[SystemSafety] Ukrainian Electricity-Grid Malware Found "in the Wild"

Ignacio González (Eliop) igtorque.eliop at googlemail.com
Mon Jun 26 10:16:18 CEST 2017


Right. I tend to forget the "part 5" part of the name. Parts 1 to 4 of the
standard are even more venerable.

On 25/6/2017 8:31, "Peter Bernard Ladkin" <ladkin at rvs.uni-bielefeld.de>
wrote:

> In Risks Forum 30.34 there was a pointer to an article in ars technica by
> Dan Goodin on malware used to attack the electricity grid in Kiev in 2015.
> This is apparently an automated advance on methods used by the same
> suspected group to attack the Ukrainian grid in December 2015.
> https://arstechnica.com/security/2017/06/crash-override-malware-may-sabotage-electric-grids-but-its-no-stuxnet/
>
>
> Goodin relies on a report from security firm Dragos
> https://dragos.com/blog/crashoverride/CrashOverride-01.pdf . There is also
> a short report from Anton Cherepanov of Slovakian antivirus company ESET
> https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/
> Dragos credits ESET with notifying them of the existence of the malware.
> BTW, Dragos is incorrect in suggesting that 104 is an IEC protocol (see,
> e.g., Figure 1). There is an ETSI TS 104 specifying communication protocols
> for low-level devices in the so-called "smart grid" (unlike IEC standards,
> the ETSI standard is available for free on-line - reference below).
>
> The 2015 attack used some tools to wipe traces, but it was largely executed
> by humans. The short March 2016 SANS report can be found at
> http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf
> See the last paragraph of "Capability", on pp5-6, for the attribution of
> the outages to direct interaction with the adversary.
>
> The newer more-automated version includes exploits using standardised
> communication protocols for electricity-grid operations. Goodin says:
>
> [begin quote Goodin]
> The fluency in at least four international communications protocols used
> in electric grids is a testament to the "tradecraft" of Crash Override.
> The mastery means that the team that developed the malware had extensive
> experience with the way electric grid systems work.
> [End quote Goodin]
>
> I checked. IEC 61850 concerns "Communication networks and systems for
> power utility automation" and has 29 parts
> https://webstore.iec.ch/publication/6028 The first six parts alone
> incorporate almost 850 pages (I assume from experience that about a third
> of this will be boilerplate, but still it's a lot). ETSI TS 104 concerns
> "smart-grid" protocols
> http://www.etsi.org/deliver/etsi_ts/104000_104099/104001/02.01.01_60/ts_104001v020101p.pdf
> Yes, it looks to me as though experience is required just to be able to
> find your way around these standards.
>
> PBL
>
>
>
> Prof. Peter Bernard Ladkin, Bielefeld, Germany
> MoreInCommon
> Je suis Charlie
> Tel+msg +49 (0)521 880 7319  www.rvs-bi.de
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE