The European SPARKS project has developed solutions to address malware threats to control systems in the smart grid.
For the utility sector, Crashoverride, or Industroyer as it was also named, should be the ultimate wake-up call on security, if any further is needed.
Taking its name from its self-identifying ‘crash’ in multiple locations, Crashoverride is the malware framework identified as that used in the widely publicised cyber-attack on Ukraine’s electric grid in 2016.
“Crashoverride is not unique to any particular vendor or configuration and instead leverages knowledge of grid operations and network communications to cause impact,” states a white paper from security company Dragos, following an investigation at the request of the Slovak anti-virus firm ESET.
“The functionality in the Crashoverride framework serves no espionage purpose and the only real feature of the malware is for attacks which would lead to electric outages.”
While Dragos rates Crashoverride as “not cataclysmic” as it would result in “hours, potentially a few days, of outages, not weeks or more,” it is nevertheless of great concern.
Crashoverride is the first-ever malware framework designed and deployed to attack electric grids. It is also the second example, after Stuxnet in 2010, of malware targeting industrial control systems.
And the worry is that in the longer term these types of threats are going to play increasingly into the physical domain, Paul Smith, Senior Scientist at the Austrian Institute of Technology (AIT), told Engerati in an interview.
“At present operators are having to deal mostly with ransomware type attacks and encrypting of disks but we are starting to see evidence of the problem migrating towards SCADA and other systems that control physical processes,” he says.
“In the Ukraine case, there was no financial incentive for the threat actor but it is easy to imagine a future ransomware capability focused on physical processes.”
As the coordinator of SPARKS, Smith has been working on this very issue. With a focus on smart grid cybersecurity, and specifically the impact on industrial control systems and the physical processes they control, this three-year European project is now close to being wrapped up.
“At the time we established the project Stuxnet was well established, and we wanted to explore the potential for this sort of threat and what it would look like with the advent of smart grids,” he says.
In order to guide the project, a multi-stage demonstration was developed in which the response of a set of photovoltaic inverters could be manipulated to mimic a cyber attack, for example by shutting them off or causing an over- or under-voltage.
“This had a dual purpose,” Smith explains. “On the one hand, it was a motivational piece for the sector to understand the systemic consequences of a cyber attack by seeing it in reality. On the other hand, it could form the basis for building out a response capability to that sort of threat.”
Another strand of the project focused on guidance for the energy sector, drawing on the large number of guidelines, standards and other information appearing from organisations such as the Smart Grid Information Security Working Group in Europe and the National Institute of Standards and Technology (NIST) in the US.
Smith says that the aim has been to come up with solutions that are sympathetic to the cyber-physical nature of the smart grid and the threats that may occur.
One of these is the guidance on risk assessment, which extends the ISO 27005 risk management process and shows how it may be applied to support the development of secure architectures in the smart grid.
This phase of the project also included a gap analysis, which Smith says highlighted an absence of approaches to incident response.
“We found that the focus is primarily defensive and while things like encryption and firewalls are important, very little has been done on how an organisation such as a DSO should respond to a threat like the Ukraine incident,” he comments. “This is an important gap for future work.”
The project also produced technology solutions that can be implemented in the smart grid to detect and respond to these new threat types.
These include an intrusion detection system, which was developed from two aspects: one to detect attacks to SCADA systems and the second to detect anomalous data from smart meters.
They also include a control package which can be located near to or integrated into field devices, such as inverters, in order to support grid resilience.
“Both of these are unique,” says Smith. “And by combining them, when the control module knows the grid is under attack from the intrusion detection system, it is able to apply a more conservative set point and therefore minimise the impact from an operational point of view.”
Smith comments that one interesting point to emerge was that the full range of skills covering cybersecurity, control systems and power systems was needed in the project.
“Without one of these, we would not have been able to develop the capabilities we did.”
He adds that the work is continuing in several projects currently underway at the AIT Austrian Institute of Technology.
One of these is LarGo!, with a focus on the large-scale deployment of new energy services. Another is VirtueGrid, which is investigating the use of virtualisation as a basis for adaptation, e.g. during power outages or configuration changes in the grid.
Work is also under way on physical unclonable functions, a new technology with the potential to authenticate smart meters and other devices in the grid, but one that still requires five or more years of development.
“A key focus has been to build contacts with other research projects around Europe so that the findings can be adopted and extended,” Smith comments.
He also adds that further work is needed on standards and regulation to drive the uptake of solutions such as SPARKS’ intrusion detection system and resilient controller.
“The new energy system adds complexity, with utilities, aggregators, prosumers, etc. What are the interfaces and the responsibilities? These are key questions to securing the smart grid.”