating consequences for ICSs. PAM helps ensure that your organization is protected from both internal and external threats, by controlling and documenting all actions taken within an organization.

PAM Components

A robust PAM solution typically includes the following components to deter and prevent breaches:

  • Session Manager: The session manager creates an unalterable audit trail that tracks all actions taken during a privileged account session. This is particularly useful in helping ICSs meet rigorous compliance standards and secure remote access.
  • Access Manager: The access manager provides organizations with an easy way to have complete control over privileged accounts by providing users with a single point of access to all sensitive information and systems. A super admin has the ability to view, add, modify, or delete privileged user accounts from the centralized system.
  • Password Vault: Keep all passwords secured in one location using the password vault. With all system access occurring via the password vault, users never have access to root system passwords, which further protects your organization from potential breaches.

PAM allows ICS to monitor, manage, and audit all privileged account activities.

The bottom line is that no one should be given direct privileged access to critical industrial systems or infrastructure. The responsible action is to route all access through PAM, which allows that access to be monitored, managed, and audited.

ICS Security with WALLIX

Utilities and energy companies have a tremendous responsibility to their stockholders, customers, and to public safety. This responsibility is matched by the challenge of high regulatory hurdles and aggressive attackers. In order to meet the challenges associated with ICS security, companies must invest in managing privileged accounts.

WALLIX is the ideal partner for many energy and utility companies thanks to a lightweight, adaptable architecture that combines ease of use and rapid deployment to address ICSs’ operational and cybersecurity challenges. WALLIX’s proven track record in both on-premises and Cloud environments shows that it can be rolled out quickly and applied broadly in globalized organizations.


Looking for more information? Download our business case on PAM and ICS security.