Security firms Dragos and ESET on Monday highlighted a new malware framework, CrashOverride, which targets industrial control systems to take down electric grids.
U.S. infrastructure security firm Dragos alleged that this malware was used in a cyberattack that briefly shut down power in parts of Kiev, Ukraine in December.
"[CrashOverride] marks an advancement in capability by adversaries who intend to disrupt operations and poses a challenge for defenders who look to patching systems as a primary defense, using anti-malware tools to spot specific samples, and relying upon a strong perimeter or air-gapped network as a silver-bullet solution," said Dragos founder Robert Lee in a report. "Adversaries are getting smarter, they are growing in their ability to learn industrial processes and codify and scale that knowledge, and defenders must also adapt."
CrashOverride uses two backdoors to manipulate settings on electric power control systems. The malware also features a component for erasing critical system files and a port scanner that helps hackers map out infected networks.
The malware contains four modules that are specific to industrial control systems and exploits four protocols in these systems – IEC 101, IEC 104, IEC 61850, and OLE for Process Control Data Access.
CrashOverride is similar to Stuxnet, another piece of malware, first identified in 2010, that targeted industrial control systems. Lee stressed that the malware is capable of taking down a grid for a few days, but it is not powerful enough to bring down a country's grid. The malware is also designed to disrupt service, not to destroy equipment as the earlier industrial control system malware Stuxnet did.
There are several steps that industrial vendors can take to protect their industrial control systems, according to Dragos. Electric utility security teams should have a clear understanding of where and how the various targeted IEC protocols are used. The malware can also be detected if utility companies monitor their networks for abnormal traffic.
Finally, customers need to prepare incident response plans for this attack that map out the appropriate teams in engineering, operations, IT, and security around their systems.
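The monitoring step above, as an added example that is not from the article or from Dragos: a minimal parser for IEC 60870-5-104 frames (one of the four protocols named) that flags control-direction commands, the ASDU types used to switch breakers, when they come from a host outside an allow-list of known SCADA masters. The frames, IP addresses and allow-list are constructed for the example.

```python
import struct

APCI_START = 0x68
# Control-direction ASDU type identifiers defined in IEC 60870-5-101/-104.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    100: "C_IC_NA_1 interrogation command",
}

def parse_apdu(data: bytes):
    """Parse one IEC 104 APDU. Returns ASDU header fields for I-format frames,
    None for S/U-format frames (which carry no ASDU) or malformed input."""
    if len(data) < 6 or data[0] != APCI_START or data[1] + 2 != len(data):
        return None
    if data[2] & 0x01:          # control octet 1, bit 0 set => S or U format
        return None
    asdu = data[6:]
    if len(asdu) < 9:           # type, VSQ, 2-byte COT, 2-byte CA, 3-byte IOA
        return None
    return {
        "type_id": asdu[0],
        "cot": asdu[2] & 0x3F,  # low 6 bits: cause of transmission (6 = activation)
        "common_addr": struct.unpack("<H", asdu[4:6])[0],
        "ioa": int.from_bytes(asdu[6:9], "little"),
    }

def find_rogue_commands(frames, allowed_masters):
    """frames: iterable of (source_ip, apdu_bytes). Reports every control
    command whose source is not a known SCADA master."""
    alerts = []
    for src_ip, data in frames:
        asdu = parse_apdu(data)
        if asdu and asdu["type_id"] in CONTROL_TYPES and src_ip not in allowed_masters:
            alerts.append((src_ip, CONTROL_TYPES[asdu["type_id"]], asdu["ioa"]))
    return alerts

# Constructed sample traffic, not a real capture:
SAMPLE_FRAMES = [
    ("10.0.0.20", bytes.fromhex("680407000000")),                              # U-format STARTDT act
    ("10.0.0.5",  bytes.fromhex("680e000000002d0106000100e8030001")),          # single command, IOA 1000, from the HMI
    ("10.0.0.20", bytes.fromhex("6812000000000d01030001000100000000803f00")),  # measured float from an RTU
    ("10.0.0.77", bytes.fromhex("680e000000002e0106000100d0070002")),          # double command, IOA 2000, unknown host
]
ALLOWED_MASTERS = {"10.0.0.5"}  # assumed address of the legitimate SCADA master

if __name__ == "__main__":
    for alert in find_rogue_commands(SAMPLE_FRAMES, ALLOWED_MASTERS):
        print("ALERT: control command from %s: %s (IOA %d)" % alert)
```

In practice the allow-list would be derived from the inventory of where the IEC protocols are legitimately used, and the same check applies to IEC 101 ASDUs once the serial framing is stripped.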
Many customers with industrial control systems are unprepared for security attacks on connected devices, said Marc Harrison, president of Silicon East, a Marlboro, N.J.-based solution provider that specializes in building automation.
"These devices will never be made secure because manufacturers are not in the [IoT security] business," he said. "There will be far more devices on the internet in the future, and this problem will only grow exponentially. In industrial automation, it's not just about taking machines down – the kinds of attacks possible are endless. Hackers can get very creative."