
The Industrial Internet of Things FEATURE NEWS

Top 5 Actions to Prepare for the Next CrashOverride-Style Attack

By Special Guest
Paul Myer, CEO, Veracity Industrial Networks
August 28, 2017

Imagine a major capital city with a population between that of Paris and Rome losing part of its electrical power a few days before the end of year festivities, all because of a malware infection. This case is real. On the night of December 17-18, 2016, Kiev, the capital of Ukraine, suffered a power outage that lasted roughly an hour. The indications are that the outage was caused by the CrashOverride malware (also known as Industroyer). However, Kiev may be only one of any number of targets. CrashOverride has been built to be easily adaptable to other power supply infrastructures around the world. It is time to take defensive action.

Know Your Enemy
CrashOverride leverages industrial communication protocols used around the world to control electricity substation switches and circuit breakers. These protocols have little or no authentication or integrity protection built in, so CrashOverride simply uses them as they were designed to be used. Its commands look like authentic messages, because that is effectively what they are: a well-formed open or close command from the malware is indistinguishable, at the protocol level, from the same command issued by an operator. Signature-based detection of the commands themselves is therefore of limited value; what can be detected is a command coming from the wrong host, at the wrong time, or in unusual volume. Designed as a toolset, the malware can potentially be adapted to disrupt water, gas, and other distribution networks, not just electricity.

CrashOverride, Step by Step
The malware operates in several phases. It starts with installation of a backdoor that contacts a remote command and control server. Next comes discovery of the infected network and of the control system it reaches. After this, the malware attacks, using protocol-specific payload modules to directly control switches and circuit breakers. A wiper component then makes machines unusable and destroys system and configuration data to hamper recovery and cover its tracks.

Top 5 Actions to Resist CrashOverride

  1. Establish baselines for the use of industrial protocols in your installations: which hosts talk to which devices, over which protocol, and at what volume. For the power sector specifically, the protocols to baseline include IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OLE for Process Control Data Access (OPC DA). These are the protocols targeted so far. However, other protocols should be monitored too, for instance DNP3, given the possibilities for attackers to extend and customize CrashOverride. Then compare current protocol usage with the baseline to detect possible attacker activity: a new source issuing control commands, a known source issuing far more than usual, or a device that falls silent.
  2. Segment your network to restrict access from the outside, including the Internet, especially for control system networks. Configure firewall rules to filter or block traffic between segments, allowing only the specific hosts and protocols each segment needs. Use an intrusion detection system (IDS) to monitor traffic, using available rules and signatures to detect CrashOverride. For any necessary remote access, increase the security of that access, for instance by using a VPN with multi-factor authentication and restricting it to named users and destinations.
  3. Make backups of network, system, and engineering files. These can include network and ICS (industrial control system) project plans, configuration files, and application installers. Respect the 3-2-1 backup rule, meaning keep at least three copies of each piece of data to be backed up, on two different types of storage media, with one of those copies offsite. Keep at least one copy offline or otherwise unreachable from the production network, since a wiper that can reach a network-mounted backup share will destroy it along with everything else. Test your backups too. Make sure that you can recover fully operational systems (with all necessary configurations and interconnections) from those backups. These precautions will help guard against the data wiping functionality in CrashOverride.
  4. Prepare incident response plans for CrashOverride. Ensure that all stakeholders are involved in the design and testing of the plans: for instance, operations, security, IT, and engineering. Run tabletop exercises with these stakeholders to clarify roles and responsibilities, and to iron out any hiccups in containment, remediation, and recovery procedures, including how to operate the substation manually while systems are being rebuilt.
  5. Deploy network technology that allows you to control your network segments and network switches from a central location. Software-defined networking (SDN) can let you do this, defining explicitly which flows are permitted between which endpoints and dropping everything else. While this deployment may be a longer-term project, bringing in SDN compatible network components over time, it can fundamentally strengthen your industrial network security posture, protecting against CrashOverride and other threats.
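The baseline comparison in step 1, worked through in code as an added example that is not from the article or from Veracity's products. It assumes a per-day flow log with one line per (source, destination, TCP port) pair, which a firewall, NetFlow collector or IDS can export; the log lines and the hosts in them are constructed for illustration. The learning window builds a mean packets-per-day baseline for each pair on an ICS port, and a new day is then checked for three conditions: a pair that never appeared during learning, a pair sending several times its usual volume, and a known pair that has gone silent.

```python
"""Baseline-and-compare detection for industrial protocol usage.

Added example (not the article's own code). Flow log format, one record per line:
    day  src_ip  dst_ip  dst_tcp_port  packets
Lines starting with '#' or trailing '# ...' are comments.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP ports for the protocols the article names. IEC 60870-5-101 is a serial
# protocol and so does not appear in a TCP flow log. DNP3 is included as the
# article suggests monitoring it as well.
ICS_PORTS = {
    2404: "IEC 60870-5-104",
    102: "IEC 61850 MMS (ISO-TSAP)",
    135: "OPC DA (DCOM endpoint mapper)",
    20000: "DNP3",
}

FlowKey = Tuple[str, str, int]  # (src, dst, dport)


@dataclass(frozen=True)
class Flow:
    day: int
    src: str
    dst: str
    dport: int
    packets: int


@dataclass(frozen=True)
class Alert:
    kind: str   # NEW_TALKER, VOLUME_SPIKE or SILENT
    src: str
    dst: str
    dport: int
    detail: str


def parse_flow_log(text: str) -> List[Flow]:
    """Parse the whitespace-separated log format described in the module docstring."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        day, src, dst, dport, packets = line.split()
        flows.append(Flow(int(day), src, dst, int(dport), int(packets)))
    return flows


def build_baseline(flows: List[Flow]) -> Dict[FlowKey, float]:
    """Mean packets per learning day for every (src, dst, dport) pair on an ICS port.

    Days on which a pair did not talk count as zero, so the mean is over all
    learning days, not only the days the pair was seen."""
    days = {f.day for f in flows}
    totals: Dict[FlowKey, int] = defaultdict(int)
    for f in flows:
        if f.dport in ICS_PORTS:
            totals[(f.src, f.dst, f.dport)] += f.packets
    return {key: total / len(days) for key, total in totals.items()}


def detect(baseline: Dict[FlowKey, float], todays_flows: List[Flow],
           spike_factor: float = 3.0) -> List[Alert]:
    """Compare one day's ICS flows against the baseline and return alerts."""
    today: Dict[FlowKey, int] = defaultdict(int)
    for f in todays_flows:
        if f.dport in ICS_PORTS:
            today[(f.src, f.dst, f.dport)] += f.packets

    alerts: List[Alert] = []
    for (src, dst, dport), packets in today.items():
        proto = ICS_PORTS[dport]
        if (src, dst, dport) not in baseline:
            alerts.append(Alert("NEW_TALKER", src, dst, dport,
                                f"{proto}: pair never seen during learning"))
        elif packets > spike_factor * baseline[(src, dst, dport)]:
            alerts.append(Alert("VOLUME_SPIKE", src, dst, dport,
                                f"{proto}: {packets} pkts vs baseline "
                                f"{baseline[(src, dst, dport)]:.0f}"))
    # A known pair that stops talking is worth a look too: it may be a wiped
    # host or a device taken off the network rather than quiet normal operation.
    for (src, dst, dport), mean in baseline.items():
        if (src, dst, dport) not in today:
            alerts.append(Alert("SILENT", src, dst, dport,
                                f"{ICS_PORTS[dport]}: expected ~{mean:.0f} pkts, saw none"))
    return alerts


# Constructed two-day learning window: two IEC 104 masters-to-RTU pairs, one
# IEC 61850 MMS client, one DNP3 master, and some unrelated HTTPS traffic.
LEARNING_LOG = """
# day src        dst        dport packets
1 10.0.1.10 10.0.2.20 2404  1200
1 10.0.1.10 10.0.2.21 2404  1150
1 10.0.1.11 10.0.2.30 102    800
1 10.0.1.12 10.0.2.40 20000  500
2 10.0.1.10 10.0.2.20 2404  1300
2 10.0.1.10 10.0.2.21 2404  1100
2 10.0.1.11 10.0.2.30 102    780
2 10.0.1.12 10.0.2.40 20000  520
2 10.0.1.10 10.0.2.50 443     50   # not an ICS port, ignored by the baseline
"""

# Constructed day to check: one master sends far more IEC 104 than usual, an
# unknown host 10.0.1.99 starts talking IEC 104 and MMS, and the DNP3 pair is gone.
DAY3_LOG = """
3 10.0.1.10 10.0.2.20 2404  1280
3 10.0.1.10 10.0.2.21 2404  4000
3 10.0.1.99 10.0.2.20 2404   300
3 10.0.1.11 10.0.2.30 102    810
3 10.0.1.99 10.0.2.31 102     40
3 10.0.1.10 10.0.2.50 443     60
"""


def run_example() -> List[Alert]:
    baseline = build_baseline(parse_flow_log(LEARNING_LOG))
    return detect(baseline, parse_flow_log(DAY3_LOG))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.kind:13} {a.src} -> {a.dst}:{a.dport}  {a.detail}")
```

On the constructed data this produces four alerts: a volume spike on one IEC 104 pair, two new-talker alerts for the unknown host, and a silent alert for the DNP3 master. The spike factor and the learning window length are the two knobs to tune against false positives; a substation network is regular enough that a week or two of learning usually suffices, and any new talker on a control protocol port deserves a ticket regardless of volume.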

CrashOverride represents a new kind of threat to industrial networks and control systems. Besides being considered by experts the first malware built and used specifically to attack electric grids, its framework design and its ability to carry additional payload modules make it doubly dangerous. The steps above, from the short-term tactical measures for immediate defense to the longer-term strategic ones for lasting protection, will help enterprises and organizations reinforce their security and reduce the risks associated both with specific threats such as CrashOverride and with cyberattacks in general.


 

