By Dragos, Inc

In recent years, there has been a continual rise in sophisticated cyber attacks on electric infrastructure globally with the intent of causing significant operational disruptions. 

For example, the cyber attack on three power companies in Ukraine in December of 2015 marked a revolutionary event for electric grid operators. This attack was the first known instance of a successful disruption of electric grid operations, resulting in over 225,000 customers without power for upwards of 6 hours until manual operations could restore power. In December of 2016, the second publicly-known ICS-targeting malware, CRASHOVERRIDE, was the first malware framework to target a transmission substation, causing an outage in Kiev, Ukraine. ELECTRUM, the threat activity group responsible for CRASHOVERRIDE, is one of six public threat activity groups Dragos tracks that specifically target electric operations (with nine total targeting industrial organizations globally). 

This progression of attacks is important, not only because electricity is a vital component of our everyday lives, but also because it demonstrates that attackers are learning from the tactics and tradecraft codified in previous industrial cyber attacks and evolving them to create more sophisticated, tailored attacks on electric operations, as well as industrial operations as a whole.

Brief History of Industrial-Focused Incidents  

  • STUXNET: A computer worm that caused substantial damage to Iran’s nuclear program. This is the first confirmed example of ICS-tailored malware leveraged against a target. STUXNET exhibited a detailed understanding of the targeted industrial environment and specific physical process.
  • Dragonfly/HAVEX: An espionage effort that targeted over 2000 industrial sites, with a large emphasis on electric power and petrochemical asset owners, leveraging the OPC (OLE for Process Control) protocol to map out industrial equipment and devices. The Dragonfly campaign demonstrated knowledge of how to survey and enumerate ICS-specific networks for information gathering.
  • BLACKENERGY 2: ICS-tailored malware aimed at exploiting internet-connected HMIs to gain access to a central location in the ICS, learn the industrial process, and obtain the graphical representation of that ICS. BLACKENERGY 2 took the innovations from Dragonfly and HAVEX further by building in the capability to exploit and gain access to ICS-specific equipment via equipment vulnerabilities.
  • Ukraine Cyber Attack 2015: Adversaries leveraged the BLACKENERGY 3 malware to gather credentials and other information facilitating access to the corporate networks of the power companies and then pivot into the ICS network. Once within the ICS environment, the attacker leveraged access and knowledge of the utilities to manually manipulate electric utility operations to produce an outage, followed by a disruptive attack to delay recovery.
  • Ukraine Cyber Attack 2016/CRASHOVERRIDE: CRASHOVERRIDE was a culmination of the evolving sophistication of industrial-focused tradecraft: understanding and codifying the knowledge of the industrial process to disrupt operations as STUXNET did, leveraging the protocol-specific understanding and communication similar to HAVEX, targeting ICS systems via exploit (Siemens SIPROTEC protective relays) as BLACKENERGY 2 did, and combining all of this knowledge to execute an electric-disruptive event similar to the Ukraine 2015 attack.

CRASHOVERRIDE marked an advancement in capability of adversaries who intend to disrupt electric grid operations, and it confirms they are getting smarter, expanding their ability to learn industrial processes, and codifying and scaling that knowledge. Though this poses a challenge for those tasked with protecting industrial networks within electric utilities, it is one that is addressable and achievable through a comprehensive, intelligence-driven approach to industrial security. 

The Dragos Platform helps secure electric utilities’ industrial control system networks by providing comprehensive visibility, threat detection, and response via intelligence-driven analytics and the codified knowledge of the industry’s most experienced team of ICS practitioners throughout its three components:

  • In-depth asset identification: Deep packet inspection of ICS protocols and beyond, coupled with the ability to track asset changes over time and enable historical timelines of each asset’s status, helps analysts determine if changes in their environment are non-malicious or malicious. Analysts can also create baselines of their environment to compare to later or create complete historical timelines that are dynamic to compare at different points of time, which is especially valuable to support investigations and incident response. 
  • Intelligence-driven threat detection: The Dragos Platform is routinely updated with the newest threat behavior analytics, derived from adversary tradecraft tracked by the Dragos ICS threat intelligence team. The team currently tracks nine ICS threat activity groups, six of which are publicly known to specifically target electric utilities: RASPITE, ELECTRUM, DYMALLOY, XENOTIME, COVELLITE, and ALLANITE. The tactics, techniques, and procedures of these threat groups are codified into analytics and fed into the platform for the industry’s most accurate and rapid threat detection capabilities. To learn more about Dragos’ unique ICS threat intelligence or request a free 30-day trial, visit https://dragos.com/worldview/
  • Expert-guided investigation and response: Investigation playbooks are custom-authored by our services’ expert team of ICS hunters and responders and include step-by-step guidance to enable analysts to start down efficient paths to respond to potential threats, reducing the time to act if a threat is discovered and increasing the effectiveness of their response.

To learn more about how the Dragos Platform helps protect electric utilities, visit https://dragos.com/comprehensive-ics-security-for-electric-grid-operations/ or read our case study about how Dragos’ technology deploys in electric environments.