The Cloud Is Not Quite As Robust As You Think It Is - No Power -> No Internet

After BA and Capita, we see that many companies are still vulnerable to an outage within their data centres. In Australia, Fujitsu has suffered a major outage which took out its cloud services for around five hours (from 9:24pm on 19 August 2017 to 3am the next day). The data centre is located in Sydney's Homebush Bay, and there is likely to be significant data loss, including over 1,000 unrecoverable virtual machines. Fujitsu classed it as a major incident and enacted its crisis management procedure.

The site has two 11 kV ring-main feeds and diesel generators in an N+1 configuration, with the UPSs also in an N+1 configuration. So many are wondering how such a large-scale outage and data loss could occur. Often the answer is a small power failure in one key component that all of the redundant layers depend on, which then causes the whole infrastructure to fail.
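To make that concrete, here is an added example (not from the article, and nothing to do with Fujitsu's actual site) that models a power chain of the kind described and enumerates which single components, and which pairs of components, take the hosted service down. The topology, component names and thresholds are constructed for illustration: two grid feeds, N+1 generators and UPSs, but one low-voltage switchboard feeding every PDU and the chiller controller.

```python
"""Single points of failure in an N+1 power chain (added example, constructed topology)."""
from itertools import combinations

# External energy sources; they are not enumerated as components that can fail.
SOURCES = {"GRID", "DIESEL"}

# Constructed topology: name -> (upstream inputs, minimum number of live inputs needed).
COMPONENTS = {
    "feed_A": (["GRID"], 1),                      # 11 kV ring-main feed A
    "feed_B": (["GRID"], 1),                      # 11 kV ring-main feed B
    "gen_1": (["DIESEL"], 1),
    "gen_2": (["DIESEL"], 1),
    "gen_3": (["DIESEL"], 1),
    "gen_bus": (["gen_1", "gen_2", "gen_3"], 2),  # N+1: any 2 of 3 generators carry the load
    "ats_A": (["feed_A", "gen_bus"], 1),          # transfer switch: grid or generator bus
    "ats_B": (["feed_B", "gen_bus"], 1),
    "ups_A": (["ats_A"], 1),
    "ups_B": (["ats_B"], 1),
    "lv_switchboard": (["ups_A", "ups_B"], 1),    # dual-fed, but still ONE device
    "pdu_A": (["lv_switchboard"], 1),
    "pdu_B": (["lv_switchboard"], 1),
    "chiller_ctrl": (["lv_switchboard"], 1),      # cooling controller, single unit
}


def powered(failed):
    """Return the set of live components once everything in `failed` has failed.

    Fixed-point evaluation: a component is live when at least `k` of its inputs
    are live; a source is live unless it is itself in `failed`.
    """
    failed = set(failed)
    live = SOURCES - failed
    changed = True
    while changed:
        changed = False
        for name, (inputs, k) in COMPONENTS.items():
            if name in live or name in failed:
                continue
            if sum(i in live for i in inputs) >= k:
                live.add(name)
                changed = True
    return live


def service_up(live):
    """The hosted service needs at least one PDU and working cooling."""
    return ("pdu_A" in live or "pdu_B" in live) and "chiller_ctrl" in live


def single_points_of_failure():
    """Components whose failure alone drops the service."""
    return sorted(c for c in COMPONENTS if not service_up(powered({c})))


def fatal_pairs():
    """Pairs of non-SPOF components whose joint failure drops the service."""
    spofs = set(single_points_of_failure())
    return sorted(
        (a, b)
        for a, b in combinations(sorted(COMPONENTS), 2)
        if a not in spofs and b not in spofs and not service_up(powered({a, b}))
    )


if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure())
    print("fatal pairs:", fatal_pairs())
    print("grid lost and two generators down, service up?",
          service_up(powered({"GRID", "gen_1", "gen_2"})))
```

Run against this model, the only single points of failure are the switchboard and the chiller controller, neither of which the N+1 generator and UPS layers protect; the pairs that also drop the service (both UPSs, both transfer switches, both PDUs) are exactly the places where the A/B paths converge. Losing the grid at the same time as two generators also drops it, which is what "N+1" means in practice: one spare, not two.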

Large-scale power failure

Recently it was reported that at least 12 US energy companies, including the Wolf Creek nuclear power plant in Kansas, have been targeted by a cyber attack. While the attacks have mainly been on the administrative networks of the plants, there is a worry that attackers could target the control systems involved.

In a well-designed power plant, the control systems are strongly segregated from the administration network. Another report identified that intruders had tried to crack a Wolf Creek employee's password, and that there were traces of booby-trapped emails used for password harvesting.

A large-scale outage for a country could thus have devastating economic and social impacts. We often think that malware will only affect software systems, but Stuxnet changed all this by showing that code can do physical damage to equipment. With possible nation-state funded activity around taking down the power network, the risks have never been higher, especially in the creation of sophisticated and targeted attacks.

Ukraine attack

A cyber attack on the power supply network hit a Ukrenergo transmission substation near the city of Kiev in December 2016, and cut around one fifth of the city's power consumption. Luckily it only lasted for about an hour, but many think that it was just a test - a dry run - for a more sustained attack.

This attack has now been traced to the Crash Override (or Industroyer) malware. The previous attack on the Ukrainian power infrastructure, in December 2015, involved attackers switching off substations by hand through remote access to the operators' control systems; the newly discovered malware instead learns the topology of the supply network - by communicating directly with control equipment within the substations - and can shut systems down automatically.

Dragos, the company who analysed it, think that it could bring down parts of the energy grid, but not the whole of it, and that the malware sample was timed to activate on 17 December 2016. They also note that the malware can be detected by looking for abnormal network traffic, such as a host enumerating substation addresses and probing for circuit breakers.

At present it is not known how the malware got into the network, but many suspect phishing emails (as with the 2015 attack). Overall, Crash Override infects Microsoft Windows machines within the target network, maps out the control systems in order to locate the key supply points, and records network activity which is sent back to the malware's controllers.

After the discovery phase, Crash Override can load one of four additional payload modules, each speaking a different industrial control protocol (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA), which lets it communicate with different types of equipment (such as Honeywell and Siemens systems). As these protocols are used worldwide, the same malware could be turned on electrical supply networks in other countries.

Doing damage?

Another feature of the malware is that it could potentially damage electrical equipment and cause a large-scale outage. The malware was seen to disable the Siemens SIPROTEC digital protection relay, which is used to shut down electrical equipment if a dangerous surge is detected. It sends a specially crafted packet to the device (exploiting CVE-2015-5374, a denial-of-service flaw in SIPROTEC 4 devices reachable over UDP port 50000), which takes the relay offline until it is manually rebooted.

With the relay disabled, the system would not shut itself down if the electrical supply were overloaded, and the equipment could thus suffer significant damage. Damage of this type could cascade, tripping the whole of the supply network.
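The detection idea from the Dragos analysis above (a host enumerating station addresses and probing breakers) and the relay denial-of-service just described can both be turned into simple network rules. The following is an added example, not from the article and not Dragos or ESET tooling: it encodes and parses minimal IEC 60870-5-104 I-frames (the protocol one of the payload modules speaks), then applies four rules over constructed packet records. The IP addresses, the known-HMI and relay inventory, the thresholds, and the UDP datagram contents are all hypothetical; the datagram sent to the relay here is filler, not the real crash trigger.

```python
"""Industroyer-style ICS traffic rules over constructed IEC 104 and UDP records (added example)."""
from collections import defaultdict
import struct

# IEC 60870-5-104 ASDU type identifiers and the cause-of-transmission used below.
C_SC_NA_1, C_DC_NA_1, C_IC_NA_1 = 45, 46, 100   # single command, double command, interrogation
COT_ACTIVATION = 6
IEC104_PORT, SIPROTEC_UDP_PORT = 2404, 50000    # UDP/50000 is the SIPROTEC 4 DoS vector (CVE-2015-5374)

# Constructed asset inventory (hypothetical addresses).
KNOWN_HMIS = {"10.10.1.5"}
ENGINEERING_WS = {"10.10.1.7"}
RELAYS = {"10.20.3.21", "10.20.3.22"}


def build_iframe(type_id, cot, common_addr, ioa, element, ns=0, nr=0):
    """Encode one IEC 104 I-frame carrying a single information object with a 1-byte element."""
    asdu = struct.pack("<BBBBH", type_id, 1, cot, 0, common_addr)  # VSQ: SQ=0, 1 object; originator 0
    asdu += ioa.to_bytes(3, "little") + bytes([element])
    ctrl = struct.pack("<HH", ns << 1, nr << 1)                     # I-format: bit 0 of first control byte is 0
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu


def parse_iframe(data):
    """Return (type_id, cot, common_addr, [ioa, ...]) for an I-frame, or None for anything else."""
    if len(data) < 12 or data[0] != 0x68 or data[1] != len(data) - 2 or data[2] & 1:
        return None
    type_id, vsq, cot, _orig, ca = struct.unpack_from("<BBBBH", data, 6)
    count, seq = vsq & 0x7F, vsq >> 7
    body = data[12:]
    if seq:                                   # SQ=1: one base IOA, objects are consecutive
        if len(body) < 3:
            return None
        base = int.from_bytes(body[:3], "little")
        ioas = [base + i for i in range(count)]
    else:                                     # SQ=0: each object carries its own IOA (1-byte elements assumed)
        ioas = []
        for i in range(count):
            off = 4 * i
            if off + 3 > len(body):
                return None
            ioas.append(int.from_bytes(body[off:off + 3], "little"))
    return type_id, cot & 0x3F, ca, ioas      # mask off the test and P/N bits of the COT


def detect(records, max_stations=3, max_points=5):
    """Apply four rules to (src, dst, proto, dst_port, payload) records; return a list of alert strings."""
    unknown_senders, relay_probes = set(), set()
    interrogated = defaultdict(set)   # src -> common (station) addresses it interrogated
    switched = defaultdict(set)       # src -> (station, IOA) points it sent switch commands to
    for src, dst, proto, port, payload in records:
        if proto == "udp" and port == SIPROTEC_UDP_PORT and dst in RELAYS and src not in ENGINEERING_WS:
            relay_probes.add((src, dst))
        if proto != "tcp" or port != IEC104_PORT:
            continue
        parsed = parse_iframe(payload)
        if parsed is None:
            continue
        type_id, cot, ca, ioas = parsed
        if cot != COT_ACTIVATION or type_id not in (C_SC_NA_1, C_DC_NA_1, C_IC_NA_1):
            continue
        if src not in KNOWN_HMIS:
            unknown_senders.add(src)
        if type_id == C_IC_NA_1:
            interrogated[src].add(ca)
        else:
            switched[src].update((ca, i) for i in ioas)
    alerts = [f"IEC 104 commands from non-HMI host {s}" for s in sorted(unknown_senders)]
    alerts += [f"{s} interrogated {len(cas)} station addresses (topology discovery)"
               for s, cas in sorted(interrogated.items()) if len(cas) >= max_stations]
    alerts += [f"{s} sent switch commands to {len(pts)} points (bulk breaker operation)"
               for s, pts in sorted(switched.items()) if len(pts) >= max_points]
    alerts += [f"UDP/{SIPROTEC_UDP_PORT} to relay {d} from {s} (relay DoS vector)"
               for s, d in sorted(relay_probes)]
    return alerts


def sample_records():
    """Constructed traffic: one legitimate HMI poll, then an infected workstation mapping and switching."""
    hmi, bad = "10.10.1.5", "10.10.1.42"
    recs = [(hmi, "10.20.1.10", "tcp", IEC104_PORT, build_iframe(C_IC_NA_1, COT_ACTIVATION, 1, 0, 20))]
    # The infected host sends a station interrogation (QOI 20) to common addresses 1..4 to learn the topology...
    recs += [(bad, f"10.20.1.{10 + i}", "tcp", IEC104_PORT, build_iframe(C_IC_NA_1, COT_ACTIVATION, i, 0, 20))
             for i in range(1, 5)]
    # ...then single commands (SCO 0x00: execute, OFF) to six breaker points at station 2...
    recs += [(bad, "10.20.1.11", "tcp", IEC104_PORT, build_iframe(C_SC_NA_1, COT_ACTIVATION, 2, 1000 + i, 0x00))
             for i in range(6)]
    # ...and a UDP datagram to a protection relay (filler bytes, not the real crash trigger).
    recs.append((bad, "10.20.3.21", "udp", SIPROTEC_UDP_PORT, b"\x00" * 16))
    return recs


if __name__ == "__main__":
    for alert in detect(sample_records()):
        print(alert)
```

The legitimate HMI's single interrogation produces nothing; the infected workstation trips all four rules. In a real deployment the known-HMI and relay lists come from the asset inventory, the thresholds are tuned against a baseline of normal polling, and the same parser can be pointed at a packet capture rather than the constructed records here.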

In the teardown phase, the malware wipes its own files along with key system files and registry entries, covering its tracks and leaving the infected systems unbootable.

Previously, Stuxnet, thought to have been developed by the US and Israel and discovered in 2010 after running from around 2009, was used to attack Iran's uranium enrichment facility at Natanz.

So what?

A study by the Cambridge Centre for Risk Studies, for example, estimates that a large-scale power outage in the UK would result, in the worst case, in losses of £442 billion to UK GDP over five years. They conclude that the most plausible route would be to bring down substations and cause blackouts for up to 13 million people, for several weeks at a time.

Tripwire recently surveyed 150 IT professionals in the energy industry and found that the number of attacks on their infrastructure was increasing, and that 77% said recent attacks had been successful in some way. Overall, 68% said the rate of successful attacks had increased by 25% compared with the previous month. As to the source, 78% reported attacks from external sources, and 30% reported attacks involving an insider (either a current employee or an ex-employee).

Overall, 83% did not believe that their companies could cope with a cyber attack. To balance this, 78% were confident that their organisations could detect unauthorised access to sensitive and confidential information.

Jack Harrington, from Raytheon, tells it like it is: our electrical supply is

critical to our daily comfort and ultimately our survival

and it is vulnerable to cyber terrorists. He cites the cases of power supplies being affected in the Ukraine, and of white-hat hackers in the US Midwest, where a red team managed to gain access to a number of electrical power stations (often using social engineering methods).

That exercise shows how easy it was for the red team to gain access to supply stations, and you worry that others with more malicious intent could cause chaos in other countries. With no electrical supply, data centres, ISPs and all the other key services would fall like dominoes. Attacks on SCADA systems, for example, have risen by more than 100% over the past year. The large-scale blackout in the North-East US in 2003 caused considerable problems, and there the power network was tripped by a fault on the lines, not by an attack.

Conclusions

Companies need to understand their key risks, identify the single points of failure that their redundancy does not cover, and make sure they have tested backups in place and redundant sites set up.






More articles by Prof Bill Buchanan OBE FRSE
