In June 2017, researchers disclosed a new family of sophisticated malware that is designed to target and disrupt industrial control systems (ICS) in power grids, specifically electric utility substations. CRASHOVERRIDE (aka Win32/Industroyer) offers modules that use standard industrial protocol communications and can directly control switches and circuit breakers within Remote Terminal Units (RTUs) in substations.
The impact could range from a loss of power to forced “islanding” of substations. The latter occurs when automatic protection mechanisms, purposely designed to safeguard grid operations, trip in response to the conditions CRASHOVERRIDE creates.
Satellite imagery of the Northeastern United States taken before and during the 2003 blackout. (Left image source: NOAA/DMSP, taken from Oct. 1, 1994 to March 31, 1995. Right image source: NASA, taken on Aug. 14, 2003)
This isn’t cataclysmic – outages could vary widely, lasting from hours to potentially a week. And, at least in the U.S., our power grid uses DNP3 (not included in CRASHOVERRIDE modules yet) and is reliably maintained by grid operations professionals who handle outages all the time. (Thank you all, by the way…)
However, if operators lose visibility and control because HMIs cannot remotely operate the circuit breakers, restoring power could be delayed. Crews would have to travel to the affected systems and possibly sever communication links during recovery. This is why the CRASHOVERRIDE platform’s design and extensibility are highly concerning to ICS security professionals.
CRASHOVERRIDE aka Win32/Industroyer
The Slovak anti-virus firm ESET first discovered the malware and documented its capabilities in its report “Win32/Industroyer: A New Threat for Industrial Control Systems.”
ESET believes Industroyer was used in the December 2016 Kiev power grid outage, possibly as a proof-of-concept. U.S. security firm Dragos validated ESET’s findings in June and gave the malware their own name and report - “CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations,” due to many internal references using the CRASHOVERRIDE label within the malware itself. US-CERT’s Alert (TA17-163A) also labels the attack CRASHOVERRIDE Malware.
We’ll simply refer to it as “CRASHOVERRIDE” in this blog. The two names can be confusing, but they refer to the same thing. Both research reports are worth the read!
What is CRASHOVERRIDE and Why is it Different?
As described in US CERT Alert (TA17-163A), CRASHOVERRIDE is a new, highly capable attack framework with modules that can be altered and extended for use in targeting many different critical infrastructure sectors – not just power grids.
CRASHOVERRIDE is only the second-ever known case of malicious code purpose-built to disrupt physical systems, the first being Stuxnet. Dragos’ report also describes it as the first-ever malware “framework” or “platform” designed and deployed specifically to attack and disrupt physical industrial processes within electric grids. This malware also shows that adversaries have gained detailed knowledge of grid operations and industrial communication protocols which can be extended to other industries and protocols.
What does all this mean to you, the security-minded ICS professional? CRASHOVERRIDE has no “easy button,” simple patches or workarounds, but there are key indicators, impacts and guidance for those who read on. Here is what you need to know regardless of your industrial organization or critical infrastructure sector.
How Does CRASHOVERRIDE Work?
As of this date, ESET, Dragos and US-CERT do not define a specific attack vector for the initial infection of CRASHOVERRIDE. This means they can’t give us any definitive information on exactly how or by what methods the adversary achieves initial access and delivers the malware payload.
Phishing and spear-phishing emails were the delivery method in 91 percent of global malware infections, according to PhishMe’s 2016 report, and US-CERT advises investigating potential honeypots as another possible means of malware transfer. These are two areas where building your knowledge and running employee security awareness training and education make a good preventive starting point.
As you can see in Dragos’ simplified illustration below, CRASHOVERRIDE offers various modules, including four industrial control system communication protocol modules:
- IEC 60870-5-101 (aka IEC 101)
- IEC 60870-5-104 (aka IEC 104)
- IEC 61850
- OLE for Process Control Data Access (OPC DA)
In addition, there are modules for:
- Denial-of-service (DoS)
- Backdoor/remote access
- Command and Control (C&C or C2) for periodic connection to the command server for updates
- Port scanning
- A wiper to hide its tracks, destroy files and even overwrite the boot sector so that the system cannot reboot itself
It’s a pretty complete package.
Simplified schematic of Win32/Industroyer / CRASHOVERRIDE modules from Dragos’ report (inclusive of ESET’s research).
CRASHOVERRIDE’s modules have been designed to be extensible, and all analysis agrees that they could be modified to add other industrial protocol modules, such as DNP3, the most commonly used industrial protocol within North American power grids. DNP3 is also used in water/wastewater and in certain oil and gas applications, especially when communicating with field locations such as substations, pump stations and pipelines. As of now, however, there are no known DNP3 modules in use.
Due to the overall complexity, we recommend you download the initial research analysis done by ESET, Dragos and the US-CERT – all linked below:
- ESET’s research report – Win32/CRASHOVERRIDE A New Threat for Industrial Control Systems
- Dragos’ research report – CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations
- US-CERT Alert (TA17-163A) – CrashOverride Malware
The Impacts of CRASHOVERRIDE on Electric Grid Operations
The CRASHOVERRIDE malware uses international communication protocols and as such has an immediate impact on electric grid operations in Europe, Asia and Central and South America. By extension, we should be on the lookout in the U.S. as noted in US-CERT Alert (TA17-163A).
These impacts include:
- De-energizing substations
- Denial of service over serial COM ports
- Visibility into the entire ICS environment
- Leveraging vendor-specific vulnerabilities
- Wiper module rendering infected systems useless
How to Defend Against CRASHOVERRIDE: 6 Proactive Steps to Take
Detecting and defending against CRASHOVERRIDE is not a simple task, particularly when researchers have not seen a clear initial infection method. Nor does it reduce to a single vulnerability, a patch, or a simple stage-by-stage description of how it happens and exactly what to do.
If possible, all three referenced research documents on CRASHOVERRIDE should be read and considered for your environment. Share them with the IT department and consider how to work together to provide a holistic organizational preventive plan to maintain resilience and availability for plant operations in the face of such an advanced platform of malware.
Here are a few suggestions to get you started:
1. Know What Protocols Are in Use – Though your industry may not be in the energy sector and may not use industrial communication protocols targeted by CRASHOVERRIDE (IEC 101, IEC 104, IEC 61850, OPC), you should at a minimum know in advance what communication protocols are in use within your network, endpoints and control systems.
Simplistic network topology mockup of electric grid operations systems and relevant protocol communications that can be leveraged by CRASHOVERRIDE from Dragos’ research report.
2. Prepare Your Defenses – Malware defenses and other preparations are recommended, such as those suggested in the National Cybersecurity and Communications Integration Center’s (NCCIC’s) Malware Trends analysis, Destructive Malware report and Seven Steps to Effectively Defend Industrial Control Systems. These are “must read” documents written by ICS professionals for ICS security professionals. They will most certainly recommend training employees on phishing, spear-phishing, honeypots and other techniques used to transfer malware.
3. Look for Indicators of Compromise (IOCs) – The NCCIC/ICS-CERT advises that though this is still being investigated, there are downloadable IOCs available for reference in Alert (TA17-163A), ESET’s report, Dragos’ report and also provided below from the Alert content. To search for these indicators you will no doubt need to get assistance (possibly from IT or other ICS cyber security experts) to assure no disruption occurs within your operations while investigating.
Note: Belden’s Tofino Xenon can be deployed quickly in-line to create secure zones of protection for critical ICS at the industrial protocol and communications level. It requires no IP address and can passively watch traffic and deeply inspect frames on ingress to and egress from the ICS behind it as well as control user access to the ICS. This device can inspect IEC 10.
C2 connections to the attacker servers represent the most obvious IOC. There are known addresses hard-coded within the malware and you can check to see if connections are being made from within your organization to these Command and Control server IP addresses from the ESET report. There are also indicators of compromise related to the scanning modules, DLLs (by name) that are present and other IOCs. You may want to ask for IT’s help here also and coach them
Note: The search for IOCs is also something Tripwire’s security monitoring technology has the capability to do by creating special rulesets for this purpose.
ESET report on IP addresses used by attacker C2 servers.
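Steps 1 and 3 above both come down to reading what your firewall or flow logs already record. The following script is an added example, not code from the Belden post or from the ESET, Dragos or US-CERT reports: it inventories which ICS protocols are in use by well-known TCP port (an assumed heuristic, and IEC 101 is serial so it never appears in IP logs) and flags any flow from an internal address to a C2 indicator. The log lines and the indicator addresses are constructed placeholders; the real C2 addresses come from the ESET report.

```python
"""Added example: ICS protocol inventory and C2 IOC matching over firewall
logs. All addresses and log lines below are constructed, not real IOCs."""
import ipaddress
import re

# Assumed well-known TCP ports for the protocols the post lists, plus DNP3.
# IEC 60870-5-101 runs over serial links, so it cannot be seen in IP flow logs.
ICS_PORTS = {
    2404: "IEC 60870-5-104",
    102: "IEC 61850 (MMS over ISO-TSAP)",
    135: "OPC DA (DCOM endpoint mapper)",
    20000: "DNP3",
}

# Placeholder indicator list (TEST-NET addresses); substitute the C2 addresses
# published in the ESET / Dragos / US-CERT reports.
C2_IOCS = {"203.0.113.45", "198.51.100.7"}

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\w+ dport=(?P<dport>\d+)")

# Constructed sample firewall log: two IEC 104/61850 flows, one OPC DA flow,
# one outbound HTTPS connection to an indicator address, and one DNS lookup.
SAMPLE_LOGS = """\
2017-06-20T10:01:03Z fw1 src=10.10.5.12 dst=10.10.7.3 proto=tcp dport=2404
2017-06-20T10:01:09Z fw1 src=10.10.5.12 dst=10.10.7.9 proto=tcp dport=102
2017-06-20T10:02:41Z fw1 src=10.10.5.30 dst=203.0.113.45 proto=tcp dport=443
2017-06-20T10:03:00Z fw1 src=10.10.5.31 dst=10.10.7.3 proto=tcp dport=135
2017-06-20T10:03:15Z fw1 src=10.10.5.30 dst=8.8.8.8 proto=udp dport=53
"""


def parse(line):
    """Extract src, dst and dport from one log line; None if it does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def inventory_protocols(log_text):
    """Map each ICS protocol seen to the set of (src, dst) pairs that use it."""
    seen = {}
    for rec in filter(None, map(parse, log_text.splitlines())):
        name = ICS_PORTS.get(int(rec["dport"]))
        if name:
            seen.setdefault(name, set()).add((rec["src"], rec["dst"]))
    return seen


def find_c2_hits(log_text, iocs=C2_IOCS):
    """Return (src, dst, dport) for flows from a private (RFC 1918) source to
    an indicator address, i.e. connections made from within the organization."""
    return [(r["src"], r["dst"], int(r["dport"]))
            for r in filter(None, map(parse, log_text.splitlines()))
            if r["dst"] in iocs and ipaddress.ip_address(r["src"]).is_private]
```

Run it against an export of your own firewall or flow logs once the indicator set and port table have been replaced with the published values and the ports your vendors actually use.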
4. Validate That Appropriate Logging is in Place – This is essential to assist in finding suspicious activity while it’s happening as well as for forensics should you need it. More advanced capabilities of a Security Incident and Event Management (SIEM) system may be especially helpful to gather a correlated view of system events in your industrial network. These systems are typically passive and non-invasive to operations.
Note: Belden’s Tripwire Log Center has SIEM capabilities, is passive and can be quickly deployed to gather syslog information and correlate events of interest.
5. Test Backups and Restore Processes – Does your organization have backups and do they work upon restore? This should be tested because in many malware cases a backup is critical to bringing damaged systems back online. This is just a good basic practice.
6. Consider Proactively Getting Outside Help – You may require expert resources, either from within your organization’s own IT department or through an outside consultancy. NCCIC/ICS-CERT is another resource that can be contacted at NCCICCustomerService@hq.dhs.gov or 1-888-282-0870.
This is not a crisis, but it is highly concerning and does bear investigation and preparation. Most electric grids have been built for reliability, and current analysis is that no U.S. sites have been publicly impacted. Early indications are that if disruptions occur to grid operations, the outages could range from hours to a few days if multiple sites are affected and require crews to physically go to where the outages occur.
"Everything past single substation events and small islanding events…is purely speculation," is a notable quote from Dragos’ report. However, as they say, hindsight is 20/20, and it will pay dividends to be better prepared for the growing sophistication of our adversaries.