What you—yes, you!—can learn from the Ukraine power attack

Cybersecurity experts offer advice on how to keep a hacker out of your computer—especially if you work for a power company.

First question—do you work for a power company?

Second—do you use the Internet?

If you answer yes to either question, then you can learn from the cyber attack in Ukraine that caused trouble for energy companies there and may or may not have shut down power to hundreds of thousands of people.

It turns out, you and your co-workers may be the weakest link in the chain, opening the door for hackers to plant malware on your computer and in your company’s system.

“The failure of even one employee can allow a successful attack,” said Patrick Coyle with Chemical Facility Security News.

Researchers say they found malware on the systems of the affected Ukrainian energy companies, delivered through e-mail messages to people at those companies.

“The biggest observation I can make is that infection and transmission of malware is generally unintentional, conducted by those who believe in their hearts they are doing the right thing and who are unaware of the risks of certain activities,” said Michael Toecker with Context Industrial Security.

Stop the mindless clicking

A recent survey by Kaspersky Lab found that there is a lot of room for disaster.

“When it comes to trusting their ‘friends,’ a quarter (26 percent) of those surveyed would have no hesitation to click on a link sent by a friend without asking what it is, or considering that the sender’s account could have been hacked,” reported SC Magazine.

“Most of the things that organizations can do to prevent a successful phishing attack rely on ordinary employees to take proactive security decisions every day,” said Coyle.

“This means that effective and repeated training must be conducted for everyone with access to a company network, either by corporate computers or personal electronic devices,” he said.

High risk

If you work at a power company, the stakes may be high.

“Utilities and other owners of infrastructure should ensure they are monitoring incoming emails for malicious emails, and are training their users—especially those with control system access—on recognizing signs of maliciousness,” said Toecker.

It is not just utilities that need to worry about a Ukraine-style cyber attack. The same types of control system equipment are used by many different industries, Coyle said.

“Another critical infrastructure community that should pay particular attention to this situation is the chemical industry,” he explained. “Particularly facilities that have large amounts of toxic inhalation hazard chemicals on site.”

“An electric outage of a couple of days is a problem that many people deal with every year due to storms,” he said. “A major release of a toxic chemical like chlorine gas could immediately kill or injure large numbers of people.”

What should companies do right now?

Review your security systems, advised the Electricity Information Sharing and Analysis Center, in a confidential document to utilities.

“Stay calm,” said Chris Blask, director at the Cyberspace Research Institute and chair of the Industrial Control System Information Sharing and Analysis Center. “There isn’t any dramatic action you’re going to take in the next five seconds.”

First, he said, find out what information you can about the attack.

“What was it, how does it apply to us, can I find out what it was, is it an imminent threat?” asked Blask.

That requires knowing your company’s actual infrastructure, he said: an inventory of devices, their makes and models, and how the equipment normally behaves.

Here is the bad news.

“Every organization should be in a position to do that,” Blask said. “Most aren’t.”

Awareness

The awareness numbers are better for power companies, Blask said. He said the percentage of utilities with this knowledge is in the ‘high 90’s.’

His organization has been working with companies and government agencies in Ukraine on this kind of awareness and on other cybersecurity issues, and encouraging organizations to share information about attacks so that there are fewer victims. He said the country needs to develop technology leadership skills.

“Do I know the behavior of my infrastructure?” he asked. “We, as a nation, should know.”

Your next step

There are steps companies using industrial control systems should be taking to keep attackers out, cybersecurity experts say.

“Compartmentalize the important stuff,” said Patrick C. Miller with Archer Security Group.

That way, an employee clicking on a tainted e-mail—as researchers say may have happened in the Ukraine attack—should not have the same impact.

“One must not mix computers used for general purpose—email and such—with computers used to program/control or otherwise interact with ‘critical systems,’” said Andrew Mazurek, a Toronto-based cybersecurity professional. “Your network architecture/separation reduces potential exposure and slows down attackers.”

How to do it

Create a “demilitarized zone,” or DMZ, Miller said.

A DMZ is a controlled zone placed between two networks of different trust levels, with traffic into and out of it restricted by firewalls, so that a machine in the DMZ can be reached from the less trusted side without giving that side a direct path into the more trusted one.

Move anything that is not absolutely required to manage your operational environment, like printers and workstations with e-mail or Office products, into the DMZ, outside of the “highest trust” zone—the operations network, he said. 

“If, for example, you need Excel to model some operational conditions, use a replicated copy of the operations data on a workstation with MS Office within the DMZ,” Miller said. “Then get MS Office, anything Adobe, Java and other regular or known highly-vulnerable software, out of the ‘highest trust’ operations network entirely. Follow up with uberlogging, whitelisting, system integrity and network security monitoring everywhere you can.”

“Strip it down, shrink wrap it, and don’t break the seal,” he added.

Costs of a more secure architecture

Creating this secure network architecture is not the least expensive or most operationally efficient option, said Miller.

“But, it’s cheaper than an outage and being the global poster-child for a cyber incident,” he said. “Chances are, you’ll even minimize ‘accidental’ problems with this model as well.”

Moving from zone to zone

Cybersecurity experts say utilities and other “owners of infrastructure” should have controls in place to prevent the transfer of data from their office environment into the control environment—except under very specific conditions governed by a cybersecurity policy.  

“If you’re placing data/programs into your control system, have a good understanding of what it’s supposed to do, and follow a validity check process,” said Toecker.

He said anti-virus programs are becoming less and less reliable, but the data should still be scanned by anti-virus products, preferably from multiple vendors.

“An integrity check via digital signature or SHA-256 hash should be performed to validate that the file originated from the source, and wasn’t maliciously modified in transit,” Toecker added.

“Lastly, files should be tested in a sandbox-type environment to see what behavior is exhibited, and if it conforms to expectations,” he said.
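As an added example, not code from the article or from any of the people quoted in it, here is a small Python “transfer gate” implementing the integrity step Toecker describes for files crossing from the office network into the control environment. It checks each staged file against a manifest of SHA-256 hashes and authenticates the manifest itself with an HMAC under a pre-shared key; the HMAC is a stand-in for the digital signature a vendor would normally supply (in production you would verify the vendor’s signature with a PKI library instead). The file names, contents and key are all constructed for the demonstration. One caveat the quote leaves implicit: a bare hash only proves anything if it reached you over a different channel than the file, because whoever can tamper with the file in transit can usually tamper with a hash shipped alongside it, which is why the manifest is authenticated here rather than trusted as-is. Anti-virus scanning and sandbox testing are left to dedicated tooling.

```python
"""Transfer gate for files entering a control network.

Added example, not from the article. Assumes an engineering/vendor side that
publishes a manifest of SHA-256 hashes and authenticates it with HMAC-SHA256
under a pre-shared key (stand-in for a real digital signature). Every file
name, file content and the key below are constructed for the demonstration.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict

MANIFEST_KEY = b"example-preshared-key"  # constructed; a real deployment uses PKI


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large firmware images do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(entries: Dict[str, str]) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(entries: Dict[str, str], key: bytes) -> dict:
    """Sender side: {filename: sha256hex} plus an HMAC tag over the canonical form."""
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"files": entries, "hmac_sha256": tag}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    """Receiver side: reject a manifest whose tag does not verify (constant-time compare)."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["hmac_sha256"])


def check_transfer(staging_dir: Path, manifest: dict, key: bytes) -> Dict[str, str]:
    """Return a verdict per file: 'ok', 'hash-mismatch', 'missing' or 'not-in-manifest'.

    If the manifest itself fails authentication nothing is admitted and the
    single verdict {'*': 'manifest-rejected'} is returned.
    """
    if not verify_manifest(manifest, key):
        return {"*": "manifest-rejected"}
    listed = manifest["files"]
    verdicts: Dict[str, str] = {}
    for name, expected in listed.items():
        path = staging_dir / name
        if not path.is_file():
            verdicts[name] = "missing"
            continue
        actual = sha256_file(path)
        verdicts[name] = "ok" if hmac.compare_digest(actual, expected) else "hash-mismatch"
    # Anything in the staging area that the signed manifest does not list is
    # refused too: an extra file smuggled into the batch must not ride along.
    for path in staging_dir.iterdir():
        if path.is_file() and path.name not in listed:
            verdicts[path.name] = "not-in-manifest"
    return verdicts


def demo() -> Dict[str, str]:
    """Build a constructed staging directory, tamper with it, and run the gate."""
    staging = Path(tempfile.mkdtemp(prefix="transfer-gate-"))
    (staging / "plc_logic_v12.bin").write_bytes(b"\x00\x01" * 512)  # constructed
    (staging / "hmi_config.xml").write_bytes(b"<hmi/>")              # constructed
    entries = {n: sha256_file(staging / n) for n in ("plc_logic_v12.bin", "hmi_config.xml")}
    manifest = sign_manifest(entries, MANIFEST_KEY)
    # Simulate modification in transit plus an unlisted file added to the batch.
    (staging / "hmi_config.xml").write_bytes(b"<hmi><script>evil</script></hmi>")
    (staging / "update.exe").write_bytes(b"MZ...")
    return check_transfer(staging, manifest, MANIFEST_KEY)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:16} {name}")
```

Run stand-alone, the demo admits only the untouched PLC image, flags the edited HMI configuration as a hash mismatch and refuses the unlisted executable; with a wrong key the whole batch is rejected before any file is examined.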

A new kind of on-the-job accident

Workplace safety is moving in a new direction, according to cybersecurity experts.

“We used to have a problem with safety culture in this country,” said Toecker. “Once upon a time, an employee could arrive at site for industrial work, and stand an unacceptable risk of having a life-altering accident.”

“Now we are challenged in cyber security, where an employee could arrive for work, answer an e-mail, and introduce malware that allows attackers into the company,” he said.