Researchers have identified the malware used in the Dec. 17, 2016, cyber-attack on a Ukrainian transmission substation that resulted in power outages in Kiev. ESET, a Slovakian anti-virus software maker, and Dragos Inc, a U.S. critical-infrastructure security firm, released an industry report to inform the electric sector and the security community of the malware's potential implications.
The two firms said they did not know who was behind the attack. Ukraine has blamed Russia, though officials in Moscow have repeatedly denied responsibility, according to a Reuters report. Still, the firms warned that there could be more attacks using the same approach, either by the group that built the malware or by copycats who modify it.
Because the malware identifies itself with the string "crash" in multiple locations, Dragos named the framework "Crash Override" (ESET's report refers to the same malware as Industroyer).
The Crash Override modules issue commands that open circuit breakers on remote terminal units (RTUs) and then repeat those commands in an infinite loop, so the breakers stay open even if grid operators try to close them again. This is what de-energizes the substation. Operators can regain control by falling back to manual operation of the affected equipment.
The malware appears not to have used all of its functionality and modules, according to the Dragos report; the 2016 attack on the Kiev transmission substation may have been more a proof of concept than a full demonstration of the malware's capability.
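The behaviour just described, a host re-issuing breaker-open commands in a tight loop and undoing any operator attempt to re-close, has a recognisable shape in a control-command log. The following is an added example of detection logic over such a log, not code from the Dragos or ESET reports. The log format (one record per control command with timestamp, source host, RTU, point number and command), the host addresses, and the thresholds are all assumptions for illustration; the sample records are constructed inline.

```python
"""Flag breaker-open command loops and countermanded operator closes.

Added example, not from the Dragos/ESET reports. The record format
(ts src= rtu= point= cmd=) and all addresses/thresholds are assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed record format, one control command per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) rtu=(?P<rtu>\S+) "
    r"point=(?P<point>\d+) cmd=(?P<cmd>open|close)$"
)


def parse_line(line):
    """Parse one log record into a dict; reject anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["point"] = int(rec["point"])
    return rec


def find_command_loops(records, window=timedelta(seconds=60), min_repeats=10):
    """Return {(src, rtu, point): peak_count} for every source that sends
    at least `min_repeats` 'open' commands to one point inside any sliding
    window of length `window`. A single operator action never trips this."""
    recent = defaultdict(deque)
    alerts = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["cmd"] != "open":
            continue
        key = (r["src"], r["rtu"], r["point"])
        q = recent[key]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= min_repeats:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


def find_countermanded_closes(records, grace=timedelta(seconds=5)):
    """Return (rtu, point, closer, opener, delay) for each 'close' that is
    undone by an 'open' from a *different* source within `grace`: the
    signature of an operator fighting a loop that keeps re-opening."""
    by_point = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):  # stable: keeps log order within a second
        by_point[(r["rtu"], r["point"])].append(r)
    hits = []
    for (rtu, point), seq in by_point.items():
        for i, r in enumerate(seq):
            if r["cmd"] != "close":
                continue
            for later in seq[i + 1:]:
                if later["ts"] - r["ts"] > grace:
                    break
                if later["cmd"] == "open" and later["src"] != r["src"]:
                    hits.append((rtu, point, r["src"], later["src"], later["ts"] - r["ts"]))
                    break
    return hits


def build_sample_log():
    """Constructed sample: one normal operator action, then an assumed
    attacker host hammering three points with 'open' once a second for a
    minute while the operator tries once to re-close point 12."""
    lines = ["2016-12-17T22:40:00Z src=10.0.2.20 rtu=RTU-03 point=4 cmd=open"]
    base = datetime(2016, 12, 17, 22, 53, 0)
    for i in range(60):
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        for point in (12, 13, 14):
            lines.append(f"{ts} src=10.0.1.5 rtu=RTU-07 point={point} cmd=open")
    lines.append("2016-12-17T22:53:30Z src=10.0.2.20 rtu=RTU-07 point=12 cmd=close")
    return lines


def run_sample():
    records = [parse_line(l) for l in build_sample_log()]
    return find_command_loops(records), find_countermanded_closes(records)


if __name__ == "__main__":
    loops, hits = run_sample()
    for key, n in loops.items():
        print(f"LOOP  src={key[0]} {key[1]}/point {key[2]}: {n} opens in 60s")
    for rtu, point, closer, opener, delay in hits:
        print(f"FIGHT {rtu}/point {point}: close by {closer} undone by {opener} after {delay}")
```

The two heuristics are deliberately independent: the loop detector fires early (after the tenth repeat) on the attacker's traffic alone, while the countermand detector needs an operator's close to appear in the same log, which is exactly the evidence that manual intervention is being overridden and that falling back to local manual control is warranted.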
"There are concerning scenarios in how this malware can be leveraged to disrupt grid operations that would result in hours of outages at targeted locations leading into a few days if done at multiple sites," said Robert M. Lee in a Dragos blog.
Crash Override could be extended to other industries with additional protocol modules, according to the Dragos report. However, the adversaries have not demonstrated knowledge of other physical industrial processes, so that possibility remains a hypothetical for now; new protocol modules alone would not be enough without an understanding of the target process.
In fact, Lee indicated in his blog that the electric grid is "extremely reliable. Crash Override represents alarming tradecraft and the ability to disrupt operations, but the public must understand that the outages could be in hours or days, not in weeks or months. The electric grid operators train regularly to restore power for similar sized events such as weather storms. The first thank you that needs to be publicly stated is to those men and women responsible for having put the electric grid into a defensible situation through their dedication to reliability and safety of electric power."