Cybersecurity for Energy Delivery Systems, Michael Assante & Tim Conway (PowerPoint PPT Presentation)

SLIDE 1

Cybersecurity for Energy Delivery Systems

Michael Assante & Tim Conway (Under contract to DOE through Idaho National Laboratory)

March 28th, 2016

SLIDE 2

Agenda

  1. Event deconstruction
  2. Mitigations
  3. Discussion

UNCLASSIFIED

SLIDE 3

Ukraine Event

December 23, 2015

SLIDE 4

Presentation Perspective

An interagency team composed of representatives from the NCCIC/ICS-CERT, U.S. Computer Emergency Readiness Team (US-CERT), Department of Energy, Federal Bureau of Investigation, and the North American Electric Reliability Corporation traveled to Ukraine to collaborate and gain more insight. Mike Assante and Tim Conway, as DOE INL subcontractors, were added to the team by DOE to bring their electricity sector and SANS experience to bear on this critical incident. This briefing is our post-trip report. The mitigation guidance for consideration is our own and is offered “as is”, as general concepts simply to inform thinking.

SLIDE 5

Geographic Orientation

SLIDE 6

Power System Orientation

SLIDE 7

Ukraine’s Generation Sites

Power System Regions

SLIDE 8

Power System Element: Distribution

Source: Modification of an image from the Energy Sector-Specific Plan 2010

SLIDE 9

Event Summary

  • Through interviews, the team concluded that a remote cyber attack caused power outages at three Ukrainian distribution entities (Oblenergos) impacting approximately 225,000 customers
  • While power has been restored, all the impacted Oblenergos continue to operate in a degraded state
  • The attack included elements to disrupt power flow and exaggerate the outage by damaging the SCADA/DMS and communication infrastructure used to support power dispatching

SLIDE 10

SLIDE 11

Attack Steps Summary

  • Infect, Foothold, C2
  • Harvest Credentials
  • Achieve Persistence & IT Control
  • Discover SCADA, Devices, Data
  • Develop Attack Concept of Operation (CONOP)
  • Position
  • Execute Attack
  • SCADA/DMS Dispatcher Client/WS Hijacking
  • Malicious firmware uploads
  • KillDisk Wiping of WS & Servers
  • UPS Disconnects & TDoS

SLIDE 12

Technical Components

  • Spear phishing to gain access to the business networks
  • Identification of BlackEnergy 3 at each Oblenergo
  • Adversary theft of credentials from the business networks
  • Use of VPNs to enter the ICS network
  • Use of existing remote access tools within the environment, or issuing commands directly from a remote station capable of issuing commands similar to an operator HMI
  • Serial-to-Ethernet communications devices impacted at a firmware level
  • Use of a modified KillDisk to erase
  • Utilizing UPS systems to impact connected load with a scheduled service outage
  • Telephone Denial of Service attack on the call center

SLIDE 13

SCADA Hijacking Techniques

Diagram labels: Phantom Mouse (remote admin tools at OS level) and Rogue Client (remote SCADA client software), both directed at the SCADA Server

The attackers developed two SCADA hijack approaches (one custom and one agnostic) and successfully used them across different types of SCADA/DMS implementations at three companies

SLIDE 14

Keeping Perspective

The Ukraine cyber attacks are the first publicly acknowledged intentional cyber attacks to result in power outages. As future attacks occur it is important to scope the impacts of the incident being examined. Power outages should be measured in scale (number of customers and electricity infrastructure involved) and in duration to full restoration. These incidents impacted up to 225,000 customers in three different distribution-level service territories lasting several hours. These incidents would be rated on a macro scale as low in terms of power system impacts, as the outage impacted a very small number of overall power consumers in Ukraine and the duration was limited. We are confident that the companies impacted would have rated these incidents as high or critical to their business and reliability of their systems.

SLIDE 15

What we should understand

  • Attacks were planned, coordinated, and required a high degree of orchestration
  • Aggressive development-to-operations cycle
  • Attacks required multiple operators
  • Simultaneous actions & mistakes
  • Multi-staged Kill Chain
  • Multiple attack elements
  • Custom attacks developed
  • Multi-staged attack
  • Attackers achieved objective
  • Targets used different SCAD

SLIDE 16

ICS Kill Chain Mapping (Stage 1)

SLIDE 17

Stage 1 TTPs

  • Spear phishing with MS Office attachments
  • BlackEnergy malware used for initial infection
      • Overlapping C2 servers
  • KillDisk downloaded and executed manually
      • KillDisk execution on selected workstations and servers
  • Use of company-employed remote access tools
      • Use of legitimate credentials for network access at time of attack (RDP, RADMIN, VPN)
  • Installation of backdoors

SLIDE 18

ICS Kill Chain Mapping (Stage 2)

SLIDE 19

Stage 2 TTPs

  • Lockout of legitimate dispatchers
  • Manual & command operation to trip breakers
  • Firmware corruption of Serial-to-Ethernet converters & substation devices
  • UPS system outage
  • KillDisk on RTU local HMI module
      • Windows OS

SLIDE 20

SLIDE 21

Attack Elements by Location

Locations shown: Distribution Control Center(s) (Central Office, Branch Offices); 110 kV Substation; 110 kV Substation; 35 kV Substation

Attack elements shown: HMI workstations (OS-level); Client-to-Server accessible; Firmware devices; Workstations & Servers

SLIDE 22

Malicious Firmware Uploads (Cont.)

Device model (created by Mark Engles)

Input side
  • No Data
  • Source problems
  • Disrupt Com Path
  • Disrupt AP/Interface
  • Invalid Data
  • Too Much Data

Communications Path, Electronic Protection, Communications Path (four AP nodes on the path)

Physical Protection of the device
  • Hardware
  • Firmware
  • Application Software
  • Configuration

Output side
  • No Data
  • Destination problems
  • Disrupt Com Path
  • Disrupt AP/Interface
  • Invalid Data
  • Too Much Data

Device Maintenance (not operational data input)

SLIDE 23

Manipulate-to-Disrupt (anti-restore)

SLIDE 24

SLIDE 25

How Sophisticated Was It?

SLIDE 26

Rating this Attack

Rating scale 0 to 3 (chart)

  • Sophistication: 1. Some sophistication in the SCADA/DMS hijacking method, but the majority of it was not
  • ICS Customization: 2. Rogue client hijacking demonstrated some customization
  • Effect: 2. Electricity outage in three service territories restored in hours
  • CONOP: 3. A complex and successful attack plan

Summary

SLIDE 27

Ukraine Incidents: Incident Mapping

SCADA/DMS & Process Elements

Human Operators
  • Elements: HMI, Inputs, Alarms, Data
  • Effect: Loss of View (LoV); False Alarms/Suppress Alarms; Spoofed Status, Levels, and Conditions; Denial of Control (DoC)

ICS Infrastructure
  • Elements: Servers, Network, Workstations, OS
  • Effect: Modify Files; Corrupt/Destroy Data; Exhaust Resources/DoS; Hang Applications; Hijack

ICS Applications
  • Elements: HMI (Client), SCADA Servers, ENG WS, Historians/DBs, Gateways/FEPs
  • Effect: Change Settings & Schedule Tasks; Spoof Data, Issue Commands (MoC); Delete Data; DoS (DoC)

Process & Safety
  • Elements: Controllers, Comms/IO, Instruments, Actuators
  • Effect: Change Settings, Write to Memory; Data Destruction; Spoof Data (MoC or MoV); Change Logic (MoC); DoS/Corrupt Software (DoC)

SLIDE 28

Guidance & Mitigation Concepts

Published Advisories and SCADA/DMS mitigations

SLIDE 29

ICS-CERT Alert

https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01ADD

SLIDE 30

E-ISAC Alert

Level 2 NERC Alert (R-2016-02-09-01), released February 9, 2016

https://www.esisac.com/api/documents/4199/publicdownload

SLIDE 31

Attack Elements

Ukraine Event: significant events based on publicly available reporting.

  • Spearphish
  • Credential Theft
  • VPN Access
  • Workstation Remote Access
  • Control & Operate
  • Tools & Tech

SLIDE 32

Opportunities to Disrupt

Timeline axis (approximate): 12 mo, 9 mo, 6 mo, hrs., min, Event, Hrs.

IT Preparation
  • Target selection
  • Unobservable target mapping
  • Malware development and testing

Spear phishing
  • Delivery of phishing email
  • Malware launch from infected office documents
  • Establish foothold

Hunting and Gathering
  • Lateral movement and discovery
  • Credential theft and VPN access
  • Control system network and host mapping

ICS Preparation
  • Unobservable malicious firmware development
  • Unobservable DMS environment research and familiarization
  • Unobservable attack testing and tuning

Sequence Pre-Work
  • Upload additional attack modules (KillDisk)
  • Schedule KillDisk wipe
  • Schedule UPS load outage

Attack Position
  • Establish remote connections to operator HMIs at target locations
  • Prepare TDoS dialers

Attack Launch
  • Issue breaker open commands
  • Modify field device firmware
  • Perform TDoS
  • Scheduled UPS and KillDisk

Target Response
  • Connection sever
  • Manual mode / control inhibit
  • Cyber asset restoration
  • Electric system restoration
  • Constrained operations
  • Forensics
  • Information sharing
  • System hardening and prep

SLIDE 33

Spearphish

Training
  • Awareness training
  • Phishing testing

Filtering
  • Detection based
  • Reputation based

Anticipated
  • Contested territory
  • Isolate and control

SLIDE 34

Credential Theft

Remediate
  • YARA & AV
  • Change PW

Defense in Depth
  • Directory segmentation
  • Zones of trust

Anticipated
  • Normalize net and directory activity
  • Alert on the abnormal
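One way to put "normalize net and directory activity, alert on the abnormal" into code. This is an added example, not from the deck and not DOE/INL or SANS code: the log format, account names and host names are constructed, and the deviation rules (new logon type, new source host, outside the account's usual hours, service account used interactively) are one reasonable baseline for the credential-misuse pattern the deck describes (legitimate credentials used over RDP, RADMIN or VPN), not a standard.

```python
"""Baseline-and-deviation detection for account logons.

Added example: not from the deck and not DOE/INL or SANS code. The log
format, account names and host names are constructed for this example.
Record fields: timestamp  account  source-host  logon-type  result
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed records from a normal period, used to learn what is usual per account.
BASELINE_LOG = """\
2015-11-02T08:05:11 ops_user1 corp-ws-14 interactive success
2015-11-02T08:07:40 ops_user1 corp-ws-14 interactive success
2015-11-03T09:12:03 ops_user1 corp-ws-14 interactive success
2015-11-03T14:30:55 admin_jdoe corp-ws-02 rdp success
2015-11-04T10:01:17 admin_jdoe corp-ws-02 rdp success
2015-11-05T08:45:09 svc_backup bk-srv-01 service success
2015-11-06T07:59:32 ops_user1 corp-ws-14 interactive success
"""

# Constructed records from the period under review.
REVIEW_LOG = """\
2015-12-23T15:02:44 admin_jdoe corp-ws-02 rdp success
2015-12-23T15:31:10 ops_user1 vpn-gw-01 vpn success
2015-12-23T15:33:27 ops_user1 scada-hmi-03 rdp success
2015-12-23T02:10:05 svc_backup corp-ws-07 interactive success
"""

# Logon types the deck lists as used with legitimate credentials (RDP, RADMIN, VPN).
REMOTE_TYPES = {"rdp", "vpn", "radmin"}


@dataclass(frozen=True)
class Logon:
    when: datetime
    account: str
    host: str
    logon_type: str
    result: str


def parse(log: str) -> list[Logon]:
    """Parse the constructed whitespace-separated format, skipping blank lines."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, account, host, logon_type, result = line.split()
        events.append(Logon(datetime.fromisoformat(ts), account, host, logon_type, result))
    return events


def build_baseline(events: list[Logon]) -> dict:
    """Per account: source hosts, logon types and hours of day seen in the baseline period."""
    baseline = defaultdict(lambda: {"hosts": set(), "types": set(), "hours": set()})
    for e in events:
        if e.result != "success":
            continue
        b = baseline[e.account]
        b["hosts"].add(e.host)
        b["types"].add(e.logon_type)
        b["hours"].add(e.when.hour)
    return baseline


def detect(baseline_log: str = BASELINE_LOG, review_log: str = REVIEW_LOG,
           slack_hours: int = 1) -> list[dict]:
    """One alert per successful logon that deviates from its account's baseline."""
    baseline = build_baseline(parse(baseline_log))
    alerts = []
    for e in parse(review_log):
        if e.result != "success":
            continue
        reasons = []
        b = baseline.get(e.account)  # .get() does not create an entry in the defaultdict
        if b is None:
            reasons.append("account never seen in baseline")
        else:
            if e.logon_type not in b["types"]:
                reasons.append(f"new logon type {e.logon_type}")
            if e.host not in b["hosts"]:
                reasons.append(f"new source host {e.host}")
            lo, hi = min(b["hours"]) - slack_hours, max(b["hours"]) + slack_hours
            if not lo <= e.when.hour <= hi:
                reasons.append(f"outside usual hours ({lo:02d}-{hi:02d})")
        # Service accounts should only ever produce service logons.
        if e.account.startswith("svc_") and e.logon_type != "service":
            reasons.append("service account used for a non-service logon")
        if reasons:
            alerts.append({"when": e.when.isoformat(), "account": e.account, "host": e.host,
                           "logon_type": e.logon_type, "remote": e.logon_type in REMOTE_TYPES,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect():
        print(a["when"], a["account"], a["host"], a["logon_type"], "|", "; ".join(a["reasons"]))
```

Run as a script it prints three alerts: two for the operator account appearing over VPN and RDP from hosts and at hours it never used before, and one for the backup service account logging on interactively at night; the administrator's usual RDP session from its usual workstation raises nothing. The value of the baseline is that the "abnormal" is defined per account from observed directory activity rather than from a fixed list of bad hosts.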

SLIDE 35

VPN Access

Strengthen
  • Two factor
  • Dedicated tokens

Trust
  • Jump host
  • No split tunneling

Anticipated
  • Why is it there
  • Activate at time of use

SLIDE 36

Workstation Remote Access

Harden
  • Disable remote access
  • Block at perimeter FW

Manage
  • Configure host FW
  • Monitor config changes

Anticipated
  • Conservative operations
  • Sectionalizing
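The VPN Access and Workstation Remote Access slides above list conditions a remote session into the control zone should meet. The following is an added example of an admission check that evaluates those conditions together; it is not from the deck and not DOE/INL or SANS code, and the jump host names, account names, grant records and the "hardware_token" factor label are constructed assumptions. It also answers "why is it there" by listing grants with no recorded justification or with a standing activation that never ends.

```python
"""Admission check for remote access into the control-system zone.

Added example: not from the deck and not DOE/INL or SANS code. Host names,
account names and the grant records are constructed. The rules encode the
slides' points: a dedicated second factor, a jump host, no split tunneling,
and access grants that state why they exist and are activated only for use.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

JUMP_HOSTS = {"jump-01", "jump-02"}   # constructed names of the approved jump hosts
ACCEPTED_MFA = {"hardware_token"}      # dedicated tokens only; no phone- or app-based factors


@dataclass
class AccessGrant:
    account: str
    destination: str
    justification: str                        # "why is it there"
    enabled_from: Optional[datetime] = None   # None: grant exists but was never activated
    enabled_until: Optional[datetime] = None  # None while enabled_from is set: standing access


@dataclass
class RemoteRequest:
    account: str
    source_host: str
    destination: str
    mfa_method: str
    split_tunnel: bool
    at: datetime


def evaluate(req: RemoteRequest, grants: list[AccessGrant]) -> tuple[bool, list[str]]:
    """Return (allowed, reasons); every failed rule is reported so the log explains the denial."""
    reasons = []
    if req.mfa_method not in ACCEPTED_MFA:
        reasons.append("second factor must be a dedicated hardware token")
    if req.source_host not in JUMP_HOSTS:
        reasons.append(f"source {req.source_host} is not an approved jump host")
    if req.split_tunnel:
        reasons.append("split tunneling is not permitted on control-zone sessions")
    grant = next((g for g in grants
                  if g.account == req.account and g.destination == req.destination), None)
    if grant is None:
        reasons.append(f"no access grant for {req.account} -> {req.destination}")
    elif (grant.enabled_from is None or req.at < grant.enabled_from
          or (grant.enabled_until is not None and req.at > grant.enabled_until)):
        reasons.append("grant is not activated for this time")
    return (not reasons, reasons)


def grants_needing_review(grants: list[AccessGrant]) -> list[tuple[AccessGrant, str]]:
    """Grants that cannot answer 'why is it there' or that never switch off."""
    flagged = []
    for g in grants:
        if not g.justification.strip():
            flagged.append((g, "no justification recorded"))
        elif g.enabled_from is not None and g.enabled_until is None:
            flagged.append((g, "standing activation with no end time"))
    return flagged


# Constructed sample data.
T0 = datetime(2015, 12, 23, 14, 0)
T_IN_WINDOW = T0 + timedelta(hours=1)
T_AFTER_WINDOW = T0 + timedelta(hours=5)
GRANTS = [
    AccessGrant("ops_user1", "ics-hmi-01", "shift support request (constructed)",
                enabled_from=T0, enabled_until=T0 + timedelta(hours=4)),
    AccessGrant("vendor_acct", "ics-hmi-01", "", enabled_from=T0 - timedelta(days=400)),
    AccessGrant("admin_jdoe", "ics-eng-ws", "patch window", enabled_from=None),
]

if __name__ == "__main__":
    ok, why = evaluate(RemoteRequest("ops_user1", "corp-ws-14", "ics-hmi-01",
                                     "push", True, T_IN_WINDOW), GRANTS)
    print("allowed" if ok else "denied", why)
    for g, reason in grants_needing_review(GRANTS):
        print(f"review {g.account} -> {g.destination}: {reason}")
```

The check deliberately reports every failed rule rather than stopping at the first, so a denied session leaves a record of how far it was from compliant (a useful hunting signal in its own right). The review function is what turns "why is it there" into a recurring task: the constructed vendor grant passes the live check because it is standing access, and only the review surfaces it.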

SLIDE 37

Control and Operate

App Security
  • Logic for confirmation
  • AOR

Communication
  • Path encryption
  • Protocol encryption

Anticipated
  • Manual operations
  • Load shed
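"Logic for confirmation" and "AOR" (area of responsibility) are application-level checks a dispatching client or server can enforce on every breaker command, and "manual mode / control inhibit" from the Target Response list is the operational counterpart. The following is an added example of a command gate that combines them; it is not from the deck, not DOE/INL or SANS code and not any vendor's SCADA/DMS logic. Substation, breaker and operator names, the select timeout and the open-command limit are constructed assumptions.

```python
"""Select-before-operate gate for dispatcher breaker commands.

Added example: not from the deck, not DOE/INL or SANS code, and not any
vendor's SCADA/DMS logic. Names, timeouts and limits are constructed.
Checks: area of responsibility (AOR), a two-step confirmation (select then
operate), a control-inhibit flag for substations under local control, and a
rate limit that requires supervisor confirmation for bursts of open commands.
"""
from collections import deque

SELECT_TIMEOUT_S = 30.0   # operate must follow its select within this window (assumed)
OPEN_LIMIT = 3            # opens allowed inside OPEN_WINDOW_S without supervisor confirmation
OPEN_WINDOW_S = 60.0


class CommandGate:
    def __init__(self, aor: dict):
        self.aor = aor                  # operator -> set of substations that operator may control
        self.inhibited = set()          # substations switched to local/manual control
        self.pending = {}               # (operator, substation, breaker) -> time of select
        self.recent_opens = deque()     # times of executed open commands, oldest first

    def set_control_inhibit(self, substation: str, inhibited: bool = True) -> None:
        """Local control: remote commands to this substation are refused while inhibited."""
        if inhibited:
            self.inhibited.add(substation)
        else:
            self.inhibited.discard(substation)

    def _authorised(self, operator: str, substation: str):
        if substation not in self.aor.get(operator, set()):
            return f"{substation} is outside {operator}'s area of responsibility"
        if substation in self.inhibited:
            return f"{substation} is under local control; remote commands inhibited"
        return None

    def select(self, operator: str, substation: str, breaker: str, now: float):
        """Step 1: the dispatcher selects a point; nothing moves yet."""
        err = self._authorised(operator, substation)
        if err:
            return False, err
        self.pending[(operator, substation, breaker)] = now
        return True, f"{substation}/{breaker} selected; confirm within {SELECT_TIMEOUT_S:.0f}s"

    def operate(self, operator: str, substation: str, breaker: str, action: str,
                now: float, supervisor_confirmed: bool = False):
        """Step 2: execute only if the same operator selected this exact point recently."""
        err = self._authorised(operator, substation)
        if err:
            return False, err
        selected_at = self.pending.get((operator, substation, breaker))
        if selected_at is None or now - selected_at > SELECT_TIMEOUT_S:
            return False, "no valid select for this point; select again and confirm"
        if action == "open":
            # Drop opens that have aged out of the window, then apply the burst limit.
            while self.recent_opens and now - self.recent_opens[0] > OPEN_WINDOW_S:
                self.recent_opens.popleft()
            if len(self.recent_opens) >= OPEN_LIMIT and not supervisor_confirmed:
                return False, "open-command rate exceeded; supervisor confirmation required"
            self.recent_opens.append(now)
        del self.pending[(operator, substation, breaker)]
        return True, f"{action} executed on {substation}/{breaker}"


if __name__ == "__main__":
    gate = CommandGate({"disp_a": {"sub-110-1", "sub-35-2"}})
    print(gate.operate("disp_a", "sub-110-1", "cb-1", "open", 0.0))   # no select yet
    print(gate.select("disp_a", "sub-110-1", "cb-1", 1.0))
    print(gate.operate("disp_a", "sub-110-1", "cb-1", "open", 2.0))
    print(gate.select("disp_a", "sub-110-9", "cb-1", 3.0))             # outside AOR
```

The time is passed in explicitly so the gate is deterministic and testable. A hijacked client session still has to pass every one of these checks per point, which is the property being demonstrated: the confirmation step and the burst limit do not stop a legitimate dispatcher, but they turn a rapid sequence of opens across many substations into a supervisor decision rather than a single unattended action.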

SLIDE 38

Tools and Tech

Eliminate
  • Filter calls by source
  • Disconnect BCS from net
  • Disable remote mgmt

Device
  • Disable remote FW updates
  • ATS, backup gen
  • Secondary comms

Anticipated
  • Blackstart plans
  • Islanding
  • Mutual aid
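"Disable remote FW updates" addresses the Serial-to-Ethernet converters whose firmware was corrupted in the event. The following is an added example of the acceptance policy a gateway (or the tooling that fronts it) can apply to a firmware image; it is not from the deck, not DOE/INL or SANS code and not any vendor's device firmware. The image payloads, versions, channel names and the vendor manifest are constructed; a real manifest would be signed by the vendor and verified before use.

```python
"""Firmware-update acceptance policy for a serial-to-Ethernet gateway.

Added example: not from the deck, not DOE/INL or SANS code, not any vendor's
device firmware. Image payloads, versions, channel names and the manifest are
constructed. Policy: apply an image only from the local maintenance channel
(unless the owner has deliberately re-enabled network updates), only if its
hash is in the vendor manifest, and never as a downgrade. Rejected attempts
are recorded so a network-side update attempt can be alerted on.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FirmwareImage:
    version: tuple     # (major, minor, patch)
    payload: bytes


@dataclass
class GatewayState:
    installed_version: tuple
    remote_updates_enabled: bool = False        # default off, per the slide
    rejected_attempts: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed vendor release set; the manifest maps version -> expected image hash.
RELEASES = [
    FirmwareImage((2, 0, 1), b"GW-FW v2.0.1 (constructed payload)"),
    FirmwareImage((2, 1, 0), b"GW-FW v2.1.0 (constructed payload)"),
]
MANIFEST = {img.version: sha256_hex(img.payload) for img in RELEASES}


def validate_update(state: GatewayState, image: FirmwareImage, channel: str,
                    manifest: dict = MANIFEST) -> tuple:
    """Return (accept, reason) without changing device state."""
    if channel not in ("local_maintenance", "network"):
        return False, f"unknown update channel {channel!r}"
    if channel == "network" and not state.remote_updates_enabled:
        return False, "remote firmware update is disabled; use the local maintenance port"
    expected = manifest.get(image.version)
    if expected is None:
        return False, f"version {image.version} is not a vendor release"
    if sha256_hex(image.payload) != expected:
        return False, "image hash does not match the vendor manifest"
    if image.version < state.installed_version:
        return False, f"downgrade from {state.installed_version} to {image.version} not permitted"
    return True, "accepted"


def apply_update(state: GatewayState, image: FirmwareImage, channel: str,
                 manifest: dict = MANIFEST) -> tuple:
    """Apply the image if the policy accepts it; otherwise record why it was refused."""
    ok, reason = validate_update(state, image, channel, manifest)
    if ok:
        state.installed_version = image.version
    else:
        state.rejected_attempts.append({"channel": channel, "version": image.version,
                                        "reason": reason})
    return ok, reason


if __name__ == "__main__":
    gw = GatewayState(installed_version=(2, 0, 1))
    print(apply_update(gw, RELEASES[1], "network"))            # refused: remote updates off
    print(apply_update(gw, RELEASES[1], "local_maintenance"))  # accepted
    for attempt in gw.rejected_attempts:
        print("rejected:", attempt)
```

The rejected-attempt list is the detection hook: a gateway that keeps refusing network-channel updates while the policy has them disabled is reporting exactly the activity this slide anticipates, and that record should be forwarded to monitoring rather than left on the device, given that the same event also targeted local storage.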

SLIDE 39

Lessons Learned

  • Training
  • Planning and Analysis
  • Load Shed
  • EOP
  • Blackstart

SLIDE 40

Lessons Learned Translated

  • Cyber contingency analysis (continuous analysis and preparing the system for the next event)
  • Cyber failure planning (modeling and testing cyber system response to network and asset outages)
  • Cyber conservative operations (intentionally eliminating planned and unplanned changes, as well as stopping any potentially impactful processes)
  • Cyber load shed (eliminating all unnecessary network segments, communications, and cyber assets that are not operationally necessary)
  • Cyber RCA (root cause analysis forensics to determine how an impactful event occurred and ensure it is contained)
  • Cyber blackstart (cyber asset base configurations and bare-metal build capability to restore the cyber system to a critical service state)
  • Cyber mutual aid (ability to utilize ISACs, peer utilities, law enforcement and intelligence agencies, as well as contractors and vendors to respond to large-scale events)

SLIDE 41

Prepare to Defend the Effect

Component                  Mitigation N   Mitigation N+1    Mitigation N+X
Spear phish                Training       Filter            System Spec
Credential Theft           Remediate PW   Defense in Depth  Protection Devices
VPN Access                 Strengthen     Trust             RCA / EOP
Workstation Remote Access  Harden         Manage            Conservative Operations / Sectionalizing
Control and Operate        App Security   Communication     Manual Operations / Load Shed
Tools and Tech             Eliminate      Device            Black Start / Mutual Aid

SLIDE 42

Questions

SLIDE 43

References & Products

  • NCCIC/ICS-CERT INCIDENT ALERT: IR-Alert-H-16-043-01P, Ukrainian Power Outage Event, February 12, 2016 (TLP=GREEN)
      • High-level summary of the incident elements
      • Mitigation guidance
      • Detection pointers & indicators (IOCs)
  • NERC E-ISAC: Mitigating Adversarial Manipulation of Industrial Control Systems as Evidenced By Recent International Events, February 9, 2016 (TLP=RED)
      • Tactics used by actors with mitigation options
  • ICS-CERT BlackEnergy YARA signature: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01E
  • Initial Findings of the US Delegation examining the events of December 23rd 2015, PowerPoint presentation, February 2016
  • E-ISAC & SANS Defense Use Case: https://www.esisac.com/api/documents/4199/publicdownload

SLIDE 44

Guidance Documents

CEDS: Research & Development | Deployment | Incident Coordination

SLIDE 45

Cyber Incident Coordination

  • Coordinate response with federal and industry partners.
  • Share information and facilitate access to technical, sector-specific expertise while ensuring:
      • Unity of effort; and
      • Unity of message
  • Collaboration with industry for participation in national and regional preparedness projects including cyber exercises:
      • ESCC Playbook Exercise
      • New York State Cybersecurity Exercise (NYSCE)
      • Dams Sector Information Sharing Drill
      • North American Electric Reliability Corporation (NERC) Grid Security Exercise (GridEx)

SLIDE 46

Office of Electricity Delivery & Energy Reliability
U.S. Department of Energy
www.energy.gov/oe/services/cybersecurity