17 June 2017

A Cyber-Weapon Warhead Test

By Nicholas Weaver

The Daily Beast has a story on “CrashOverride” (the same malware ESET analyzed under the name “Industroyer”), a computer program best described as a transient anti-infrastructure warhead designed to disrupt the power grid. It was tested live against a Ukrainian substation in December 2016, creating a small blackout. Kim Zetter has another good report at Motherboard, and Dragos has the technical details.

Dragos attributes the attack to “ELECTRUM”, a group it assesses as being associated with Sandworm, an evaluation that is only slightly better than rolling attribution dice. It is probably more accurate to phrase the attribution as “probably Russia, and probably affiliated with the previous Ukrainian power grid attack in 2015.” (The December 2016 attack was the second assault on the Ukrainian power grid.)

The payload of CrashOverride is rather elegant in its simplicity; in a way it is reminiscent of how a toddler might sabotage the lights at home. Once CrashOverride is running on a control system, it begins by mapping out all the circuit breakers it can reach. Once the payload knows where all the switches are, it can launch the primary malicious attack, either by opening all of them at once or, potentially more catastrophically, by repeatedly flipping them open and closed until the substation in question is isolated.

The first type of attack, simply turning off the lights, was reportedly used in December 2016 to cause a small blackout in Ukraine. Dragos also describes an additional module aimed at denying service to protection relays, the safety equipment that is supposed to isolate a fault before it damages equipment or cascades into a wider blackout.
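The two breaker behaviors described above are easy to state as detection rules: one source issuing open commands to many distinct breakers within seconds, and one source flipping a single breaker open and closed over and over. The following is an added example, not code from the original post or from Dragos; the log format (timestamp, source address, breaker id, command), the sample lines, and the thresholds are all constructed assumptions chosen to illustrate the rules, not a real substation's records.

```python
"""Flag CrashOverride-style breaker manipulation in a control-command log.

Two rules from the post: (1) one source opens many distinct breakers within a
short window; (2) one source toggles the same breaker repeatedly. The log
format, sample lines and thresholds below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical format):
#   <ISO timestamp> <source-ip> <breaker-id> <OPEN|CLOSE>
# Three lines of ordinary operator activity, then a burst of opens from one
# host, then that host toggling BRK-07 six times in ten seconds.
SAMPLE_LOG = """\
2016-12-17T22:40:01 10.0.1.10 BRK-03 CLOSE
2016-12-17T22:48:30 10.0.1.10 BRK-05 OPEN
2016-12-17T22:58:12 10.0.1.10 BRK-05 CLOSE
2016-12-17T23:53:00 10.0.5.23 BRK-01 OPEN
2016-12-17T23:53:00 10.0.5.23 BRK-02 OPEN
2016-12-17T23:53:01 10.0.5.23 BRK-03 OPEN
2016-12-17T23:53:01 10.0.5.23 BRK-04 OPEN
2016-12-17T23:53:02 10.0.5.23 BRK-05 OPEN
2016-12-17T23:53:02 10.0.5.23 BRK-06 OPEN
2016-12-17T23:53:03 10.0.5.23 BRK-08 OPEN
2016-12-17T23:53:03 10.0.5.23 BRK-09 OPEN
2016-12-17T23:53:10 10.0.5.23 BRK-07 OPEN
2016-12-17T23:53:12 10.0.5.23 BRK-07 CLOSE
2016-12-17T23:53:14 10.0.5.23 BRK-07 OPEN
2016-12-17T23:53:16 10.0.5.23 BRK-07 CLOSE
2016-12-17T23:53:18 10.0.5.23 BRK-07 OPEN
2016-12-17T23:53:20 10.0.5.23 BRK-07 CLOSE
"""


def parse_log(text):
    """Parse log lines into (datetime, source, breaker, command), sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, src, breaker, cmd = line.split()
        events.append((datetime.fromisoformat(stamp), src, breaker, cmd.upper()))
    events.sort()
    return events


def detect_mass_open(events, window_s=10.0, min_breakers=5):
    """Rule 1: a source opens >= min_breakers distinct breakers within window_s.

    Returns one alert per offending source carrying the largest set of
    breakers it opened inside any single window.
    """
    opens_by_src = defaultdict(list)
    for ts, src, breaker, cmd in events:
        if cmd == "OPEN":
            opens_by_src[src].append((ts, breaker))
    alerts = []
    for src, opens in opens_by_src.items():
        best = set()
        for i, (t0, _) in enumerate(opens):
            in_window = {b for t, b in opens[i:] if (t - t0).total_seconds() <= window_s}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_breakers:
            alerts.append(("mass_open", src, sorted(best)))
    return alerts


def detect_toggling(events, window_s=30.0, min_flips=4):
    """Rule 2: a source changes one breaker's state >= min_flips times within window_s.

    A 'flip' is a command that differs from the previous command the same
    source sent to the same breaker; repeated identical commands do not count.
    """
    cmds_by_key = defaultdict(list)
    for ts, src, breaker, cmd in events:
        cmds_by_key[(src, breaker)].append((ts, cmd))
    alerts = []
    for (src, breaker), cmds in cmds_by_key.items():
        flips = [t for (t, c), (_, prev) in zip(cmds[1:], cmds) if c != prev]
        most = 0
        for i, t0 in enumerate(flips):
            most = max(most, sum(1 for t in flips[i:] if (t - t0).total_seconds() <= window_s))
        if most >= min_flips:
            alerts.append(("toggle", src, breaker, most))
    return alerts


def analyze(text=SAMPLE_LOG):
    """Run both rules over a log and return the combined alert list."""
    events = parse_log(text)
    return detect_mass_open(events) + detect_toggling(events)


if __name__ == "__main__":
    for alert in analyze():
        print(alert)
```

Both rules are deliberately source-agnostic: they do not care whether the commands came from a legitimate HMI or from malware on it, only that the pattern (many breakers at once, or one breaker thrashing) is not how an operator behaves. In a real deployment the thresholds would be tuned to the site's normal switching activity, and the commands would be taken from protocol-level captures rather than a text log.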

Although the attack didn’t affect many customers, it did represent a significant advance over the previous attack in 2015. The 2015 attack affected far more customers but was a manual intrusion: the attackers gained control of systems, mapped out their targets by hand, and then disrupted the power using the information gained.

Unlike the 2015 attack, the December 2016 incident was not a manual operation but rather an automated test. It was the program, not the people, that mapped out the control points needed to shut down the particular power substation. It could work unchanged on many power grids, and adapting it to the U.S. power grid would only require swapping in a module for the control protocols common in North America. Dragos’s description of a modular design, with the grid protocols implemented as interchangeable components, suggests that it is explicitly designed to be retargeted in this manner.

This almost certainly represents what I would describe as a “warhead test,” which aims to see if a malicious payload works. Blacking out a single substation is not a particularly serious threat, but the same payload launched against many systems at once would be effective if an attacker wanted to black out an entire country.

In terms of effect the design brief seems to be effectively equivalent to the reported U.S. military BLU-114/B “Blackout Bomb”. This munition, which was reportedly used in the Serbian air campaign in 1999 to disrupt power to 70 percent of the country, acts to temporarily short out the power grid by spreading conductive fibers over an open substation or generator. So think of this as a Blackout Bomb, just without the need to fly a physical munition over each targeted substation. 

Concern about this attack is not mere hype. Security researchers have long feared attacks on SCADA (Supervisory Control and Data Acquisition) systems, the computers that run our power grids, our oil refineries, our chemical plants, and other critical industrial systems. Human tampering, such as the Ukrainian power grid attack in 2015 or the 2000 attack on an Australian water services plant, is bad. Targeted automated attacks customized for specific infrastructure like Stuxnet are worse, however, as they are designed to defeat air-gap protections.

CrashOverride represents the first-in-the-wild case of a generic automated attack: one that is designed to affect all systems of a given family, not just a particular installation. Many experts privately worried about such attacks but were reluctant to publicize those fears because it might encourage attackers. Now that someone has demonstrated the effectiveness, the security community will be more inclined to speak openly. If someone were to couple this warhead to a self-propagating worm for delivery, it could constitute a global threat.

Safety in a control system is a global property, one defined by the configuration of all the switches, valves, and levers together. A single switch cannot tell on its own whether a given state is safe, which means each switch must respect the commands from the control system. Likewise, the control system that sets the switches must be aware of all of them. This means that, once a malicious payload is running on a control system, it has the ability to discover and arbitrarily set every switch.

Imagine a young child randomly flipping switches in an oil refinery or power substation. The best case scenario would be if some independent safety systems kicked in to shut things down in a mostly orderly manner. Now imagine if the “child playing with switches” scenario occurred at a hundred different places at once.

This kind of threat used to be only a theoretical danger—the kind experts might postulate exists, but didn’t have real proof for the extent of risk. CrashOverride changes this. Its capabilities aren’t all that notable; what is remarkable is that it is possible (reasonable even) to write a payload that is capable of crashing the attached section of the power grid. And it is scary that someone wanted to test it in the wild.

The way the modern supply chain operates amplifies this danger. We have built too many systems optimized toward efficiency and, in that process, assumed that failures are random. For example, if a critical component in a pipeline pump fails, there is a spare part sitting in a warehouse ready for delivery. That works fine as long as failures aren’t coordinated, but that assumption will likely fail in the event of a widespread SCADA attack. An attack against a single substation that damages a critical component is relatively easy to recover from when the spare part is already waiting and ready for delivery. But if the same component fails on a thousand substations and there is no reserve of parts, the power might be out for days or even weeks.

Finally, while this attack would be easier for a nation-state, it is actually something an independent group could accomplish. A group of highly creative and motivated programmers could develop a highly effective payload, though national support would greatly improve logistics, both in terms of purchasing test systems and providing safety and security for a development team. But the nation-state advantages exist as much for a North Korea as they do for Russia; the gains are not a function of country size but of government protection and funding.

The United States and NATO allies are particularly vulnerable to this kind of attack, and our most likely adversaries could clearly develop this sort of capability. There continues to be a lot of work to be done in understanding and defeating these attacks, and in ensuring robust systems are actually deployed.

We also need to design more resilience into our day-to-day lives. In many ways, the consequences of widespread SCADA attack might look quite a bit like the aftermath of a hurricane or major earthquake—though the disruption is more likely to be spread around the nation and not isolated to a smaller region. In many regions, Americans already know they must be prepared for a week or two of emergency supplies to withstand an earthquake, hurricane, or blizzard. CrashOverride should inspire those who live in more stable climates to start making similar preparations as well.
