Tuesday, June 13, 2017

CRASHOVERRIDE And The Threat To The Grid

Yesterday Dragos and a few other security vendors issued a report outlining a new piece of malware called CRASHOVERRIDE. 

Essentially, after being loaded onto an HMI, this malware installs additional backdoors and tools, then executes a launcher and uses the OPC protocol to map the network on which it is located. It can then issue commands using modules for various industrial protocols, and finally issue a command to wipe the HMI. Commands issued via these protocols can result in rapid triggering of relays and a DoS attack by blocking communication via the HMI's serial port.

This can result in islanding of portions of the grid and general instability. 

This sounds pretty bad, but I have had a number of talks over time with craftsmen and substation operations people about stuff like this. Their response has been consistent: if something like this attack were to take place, they can take the network offline and use manual control.

In addition, from what I have read, this attack can be detected by noting unusual traffic on port 3128 and attempts to communicate with 4 or 5 TOR sites. It also appears that application whitelisting (one of the controls that appears on the CIS Top 20, ASD Top 35 and IAD Top 10) would be helpful in preventing this attack.
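The two network indicators mentioned above (traffic to port 3128 and contact with a handful of TOR nodes) are the kind of thing a firewall or flow log review can catch. The following is an added example written for this post, not code from the post, from Dragos or from US CERT. The control-network range, the TOR node addresses and the log lines are all constructed placeholders; a real deployment would load current TOR relay addresses from a threat-intelligence feed and read its own firewall's log format.

```python
"""Flag flow records matching two indicators: traffic from the control
network to TCP port 3128, and any attempt (allowed or denied) to reach a
known TOR node. Every address and log line here is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: the address range of the substation / HMI network.
CONTROL_NET = ipaddress.ip_network("10.10.20.0/24")

# Constructed placeholder TOR node list (TEST-NET addresses). In practice,
# populate this from a current relay list rather than hard-coding it.
TOR_NODES = {"198.51.100.7", "203.0.113.44", "203.0.113.45"}

WATCH_PORT = 3128  # the port called out in the reporting


@dataclass
class Alert:
    src: str
    dst: str
    dport: int
    action: str
    reason: str


def parse_flow(line: str) -> Optional[dict]:
    """Parse a constructed flow record:
    '<timestamp> <src_ip> <dst_ip> <proto> <dst_port> <ALLOW|DENY>'.
    Returns None for lines that do not fit, so junk never raises."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, action = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        port = int(dport)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.upper(),
            "dport": port, "action": action.upper()}


def detect(lines: List[str], tor_nodes=TOR_NODES, watch_port=WATCH_PORT) -> List[Alert]:
    """Return one Alert per matching indicator. Denied flows are kept on
    purpose: an *attempt* to reach a TOR node is itself the signal."""
    alerts: List[Alert] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        # Only flows originating inside the control network are of interest.
        if ipaddress.ip_address(flow["src"]) not in CONTROL_NET:
            continue
        if flow["proto"] == "TCP" and flow["dport"] == watch_port:
            alerts.append(Alert(flow["src"], flow["dst"], flow["dport"],
                                flow["action"], "traffic to TCP/3128"))
        if flow["dst"] in tor_nodes:
            alerts.append(Alert(flow["src"], flow["dst"], flow["dport"],
                                flow["action"], "known TOR node"))
    return alerts


def tor_contacts_per_host(alerts: List[Alert]) -> Dict[str, int]:
    """Count distinct TOR destinations per internal host, so a host that
    has touched several nodes stands out from a single stray connection."""
    seen: Dict[str, set] = {}
    for a in alerts:
        if a.reason == "known TOR node":
            seen.setdefault(a.src, set()).add(a.dst)
    return {host: len(dsts) for host, dsts in seen.items()}


# Constructed sample log; the first three lines are the suspicious ones.
SAMPLE_FLOWS = [
    "2017-06-12T03:14:07Z 10.10.20.5 10.10.20.9 TCP 3128 ALLOW",
    "2017-06-12T03:14:09Z 10.10.20.5 198.51.100.7 TCP 443 ALLOW",
    "2017-06-12T03:14:11Z 10.10.20.5 203.0.113.44 TCP 9001 DENY",
    "2017-06-12T03:15:00Z 10.10.20.7 10.10.20.1 TCP 102 ALLOW",   # ordinary internal traffic
    "2017-06-12T03:15:02Z 10.10.20.7 192.0.2.10 UDP 123 ALLOW",   # ordinary time sync
    "this line is not a flow record",
]

if __name__ == "__main__":
    found = detect(SAMPLE_FLOWS)
    for alert in found:
        print(f"{alert.src} -> {alert.dst}:{alert.dport} [{alert.action}] {alert.reason}")
    print("TOR contacts per host:", tor_contacts_per_host(found))
```

Run against the constructed sample, this produces three alerts, all for the same HMI host: one for the port 3128 connection and two for distinct TOR nodes (one of them a denied attempt). The per-host count is what turns "a few odd connections" into the pattern the post describes.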

All in all, worrying but not catastrophic.

(US CERT issued an alert that basically agrees with me)
