By Liron Benbenishti, Cyber Security Researcher at Radiflow
Introduction
On December 23, 2015, Ukrainian power suppliers experienced unscheduled power outages which impacted a large number of customers in Ukraine. In addition, there were also reports of malware found in Ukrainian companies in a variety of critical infrastructure sectors.
Ultimately, the Ukrainian outages, which lasted several hours, affected up to 225,000 customers in three different distribution-level service territories.
In this post I’d like to analyze the attack using the ISA/IEC 62443-3-3 standard: determine the security level that was actually achieved, and evaluate the required security level that could have prevented the attack.
Analysis of the Attack
1. Initial access to the IT network was gained through spear-phishing emails: the adversary delivered a targeted email with a malicious attachment, appearing to come from a trusted source, to specific individuals within the organizations.
2. Reconnaissance on the IT and OT networks and systems using the BlackEnergy malware, which was remotely controlled to collect data over a period of several months.
3. The attack propagated from the business network into the SCADA networks, giving the attackers control over the power grid: with remote access to the HMI, they were able to switch off breakers remotely.
4. The attackers reconfigured the UPS devices responsible for providing backup power.
5. Finally, the attackers overwrote the firmware on some of the substation converters with malicious firmware.
6. The attackers also launched a denial-of-service attack against customer call centers to prevent customers from calling in to report the outage.
IEC 62443 is the most commonly used international standard for cybersecurity in Industrial Control Systems (ICS). It provides a systematic and practical approach to cybersecurity for industrial systems. Every stage and aspect of industrial cybersecurity is covered, from risk assessment through operations.
ISA/IEC 62443-3-3 lists 51 system requirements (SRs) structured in seven foundational requirements (FRs). Each SR may be reinforced by one or more requirement enhancements (REs) that are selected based on the targeted security levels (SL-Ts), as follows:
Thus, the overall SL-A evaluation denotes the maximum security level achieved in common across all FRs, i.e. the lowest of the seven per-FR levels.
The Ukraine distribution network had several cybersecurity issues:
Lack of OT network intrusion detection allowed extensive OT network scanning and vulnerability discovery to go unnoticed.
The following table (from ISA) represents the overall estimation of the seven FRs:
Which SL would have been required to prevent the attack?
Setting the SL-T at level 2 would have been enough to detect and prevent the attack, given the additional security controls it requires, such as strong/local authentication and anti-malware.
Conclusion
To summarize the takeaways of this cyberattack using IEC 62443-3-3 guidance:
2. It is best to aim for SL-T=3, since state-sponsored actors normally bring capabilities corresponding to SL 3 or even 4 to their attacks.
3. Do not aim for SL-T=2 or 3 on some FRs if the SL-A is still zero on other FRs, as this would likely be useless.
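As an added example (not code from the post or from Radiflow), the SL-A aggregation rule above and takeaway 3 expressed in Python: the overall SL-A is the minimum across the seven FRs, and a gap report flags both the shortfall against a uniform SL-T and the "uneven" case of SL 2+ on some FRs while others are still at zero. The per-FR values in the sample assessment are constructed for illustration and are not the ISA table.

```python
# Added example, not from the original post: overall SL-A is the highest
# level met by every FR at once, i.e. the minimum across the seven FRs.
# The seven foundational requirements of ISA/IEC 62443-3-3.
FRS = {
    "FR1": "Identification and authentication control",
    "FR2": "Use control",
    "FR3": "System integrity",
    "FR4": "Data confidentiality",
    "FR5": "Restricted data flow",
    "FR6": "Timely response to events",
    "FR7": "Resource availability",
}

def overall_sl_a(per_fr: dict) -> int:
    """Overall SL-A: the maximum level common to all FRs (the minimum)."""
    missing = set(FRS) - set(per_fr)
    if missing:
        raise ValueError(f"no assessment for {sorted(missing)}")
    for fr, lvl in per_fr.items():
        if fr not in FRS or not 0 <= lvl <= 4:
            raise ValueError(f"bad entry {fr}={lvl}")
    return min(per_fr[fr] for fr in FRS)

def gap_report(per_fr: dict, sl_t: int) -> dict:
    """Per-FR shortfall against a uniform SL-T, plus the warning from the
    post: SL 2-3 on some FRs is of little use while others sit at 0."""
    sl_a = overall_sl_a(per_fr)
    shortfall = {fr: sl_t - lvl for fr, lvl in per_fr.items() if lvl < sl_t}
    unbalanced = sl_a == 0 and max(per_fr.values()) >= 2
    return {"sl_a": sl_a, "sl_t": sl_t, "meets_target": not shortfall,
            "shortfall": shortfall, "unbalanced": unbalanced}

# Constructed sample assessment (illustrative values, not the ISA table):
# reasonable access control, but no OT intrusion detection (FR6) and no
# segmentation between business and SCADA networks (FR5).
SAMPLE = {"FR1": 2, "FR2": 1, "FR3": 1, "FR4": 1, "FR5": 0, "FR6": 0, "FR7": 1}

if __name__ == "__main__":
    report = gap_report(SAMPLE, sl_t=2)
    print(f"overall SL-A = {report['sl_a']} (target SL-T = {report['sl_t']})")
    for fr, gap in sorted(report["shortfall"].items()):
        print(f"  {fr} {FRS[fr]}: short by {gap} level(s)")
    if report["unbalanced"]:
        print("  warning: some FRs at SL 2+ while others are still at SL 0")
```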
Recommendations
The most important step in cybersecurity is the implementation of best practices for information resources management:
Additional information about using YARA signatures can be found in the May/June 2015 ICS-CERT Monitor available at https://ics-cert.us-cert.gov/monitors/ICS-MM201506.
Credits: ISA, US-CERT, SANS, Patrice Bock, with the participation of Jean-Pierre Hauet, Romain Françoise, and Robert Foley