2. Reconnaissance on the IT and OT networks and systems using the BlackEnergy malware, which was remotely controlled to collect data over a period of several months.
3. The attack propagated from the business network into the SCADA networks, which allowed the attackers to gain control over the power grid. The attackers gained remote access to the HMI, which allowed them to remotely switch off breakers.
4. The attackers reconfigured the UPS devices responsible for providing backup power.
5. Finally, the attackers overwrote the firmware on some of the substation converters with malicious firmware.
6. The attackers also launched a denial-of-service attack against customer call centers to prevent customers from calling in to report the outage.
How can the IEC 62443 standard help us estimate the SL-A?
IEC 62443 is the most commonly used international standard for cybersecurity in Industrial Control Systems (ICS). It provides a systematic and practical approach to cybersecurity for industrial systems. Every stage and aspect of industrial cybersecurity is covered, from risk assessment through operations.
ISA/IEC 62443-3-3 lists 51 system requirements (SRs) structured in seven foundational requirements (FRs). Each SR may be reinforced by one or more requirement enhancements (REs) that are selected based on the targeted security levels (SL-Ts), as follows:
- For each SR, verify that the base requirement and the applicable enhancements are met.
- For each FR, the SL-A is the maximum security level achieved in common by all SRs in that FR.
- Each FR groups the security requirements of one domain:
  - FR1 – Identification and Authentication Control
  - FR2 – Use Control
  - FR3 – System Integrity
  - FR4 – Data Confidentiality
  - FR5 – Restricted Data Flow
  - FR6 – Timely Response to Events
  - FR7 – Resource Availability
Thus, the overall SL-A evaluation denotes the maximum common security levels achieved on all FRs.
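As an added illustration, not part of the original article or of ISA's analysis, the following Python models that evaluation: an SR scores 0 unless its base requirement is met and then rises with the REs met; each FR's SL-A is the minimum over its SRs; the overall SL-A is the minimum over FRs, and a target SL-T can be compared against it. The SR names and the RE-to-SL mappings in the sample are constructed for the example and are not the standard's text.

```python
from dataclasses import dataclass, field

@dataclass
class SystemRequirement:
    """One SR: a base requirement plus optional REs, each RE tied to the
    lowest SL from which it is mandatory (mapping constructed for this example)."""
    name: str
    base_met: bool
    re_needed_from_sl: dict              # RE number -> lowest SL requiring it
    res_met: set = field(default_factory=set)

    def achieved_level(self) -> int:
        """0 if the base requirement is not met, otherwise the highest SL
        for which every RE required at or below that level is met."""
        if not self.base_met:
            return 0
        level = 1
        for sl in (2, 3, 4):
            required = {re for re, lo in self.re_needed_from_sl.items() if lo <= sl}
            if not required <= self.res_met:
                break
            level = sl
        return level

def fr_sl_a(srs):
    """SL-A of an FR: the highest level achieved in common by all its SRs."""
    return min(sr.achieved_level() for sr in srs)

def overall_sl_a(frs):
    """Overall SL-A: the highest level achieved in common by all FRs."""
    return min(fr_sl_a(srs) for srs in frs.values())

def gaps_to_target(frs, sl_t):
    """FRs falling short of the target SL-T, with the shortfall in levels."""
    return {fr: sl_t - fr_sl_a(srs) for fr, srs in frs.items() if fr_sl_a(srs) < sl_t}

# Constructed sample mirroring the findings above (not the standard's SR text).
SAMPLE = {
    "FR1": [SystemRequirement("Human user authentication", True, {1: 2, 2: 3, 3: 4}),  # no 2FA
            SystemRequirement("Password strength", True, {1: 2}, {1})],
    "FR5": [SystemRequirement("Network segmentation", True, {1: 2, 2: 3}, {1, 2})],
    "FR6": [SystemRequirement("Continuous monitoring", False, {1: 3})],  # no OT IDS
}

if __name__ == "__main__":
    for fr, srs in SAMPLE.items():
        print(fr, "SL-A =", fr_sl_a(srs))
    print("overall SL-A =", overall_sl_a(SAMPLE), "gaps to SL-T 2:", gaps_to_target(SAMPLE, 2))
```

One unmet base requirement in a single FR (here the monitoring SR in FR6) pulls the overall SL-A down to 0, which is the point made in the conclusions below.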
Evaluation of the SL-A
The Ukraine distribution network had several cybersecurity issues:
- Lack of IT network supervision, which allowed extensive network scans, vulnerability searches, and discovery of the allowed SSH link.
- Lack of strong authentication (2FA) or local (OT) approval of remote connections made it possible to frequently connect from the IT network to the OT network. This went on, undetected, for several months.
- Lack of OT network intrusion detection, which allowed extensive OT network scans and vulnerability detection.
The following table (from ISA) represents the overall estimation of the seven FRs:

Which SL would have been required to prevent the attack?
Setting the SL-T at level 2 would have been enough to detect and prevent the attack, with additional security controls such as strong or local authentication and anti-malware.
Conclusion
To summarize the takeaways of this cyberattack using IEC 62443-3-3 guidance:
1. Power distribution utilities should aim for SL-T=2, but should also have several layers of defense, prevention, detection, and time for reaction in anticipation of the most sophisticated attacks.
2. It is best to aim for SL-T=3, since state-sponsored actors normally mount attacks at the SL 3 or even SL 4 level.
3. Do not aim for SL-T=2 or 3 on some FRs while the SL-A is still zero on other FRs, as this would likely be useless.
Recommendations
The most important step in cybersecurity is the implementation of best practices for information resources management:
- Properly segment networks
- Ensure logging is enabled on devices
- Limit remote access
- Prioritize and patch known vulnerabilities
- Plan and train for incident response
- Implement application whitelisting
- Configure updated rules in the intrusion detection system
Additional information about using YARA signatures can be found in the May/June 2015 ICS-CERT Monitor available at https://ics-cert.us-cert.gov/monitors/ICS-MM201506.
Credits: ISA, US-CERT, SANS, Patrice Bock, with the participation of Jean-Pierre Hauet, Romain Françoise, and Robert Foley