When we discussed Rhebo’s innovative approach to Germany’s new IT-Security Act (ITSA), real-world cyber attacks on the industrial Ethernet hadn’t truly come to fruition. It seemed like a critical infrastructure hack was still relegated to the over-blown plot lines of Bruce Willis’ Live Free or Die Hard.
Even as countries like Germany take proactive measures against industrial Ethernet threats, cyber attackers manage to find ways to stay ahead of the game.
As 2015 drew to a close, the world experienced its first true critical infrastructure hack—an attack on Ukraine’s power grid.
Putting the Ukraine Power Grid Hack in Perspective
We watch John McClane do his Die Hard job against a sophisticated set of critical infrastructure attacks and know it’s not real—especially when a car is launched in the air to take down a helicopter. But who knew how perceptive the 2007 film would be?
The Ukraine power grid hack is truly a watershed moment in the history of cyber attacks. This kind of attack is so unique and new to the cyber security community that security researchers are debating whether squirrels or hackers are more dangerous to critical infrastructures (hint: squirrels cause far more power outages than hackers!).
The December 23, 2015 attack could mark the beginning of the increasing vulnerability of critical infrastructures on a global scale. While intelligence agencies and the US Department of Homeland Security are still investigating the hack, it’s important for every networking and security professional to understand what we know so far.
>> Download Now: Full Duplex Capture In Industrial Environments [Free Whitepaper]
The Details of the Ukraine Power Grid Attack that We Know So Far
It was first reported that half of one Ukrainian region lost power inexplicably. However, Slovakian infosec firm, ESET, discovered that several energy companies were targeted simultaneously. The full picture of details regarding the Ukraine power grid attack is unclear for now. But for those trying to defend the industrial Ethernet, it’s important to understand the two key attack vectors used in the hack:
- BlackEnergy Trojan: According to Kaspersky Labs researchers, the BlackEnergy Trojan “is crimeware turned APT tool and is used in significant geopolitical operations…An even more interesting part of the BlackEnergy story is the relatively unknown custom plugin capabilities to attack ARM and MIPS platforms, scripts for Cisco network devices, destructive plugins, a certificate stealer and more.”
- KillDisk Malware: BlackEnergy is threatening on its own, but researchers have discovered the Trojan is acting as a back door to deliver the KillDisk malware. KillDisk is a data deletion attack vector capable of deleting upwards of 4,000 different file types while also containing scripts that specifically threaten critical infrastructures.
We know that industrial network traffic is heavily regulated and that introducing foreign packets is absolutely prohibited—which is why these pieces of malware are so dangerous. Defending your industrial Ethernet from advanced malware requires a true visibility plane.
Passive Visibility Is the Key to Defending the Industrial Ethernet
Many cyber security measures have not been developed specifically for industrial Ethernet environments. Now that there is real-world example of an industrial Ethernet hack, it’s time for the industry to innovate and protect our critical infrastructures. The solution might seem to be a litany of active in-line security appliances throughout the network—but the network traffic restrictions make this an unfeasible approach.
Passive network TAPs are essential to industrial Ethernet connectivity because they are purpose-built, un-hackable and capable of enabling network monitoring without affecting traffic flow. According to Chris Sistrunk, TAPs are a great way to gain visibility into a network, both to look for evil, but to also detect misconfigurations and devices with firmware problems. Chris writes in detail in his, It's a TAP blog about the 4 Considerations when installing a TAP in ICS.
With passive network TAPs and the innovative solutions they are developing for the industrial Ethernet, companies can work towards defending themselves from a critical infrastructure attack like the one in Ukraine.
