Ukrainian Power Plant Attack from Access Management Perspective
- Cyber Attack on SCADA ICS Environment, SCADA ICS Security, Ukrainian Power Outage
In late December last year, a cyber attack on a SCADA ICS environment caused a power outage in Ukraine. Technical analyses reported that the root cause of the outage was malware that infected the Industrial Control System through spear-phishing emails sent to employees. The emails carried malicious macros which, once enabled, downloaded and activated a trojan on the infected system, allowing further malicious modules to be brought in to carry out the attacker's goals. More detailed analyses of the attack are available from several technical organizations that have the capability to report deep malware analysis; this post is not intended to provide that kind of detailed malware analysis.
Looking at this case from the access management perspective of SCADA ICS security assurance, we can identify at least three root causes in operational practice that can be fixed to prevent a similar incident from happening. The security controls for these root causes are fairly simple and cost effective to maintain and require no high-technology deployment, but they are a process that takes time, especially to develop people's awareness and understanding. The root causes and the recommended security controls are as follows:
1. Segregation of removable media for Personal, Business and SCADA ICS purposes. This point is important because the use of USB sticks, DVDs, portable hard disks and any other type of removable media should follow the same segregation as the purposes themselves.
In this case the SCADA ICS environment carries the highest risk exposure compared to Business and Personal, because it controls and monitors critical processes related to the safe operation of the plant. Therefore the use of any type of removable media in this environment should be made specific, managed, controlled and audited in terms of its AAA (authentication, authorization and accounting) and security posture. Put simply: use dedicated removable media for SCADA ICS and do not mix it with any Business or Personal purpose. Removable media management and its periodic review then need to be covered by a specific policy so that people are aware of and understand the requirement.
2. The second root cause is “do not install or use any software that has no relation to the SCADA ICS purpose”. To be clear, even email access should not be made available in any kind of SCADA ICS environment, because access to this platform opens the environment to many vulnerabilities and threats.
The segregation of SCADA ICS, Business and Personal usage also applies to the use of any kind of application and software. A clear definition of the SCADA ICS applications and software, and of their interdependent access, should be developed and maintained before the operations phase. Uninstalling email clients and banning access to email platforms and the internet on any SCADA ICS platform are the default measures that help ensure a secure SCADA ICS environment. Use Business computing devices to send and receive email or to browse the internet, instead of any SCADA ICS computing device. And if using Business computing devices in a SCADA ICS environment is prohibited, the use of Personal computing devices is even more strictly prohibited, since their control management is usually less secure than that of Business computing systems.
3. The last root cause is “develop and implement a policy to govern the use of Removable Media and User Authorized Activities in the SCADA ICS environment”. Technical capabilities and experience will not function properly without written regulation, and a security policy is one way to properly govern the use and management of removable media and user authorized activities.
Removable media in the SCADA ICS environment should be dedicated and not mixed with Business and Personal use. Its use in any SCADA ICS environment should also be controlled and monitored, for example by scanning it before and rescanning it after it is connected to the environment. Meanwhile, the user authorized activities policy for the SCADA ICS environment should cover the dos and don'ts for every SCADA ICS access and usage activity, for example internet access and email activity within the SCADA ICS environment. A spear-phishing email sent to your business account and opened directly on a SCADA ICS host station cuts several steps out of the cyber attack process and speeds up the attacker's progress toward their goal.
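As an added illustration of the media segregation and auditing described in points 1 and 3 (example code written for this post's argument, not from the original post), the following Python script checks removable-media mount events against a per-environment allowlist and reports media that crosses environments; the inventory, host names, serial numbers and log lines are all constructed samples.

```python
# Added example (not from the original post): check removable-media mount
# events against a per-environment allowlist. Inventory, hosts, serial
# numbers and log lines are all constructed samples.
from collections import defaultdict

# Media serial numbers enrolled per environment; SCADA ICS media is enrolled
# explicitly and nothing else is allowed on SCADA ICS hosts.
APPROVED_MEDIA = {"SCADA": {"USB-SCADA-0001", "USB-SCADA-0002"},
                  "BUSINESS": {"USB-BIZ-0100"}}
HOST_ENV = {"hmi-01": "SCADA", "eng-ws-02": "SCADA", "office-pc-07": "BUSINESS"}

# Constructed mount log: "<timestamp> <host> mount <serial>"
SAMPLE_EVENTS = """\
2015-12-20T08:01:00 hmi-01 mount USB-SCADA-0001
2015-12-20T09:15:00 office-pc-07 mount USB-BIZ-0100
2015-12-20T10:30:00 eng-ws-02 mount USB-BIZ-0100
2015-12-20T11:00:00 hmi-01 mount USB-UNKNOWN-9
2015-12-21T07:45:00 office-pc-07 mount USB-SCADA-0002
"""

def parse_events(text):
    # Return (timestamp, host, serial) for each mount line.
    events = []
    for line in text.strip().splitlines():
        ts, host, action, serial = line.split()
        if action == "mount":
            events.append((ts, host, serial))
    return events

def classify(env, serial):
    # None if the medium is approved for env, otherwise the finding text.
    if serial in APPROVED_MEDIA.get(env, set()):
        return None
    if serial in APPROVED_MEDIA["SCADA"]:
        return "SCADA-designated media used outside SCADA"
    return f"media not approved for {env}"

def audit(events):
    # One (timestamp, host, serial, finding) tuple per policy violation.
    findings = []
    for ts, host, serial in events:
        env = HOST_ENV.get(host, "UNKNOWN")  # unmapped host: no allowlist
        finding = classify(env, serial)
        if finding:
            findings.append((ts, host, serial, finding))
    return findings

def mixed_environments(events):
    # Serials seen in more than one environment, i.e. media being mixed.
    seen = defaultdict(set)
    for _, host, serial in events:
        seen[serial].add(HOST_ENV.get(host, "UNKNOWN"))
    return {s: envs for s, envs in seen.items() if len(envs) > 1}
```

Running `audit(parse_events(SAMPLE_EVENTS))` on the constructed log flags the Business stick mounted on an engineering workstation, the unknown stick on the HMI, and the SCADA stick that later appears on an office PC.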
Access management is a broad term covering many entities related to SCADA ICS security assurance. The root causes and security controls above are part of the recommended action items that can help an organization ensure its SCADA ICS security assurance.