The threat to industrial control systems from hackers is real!

Phoenix Contact has been working with customers in need of Cyber Security for over 10 years and has a deep understanding of Industrial Control Systems from machine building all the way up to major infrastructure projects. We have worked with RS components on many projects through-out the years.

We have heard of WannaCry, it has been widely reported in the Media. It was responsible for the takedown of most of the operational capability of the UK National Health System. This mostly affected Enterprise IT, but in the age of Industry 4.0 and IIoT (Industrial Internet of Things) it crossed over to Operational Technology (OT). Industroyer is a different animal all together.

Industroyer Stuxnet v4.0

Industroyer, also known as Crashoveride, was responsible for turning out the lights of almost 225,000 people in Ukraine on the 17^th December 2016. The attack that lasted 1 hour is now widely regarded as a large scale test of the malicious code.  Using the OPC Data protocol, this is used in power supply infrastructure, transportation and many other critical systems like oil and gas as well as water.

Industroyer was seen to be controlling substation switches as well as the main circuit breakers directly, so you can understand why this is being taken seriously by many companies, tech industry and governments alike. The problem is that the malicious code uses OPC exactly how it is supposed to be used, making detecting the code extremely difficult. OPC, developed in 1996 under the name OLE for Process Control, was built with the understanding that these systems would not be connected to the internet, so there were no security algorithms built into the protocol itself. Therefore the attackers did not need to worry about vulnerabilities in the protocol- just build the software code ‘to speak’ the OPC protocol.

Industroyer is the 4^th known successful Industrial aimed malware, the first being Stuxnet- a code originally built by the NSA to take down Iranian Uranium enrichment facilities. Then there was Havex,  built to target SCADA and ICS systems using a RAT (Not the Animal) a Remote Access Trojan written in php. Next was Blackenergy which also attacked a Ukrainian Power station in 2015 which used DDoS (Distributed Denial of Service) tactics to disable the ICS.

Industroyer is a complex malware that has several components which include:-

• Back Door
• Data Wiper
• 4 Payloads (IEC-101, IEC-104, IEC 61850 and OPC DA)

The 61850 OPC DA is the core component of the malware which allows the code to communicate with the circuit breakers and substation. The Industroyer backdoor allows the attacker to connect with the software and execute commands remotely- the server is hidden in the TOR (The Onion Ring) Network aka ‘The Dark Web’. This can be programmed to be active at specific times. The Data wiper is installed via the backdoor and is disguised as Microsoft WordPad or Notepad in a process known as Trojanizing. The Data wiper is there to hide the identity of the hackers but your program goes with it.

Researchers of ESET an anti-virus company and Dragos believe the attackers have a deep understanding of power producing networks and topologies, with understandings of its protocols and infrastructure. 

A report from Dragos states:

The CRASHOVERRIDE malware impacted a single transmission level substation in Ukraine on December 17th, 2016. Many elements of the attack appear to have been more of a proof of concept than what was fully capable in the malware. The most important thing to understand though from the evolution of tradecraft is the codification and scalability in the malware towards what has been learned through past attacks,” The report can be found here.

Phoenix Contact's Cyber security offerings can be found here. If you have any questions regarding our products please contact your local RS dealer / Sales Engineers for more information. 

For more Cyber Security News in Industrial Control systems follow Gareth Chamberlain, Phoenix Contact UK's Cyber Security Specialist on Twitter