Reports of a late December cyber attack that caused a widespread power outage in Ukraine signal an escalation in the use of malware to disrupt critical infrastructure, and emphasize the need for a full-spectrum approach to security.
Ukrainian government officials attributed the December 23 power outage, which left about 700,000 homes without electricity for several hours, to a remote-access attack on the industrial control systems of energy companies. If the blackout is confirmed to be the work of attackers, it will be the first documented case of a cyber attack causing a loss of power, and a marked escalation in the use of malware built to disrupt operations, in this case by deleting files so that the affected systems can no longer boot.
BlackEnergy Malware Identified
Malicious software known as BlackEnergy was found on the networks of the targeted Ukrainian power company Prykarpattyaoblenergo – the same malware used in a campaign that targeted U.S. power facilities in 2014. The Department of Homeland Security (DHS) has twice issued warnings about BlackEnergy malware, urging power companies to “isolate industrial control systems from the Internet using reliable defensive measures and sound authentication requirements,” stating, “If you’re connected, you’re likely infected!”
Disruption Attack Highlights Need for Security Planning
While the 2014 U.S. attacks appeared to be for the purpose of espionage, the Ukrainian attack was intended to sabotage or disrupt electricity providers. This highlights the need for a Continuity of Operations Plan, according to Natalie Lehr, vice president of analytics for Secure Halo. “How do you sustain your operations while in a reduced state? The speed of your response is dependent upon your ability to quickly effect a plan that involves the whole organization working together, and which also includes third party dependencies. Having that plan already in place provides clarity of vision.”
Just as significant, when Trojan malware deletes files and renders systems inoperable, backup tapes, kept offline where the malware cannot reach them, are essential to “roll back and restore integrity to systems in order to recover faster,” adds Lehr.
Also notable about the BlackEnergy attacks is their method of delivery: spear-phishing emails carrying a malicious document as an attachment. While the approach is relatively simple, no operation of this type is conducted on a whim, says Mark Lopes, Secure Halo Director of Security Intelligence. He notes that countless hours of planning, targeting, and searching for and finding weaknesses over time are involved. “A piece of technology purchased in 2015 is worthless against a potential adversary who has been planning for years to conduct an attack on an unknown date. They target weaknesses they are confident will exist regardless of technological changes between the targeting phase and the execution phase.”
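As an added example (not code from the original article or from Secure Halo), the following Python mail-gateway check triages incoming attachments for the lure type described above. It assumes the lure is a macro-enabled Office document, which is how the 2015 BlackEnergy documents were built; the sample attachments, file names and verdict/action labels are constructed here for illustration and are not taken from the campaign.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 compound file (Word/Excel 97-2003 .doc/.xls).
# VBA inside these needs a full OLE parser, so the gateway only flags the container.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Extensions that a macro-free OOXML package should carry. A VBA project
# hiding under one of these names is a mismatch worth escalating.
MACRO_FREE_EXT = {".docx", ".xlsx", ".pptx"}


def office_macro_verdict(data: bytes) -> str:
    """Classify an attachment body.

    Returns one of (labels are this example's own, not a standard):
      "macro"      OOXML package that embeds a VBA project (vbaProject.bin)
      "clean"      OOXML package with no VBA project
      "ole-legacy" legacy binary Office file; macros cannot be ruled out here
      "not-office" anything else
    """
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "not-office"
    if "[content_types].xml" not in names:
        return "not-office"
    if any(n.endswith("vbaproject.bin") for n in names):
        return "macro"
    return "clean"


def triage_attachments(attachments):
    """attachments: list of (filename, bytes). Returns list of (filename, verdict, action)."""
    results = []
    for name, data in attachments:
        verdict = office_macro_verdict(data)
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if verdict == "macro":
            # A macro package under a macro-free extension suggests deliberate disguise.
            action = "quarantine-mismatch" if ext in MACRO_FREE_EXT else "quarantine"
        elif verdict == "ole-legacy":
            action = "sandbox"  # hand to detonation / an OLE-aware scanner
        else:
            action = "deliver"
        results.append((name, verdict, action))
    return results


def _build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (sample input, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample mailbox: a macro lure of the kind the article describes,
# beside benign files and a legacy-format document.
SAMPLE_ATTACHMENTS = [
    ("invoice.docm", _build_ooxml(with_macro=True)),
    ("report.docx", _build_ooxml(with_macro=False)),
    ("schedule.docx", _build_ooxml(with_macro=True)),  # macro package under a macro-free name
    ("old_memo.doc", OLE_MAGIC + b"\x00" * 64),
    ("notes.txt", b"plain text"),
]

if __name__ == "__main__":
    for name, verdict, action in triage_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name:15} {verdict:11} {action}")
```

The check only looks at the container, which is deliberate: it is cheap enough to run on every message, and anything it cannot clear (legacy OLE files) is routed to a sandbox rather than delivered. A production gateway would add an OLE-aware macro parser and verify the package's declared content types, since the archive listing alone says nothing about what the macro does.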
Proactive Posture is Best Defense
What can asset owners take away from the 2014 and 2015 intrusions? That an enterprise-wide approach to cybersecurity will provide the best defense against an adversary that is constantly evolving its methods and is patiently probing for vulnerabilities, preparing for the moment to execute when the order is given. Consider the following:
- While deploying technical sensors to detect and respond to advanced persistent threats is good practice, it is not a panacea since threats change and the people implementing policy are fallible.
- Cybersecurity insurance provides a backup to IT tools, systems and processes. It can help offset liability and speed a company’s return to business, and when approached as a proactive rather than a purely reactive measure, it can be a significant part of a risk management strategy.
- Security assessment as part of the underwriting process identifies vulnerabilities, both within an organization, and among third parties, such as vendors and partners. An assessment also informs the strategic planning process that enables companies to respond to and shorten an attack window.
- Boards of directors, the government, and the public increasingly demand that companies demonstrate mature security practices – and the resiliency that results from them. A comprehensive security assessment report captures security maturity and provides actionable recommendations to mitigate deficiencies – in essence, a roadmap for improved security.
U.S. companies can’t possibly expect to enact security protocols that will compete with sophisticated and constantly evolving adversaries. This is a lesson already learned by major retailers, health insurers and the financial sector. However, insurance combined with a comprehensive risk assessment provides the power of proactive risk mitigation.