The Industrial Internet of Things FEATURE NEWS

Top 5 Actions to Prepare for the Next CrashOverride-Style Attack

By Special Guest
Paul Myer, CEO, Veracity Industrial Networks
August 28, 2017

Imagine a major capital city with a population between that of Paris and Rome losing a large part of its electrical power a few days before the end of year festivities, all because of malware infection. This case is real. On December 17-18, 2016, Kiev, capital of Ukraine, suffered severe power outage. The indications are that the power cuts were caused by the CrashOverride virus (also known as Industroyer). However, Kiev may be only one of any number of targets. CrashOverride has been built to be easily adaptable to other power supply infrastructures in the world. It’s time to take defensive action.

Know Your Enemy
CrashOverride leverages industrial communication protocols used around the world to control electricity substation switches and circuit breakers. These protocols have little or no cybersecurity built in. CrashOverride therefore simply uses these protocols as they have been designed to be used. Its commands look like authentic messages, because that’s effectively what they are. This makes detection correspondingly more difficult. Designed as a toolset, the virus can potentially be adapted to disrupt water, gas, and other distribution networks, not just electricity.

CrashOverride, Step by Step
The virus operates in several phases. It starts with infection, using backdoors to contact a remote command and control server. Next comes discovery of the infected network and control system. After this, the malware attacks, directly controlling switches and circuit breakers. It also makes machines unusable and wipes system data to cover its tracks.

Top 5 Actions to Resist CrashOverride

  1. Establish baselines for the use of industrial protocols used in your installations. For the power sector specifically, these protocols include IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OLE for Process Control Data Access (OPC DA). These are the protocols targeted so far. However, other protocols should be monitored, for instance DNP3, given the possibilities for attackers to extend and customize CrashOverride. Then compare protocol usage levels with baselines to detect possible attacker activity.
  2. Segment your network to restrict access from the outside, including the Internet, especially for control system networks. Configure firewall rules to filter or block traffic to different segments. Use an intrusion detection system (IDS) to monitor traffic, using available rules and signatures to detect CrashOverride. For any necessary remote access, increase security for such access, for instance by using robust VPN access.
  3. Make backups of network, system, and engineering files. These can include network and ICS (industrial control system) project plans, configuration files, and application installers. Respect the 3-2-1 backup rule, meaning make at least three copies of each piece of data to be backed up, using two different formats (different storage media), and storing one of those copies offsite. Test your backups too. Make sure that you can recover fully operational systems (with all necessary configurations and interconnections) from those backups. These precautions will help guard against the data wiping functionality in CrashOverride.
  4. Prepare incident response plans for CrashOverride. Ensure that all stakeholders are involved in the design and testing of the plans: for instance, operations, security, IT, and engineering. Run table top exercises with these stakeholders to clarify roles and responsibilities, and to iron out any hiccups in containment, remediation, and recovery procedures.
  5. Deploy network technology that allows you to control your network segments and network switches from a central location. Software-defined networking (SDN) can let you do this, offering reliable, high performance, affordable management and security. While this deployment may be a longer-term project, bringing in SDN compatible network components over time, it can fundamentally strengthen your industrial network security posture, protecting against CrashOverride and other threats.

CrashOverride represents a new kind of threat to industrial networks and control systems. Besides being considered by experts as the first malware built and used to attack electric grids, its framework design and possibility to carry payloads makes it doubly dangerous. The steps above, from the short term tactical for immediate defense to the longer term strategic for lasting protection, will help enterprises and organizations reinforce their security and reduce the risks associated with the specific threats such as CrashOverride and with cyberattacks in general.

Get stories like this delivered straight to your inbox. [Free eNews Subscription]

Related Articles

Rugged IIoT Environments, Handled: Soracom's Industrial-Grade SIM Card

By: Alex Passett    3/28/2023

Global provider of advanced IoT connectivity Soracom announced an industrial-grade SIM card for its portfolio of eSIM and IoT SIM solutions.

Read More

It's Time to Meet Digit: Agility Robotics Debuts a Human-Centric, Multi-Purpose Safety Robot

By: Alex Passett    3/27/2023

Digit is Agility Robotics' safe robot partner that multiplies productivities for human workforces.

Read More

TDK Announces Qeexo AutoML Platform Integration for Arm Keil MDK

By: Alex Passett    3/24/2023

TDK's new company Qeexo has launched its AutoML for Arm Keil MDK. This enables end-to-end embedded ML and development workflows.

Read More

The Next Wave of Computing: NVIDIA and Microsoft Collaborate on Powerful Enterprise Resources

By: Alex Passett    3/22/2023

Microsoft Azure will host NVIDIA Omniverse Cloud and NVIDIA DGX Cloud for supercharged enterprise solutions.

Read More

The Importance of Speed: An IoT Evolution Expo 2023 Discussion

By: Bill Yates    3/8/2023

Speed is crucial for distributed network success. At IoT Evolution Expo 2023 in Fort Lauderdale, FL, representatives from Internet of Things (IoT) sol…

Read More