Top 5 Actions to Prepare for the Next CrashOverride-Style Attack

Imagine a major capital city with a population between that of Paris and Rome losing a large part of its electrical power a few days before the end of year festivities, all because of malware infection. This case is real. On December 17-18, 2016, Kiev, capital of Ukraine, suffered severe power outage. The indications are that the power cuts were caused by the CrashOverride virus (also known as Industroyer). However, Kiev may be only one of any number of targets. CrashOverride has been built to be easily adaptable to other power supply infrastructures in the world. It’s time to take defensive action.

Know Your Enemy
CrashOverride leverages industrial communication protocols used around the world to control electricity substation switches and circuit breakers. These protocols have little or no cybersecurity built in. CrashOverride therefore simply uses these protocols as they have been designed to be used. Its commands look like authentic messages, because that’s effectively what they are. This makes detection correspondingly more difficult. Designed as a toolset, the virus can potentially be adapted to disrupt water, gas, and other distribution networks, not just electricity.

CrashOverride, Step by Step
The virus operates in several phases. It starts with infection, using backdoors to contact a remote command and control server. Next comes discovery of the infected network and control system. After this, the malware attacks, directly controlling switches and circuit breakers. It also makes machines unusable and wipes system data to cover its tracks.

Top 5 Actions to Resist CrashOverride

1. Establish baselines for the use of industrial protocols used in your installations. For the power sector specifically, these protocols include IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OLE for Process Control Data Access (OPC DA). These are the protocols targeted so far. However, other protocols should be monitored, for instance DNP3, given the possibilities for attackers to extend and customize CrashOverride. Then compare protocol usage levels with baselines to detect possible attacker activity.
2. Segment your network to restrict access from the outside, including the Internet, especially for control system networks. Configure firewall rules to filter or block traffic to different segments. Use an intrusion detection system (IDS) to monitor traffic, using available rules and signatures to detect CrashOverride. For any necessary remote access, increase security for such access, for instance by using robust VPN access.
3. Make backups of network, system, and engineering files. These can include network and ICS (industrial control system) project plans, configuration files, and application installers. Respect the 3-2-1 backup rule, meaning make at least three copies of each piece of data to be backed up, using two different formats (different storage media), and storing one of those copies offsite. Test your backups too. Make sure that you can recover fully operational systems (with all necessary configurations and interconnections) from those backups. These precautions will help guard against the data wiping functionality in CrashOverride.
4. Prepare incident response plans for CrashOverride. Ensure that all stakeholders are involved in the design and testing of the plans: for instance, operations, security, IT, and engineering. Run table top exercises with these stakeholders to clarify roles and responsibilities, and to iron out any hiccups in containment, remediation, and recovery procedures.
5. Deploy network technology that allows you to control your network segments and network switches from a central location. Software-defined networking (SDN) can let you do this, offering reliable, high performance, affordable management and security. While this deployment may be a longer-term project, bringing in SDN compatible network components over time, it can fundamentally strengthen your industrial network security posture, protecting against CrashOverride and other threats.

CrashOverride represents a new kind of threat to industrial networks and control systems. Besides being considered by experts as the first malware built and used to attack electric grids, its framework design and possibility to carry payloads makes it doubly dangerous. The steps above, from the short term tactical for immediate defense to the longer term strategic for lasting protection, will help enterprises and organizations reinforce their security and reduce the risks associated with the specific threats such as CrashOverride and with cyberattacks in general.