Each ISO/RTO acknowledges the risk of a cyber-attack as one of its top corporate risks, and collectively the ISO/RTO Council (IRC) supports the resiliency efforts of each of its members and the advancement of the cybersecurity posture of the power grid, the IRC said in a statement provided to TransmissionHub on June 15. The statement came in light of the CRASHOVERRIDE malware framework disclosed in a recent report by the cybersecurity company Dragos Inc.
According to that report – which Dragos released on June 12, and which can be found on the company’s website – Dragos was notified by the Slovak anti-virus firm ESET of an industrial control system (ICS) tailored malware on June 8. The report noted that the Dragos team was able to use that notification to find samples of the malware, identify new functionality and impact scenarios, and confirm that it was the malware employed in the Dec. 17, 2016, cyber-attack on the Kiev, Ukraine transmission substation, an attack that disrupted electric grid operations.
Discussing key takeaways, the report noted that the malware self-identifies as “crash” in multiple locations, which led to the name “CRASHOVERRIDE” for the malware framework. According to the report, CRASHOVERRIDE is the first ever malware framework designed and deployed to attack electric grids; the fourth ever piece of ICS-tailored malware – following “STUXNET,” “BLACKENERGY 2,” and “HAVEX” – used against targets; and the second ever designed and deployed to disrupt physical industrial processes.
Like STUXNET, CRASHOVERRIDE understood and codified knowledge of the industrial process in order to disrupt operations, and like HAVEX, it leveraged the “OPC protocol” to help it map the environment and select its targets, the report said. CRASHOVERRIDE also targeted the libraries and configuration files of human machine interfaces (HMIs) to understand the environment further, and leveraged HMIs to connect to Internet-connected locations when possible, as BLACKENERGY 2 had done, the report said.
CRASHOVERRIDE is not unique to any particular vendor or configuration and instead leverages knowledge of grid operations and network communications to cause impact, the report said, adding that, for that reason, the malware can be immediately re-purposed in Europe and portions of the Middle East and Asia. CRASHOVERRIDE is extensible and, with a small amount of tailoring, would also be effective in the North American grid, the report said.
While the malware could be leveraged at multiple sites simultaneously, the scenario is not cataclysmic and would result in hours, potentially a few days, of outages, according to the report, which also noted that Dragos tracks the adversary group behind the malware as ELECTRUM.
The report noted that reliability in the United States, for instance, is reinforced with regular training and events such as the North American grid’s GridEx, where grid operators train for events ranging from hurricanes to terrorist incidents and cyber-attacks, and for how they will respond to the resulting outages.
“There is constantly a balance that must be understood when referring to grid operations: yes, the systems are vulnerable and more must be done to understand complex and multi-stage attacks, but the grid is also in a great defensible position because of the work of so many over the years,” the report said.
Regarding defense recommendations, the report said, for instance, that robust backups of engineering files such as project logic, intelligent electronic device (IED) configuration files, and ICS application installers should be kept offline and tested; doing so will help reduce the impact of the malware’s wiper functionality.
Information sharing remains ‘key tool’
The North American Electric Reliability Corporation (NERC), in a June 12 statement, said that it is aware of the vulnerability discovered in Ukraine that has the potential to impact industrial control systems.
“To date, there are no reported instances of the malware in North America,” NERC said.
The Electricity Information Sharing and Analysis Center (E-ISAC) – which routinely monitors all threats to the grid and provides alerts to industry as needed when new or continuing threats emerge – has shared information with industry via the E-ISAC secure portal, NERC said, adding that a public Level 1 NERC alert is being developed and will be shared as soon as possible. The previously shared “Ukraine Defense Use Case” report will be updated accordingly, NERC said.
“Cyber threats are constantly emerging and changing, therefore our efforts must also allow for flexibility and quick response,” NERC said.
NERC noted that its mandatory and enforceable security standards, including security management controls and authorized personnel and training controls; network segmentation; and the use of licensed anti-virus software, work to protect against the dynamic cyber threat environment.
Information sharing continues to be a key tool and NERC’s E-ISAC has long been at the forefront of cyber intelligence sharing, NERC said.
“There is no question that cyber threats like the one in Ukraine are real and that constant vigilance is needed to protect the reliability of the North American grid,” NERC said. “NERC and industry remain committed to the security and reliability of the North American bulk power system.”
In a June 15 media release, James Merlo, vice president and director of Reliability Risk Management at NERC, said that NERC’s “State of Reliability 2017” report found that the bulk power system provided an adequate level of reliability last year.
NERC said that the independent review of the bulk power system is based on analysis of data and metrics, which enables NERC to examine trends, identify potential risks to reliability, establish priorities, and develop effective mitigation strategies.
NERC said that among other things, the report found that while there were no reported cyber or physical security incidents that resulted in a loss of load in 2016, cyber and physical threats are increasing and becoming more serious over time.
The IRC, in its statement provided to TransmissionHub, said that its members – which, according to its website, are the Alberta Electric System Operator, California ISO, Electric Reliability Council of Texas, Ontario Independent Electricity System Operator, ISO New England, Midcontinent ISO, New York ISO, PJM Interconnection, and Southwest Power Pool – are aware of the CRASHOVERRIDE framework disclosed in the Dragos report.
“We agree with sentiments expressed in the North American Reliability Corporation’s (NERC) statement: that the continuously evolving cyber threats to our industry require a concerted response to ensure the continued security and reliability of the power grid, and that security programs must continue to reflect more than that which is required by current standards,” the IRC said.
The energy industry is the only industry required to meet federal standards directed by FERC and developed under the leadership of NERC, the IRC noted.
“We have and will continue to partner with state, local, regional, provincial and federal governments in Canada and the United States, NERC, the Electric Sector Coordinating Council, utilities, and academia to stay ahead of continuously advancing threats,” the IRC said.
Specifically, the IRC said that its committees and working groups collaborate with organizations including NERC’s E-ISAC, as well as local, state, regional, provincial and federal agencies in Canada and the United States, including Public Safety Canada, the FBI and Homeland Security, to ensure that all ISOs/RTOs are secure and prepared to act in a cyber emergency.
NERC biannually directs coast-to-coast GridEx drills, which give all utilities the opportunity to coordinate responses to simulated cyber and physical attacks on electric and other critical infrastructures across North America, the IRC said. GridEx is planned and executed with input from local, state, regional, provincial and federal government agencies in Canada and the United States – including the FBI and Homeland Security on the federal level and the appropriate state and local agencies with which ISOs/RTOs coordinate on cybersecurity matters – as well as ISACs and supply chain organizations, the IRC noted.
On a more frequent basis, individual ISOs/RTOs are routinely involved in regional, provincial or statewide exercises conducted throughout North America, thus ensuring opportunities for organizations to verify their readiness to respond to and recover from cyber and physical attacks, the IRC said.