Grid Security Is Top of Mind in 2016 – NERC CIP and the Ukrainian Grid Attack

The discussions around electric grid cybersecurity in 2016 have already started off with a lot of buzz with two important industry developments in play.

The first is around the NERC CIP regulation. With just a few months left until the NERC CIP version 5 enforcement deadline of April 1, 2016, many utilities subject to the regulation are scrambling to put their remaining provisions in place to ensure that they meet their compliance obligations. We’ll know soon enough how industry fares. However, if that weren’t enough on the regulatory side, on January 21, FERC released Order 822, which basically explains how they approved version 6 of the NERC CIP standards. It’s a bit too much to get into the details of Version 6/Order 822 here; but, basically, new compliance considerations have emerged around supply chain security, transient electronic devices, inter-control center communications, remote access, and low-impact external routable connectivity (LERC). Phew! It’s clear utilities will be very busy in 2016 on the compliance side.

The second important development is the December 15, 2015 attack on the Ukrainian electric grid, which has jolted the industry with the frightening validation that the grid can be shut down by a cyberattack. This is an industry first and, unfortunately, not likely to be the last. The attack is the first publicly disclosed cyberattack leading to a loss of electric utility services. The breadth of the impact was significant, with a reported 80,000 people in the Ivano-Frankivsk region of Ukraine losing electricity services. Ironically, the compromise seems to have been to the distribution portion of the electric grid. The distribution network is, of course, not in scope for the NERC CIP standards.

While multiple reports and analysis have been published on the Ukrainian attack, there is still no confirmation on the exact attack methods and timelines. What we do know is that the adversary used a multi-front attack to complete their objective of creating a power outage. Multiple cyber artifacts were found; and, of all the ones reported, the BlackEnergy malware, because of its long history (originally discovered in 2007) and association with recent attacks to the energy sector (no reported outages, but compromise to HMI systems in its recent 2015 manifestation) has gotten most of the attention.

Although it is still uncertain if BlackEnergy was actually part of the reported attack, we can say several things regarding our platform’s capabilities to help defend against BlackEnergy:

• There are currently 30 samples in WildFire related to this attack, and all are correctly marked malware:
  • The majority of these samples were already in WildFire prior to the release of IOCs related to this attack.
  • This includes the XLS file carrying the BlackEnergy Lite payload that is suspected to be part of the attack.
• Our AutoFocus service includes two sets of tags for BlackEnergy:
  • One from the IOC set released by ESET
  • The other previously built by Unit 42

In other words, if a new variant of BlackEnergy got onto your network, WildFire would be able to identify the payload as malicious and generate protections to prevent the file from propagating (via AV signatures) and communicating outbound (via anti-C2 signatures). AutoFocus, via the tags that group indicators of compromised files associated with BlackEnergy, would then help with the autocorrelation of the malware to BlackEnergy, allowing incident response teams to focus on the most important risk. This is in contrast to focusing on the run-of-the-mill malware which, while troublesome, is not as critical to analyze and remediate as malware tied to a very sector-specific campaign that significantly impacted a similar organization.

The information regarding the Ukrainian attack is still quite dynamic; and, in fact, recent reports seem to suggest that more recent, similar attacks to the grid and critical infrastructure didn’t even use BlackEnergy. Given the situation, we are continuously monitoring the threat intelligence developments and doing our own our analysis. We will provide updates on our findings as appropriate.

Learn more about AutoFocus and read about another ICS-specific attack involving the Dark Seoul campaign.