More Sophisticated Ukraine Attack | The Top 20 Cyber Attacks on Industrial Control Systems #7 | iSi

Dig deeper - download the accompanying ebook here

OT / industrial / ICS cybersecurity concepts from the perspective of the world’s most secure industrial sites. Truly secure sites ask different questions, and so get different answers. Subscribe to never miss an episode

EPS. 7 – More Sophisticated Ukrainian Attack
A group of attackers is more sophisticated with respect to cyber-attack tools and the engineering details of electric systems. The attack group phishes a low-volume remote access trojan (RAT) into the IT network, such as the BlackEnergy trojan that was reportedly found on IT networks of the utilities impacted by the Ukrainian attack but was not implicated in the attack. With the RAT, the attackers search for and find additional credentials, eventually compromising the enterprise domain controller. The attack group creates credentials for themselves and logs into ICS servers, reseeding their RAT on the ICS network and ultimately taking over equipment on the ICS network.Once inside the ICS network, the attack group connects to protective relays and reconfigures them, effectively disabling the relays. The group now sends control commands to very quickly connect and disconnect power flows to parts of the grid, damaging large rotating equipment such as the pumps used by water distribution systems. The attackers also redirect power flows in the small number of high-voltage transmission substations managed by the distribution utilities, destroying high-voltage transformers by overloading and overheating them.

These Top 20 attacks have been selected to represent cyber threats to industrial sites across a wide range of circumstances, consequences and sophistication. No industrial operation is free of risk, and different industrial enterprises may legitimately have different “appetites” for certain types of risks. In this series we show how to use the Top 20 Cyberattacks to compare the strength of two security postures at a hypothetical water treatment plant: Defence in depth 2013 (software based security) vs. that same security posture plus a unidirectional security gateway device providing hardware-enfonced security). We ask the question, does either defensive posture reliably defeat each attack? Over the course of 20 episodes we build a score card that can be used to easily communicate risk reduction benefits to business decision-makers who are not familiar with cyber-security.

At Waterfall, Andrew leads a team of experts who work with the world’s most secure industrial sites. He is author of two books on industrial security, a co-author of the Industrial Internet Consortium’s Security Framework, and the co-host of the Industrial Security Podcast. Andrew spent 35 years designing SCADA system products for Hewlett Packard, IT/OT connectivity products for Agilent Technologies, and OT/ICS security products for Industrial Defender and Waterfall Security Solutions.


Newsletter Signup