SANS Industrial Control Systems Security Blog

Thoughts on the ICS-CERT Ukraine Cyber Attack Report

Since the attack on the Ukrainian power grid on December 23rd, 2015, the SANS ICS team has been monitoring the situation closely and providing our analysis in concert with passionate individuals and companies throughout the community. Today the ICS-CERT released a report confirming the attack and echoing some of the attack details that were already public. There are a few things I want to clarify and note ahead of the SANS ICS report, which will publish next week.

First, the ICS-CERT report does not contain much analysis. It states that the ICS-CERT confirmed the attack, and that this confirmation comes from interviews conducted with personnel a month ago. Those interviews were very important, but there is also technical evidence, already public, that explains more about the attack than the interviews alone. As an example, the ICS-CERT is hesitant to state that BlackEnergy3 was involved in the incident. I understand that hesitation, but the use of BlackEnergy3 to harvest credentials in the impacted organizations was very clear from publicly available sources. The malware, however, was not responsible for the outage; it enabled the attackers' access, as the SANS team and others in the community have said all along, and the outage itself resulted from the adversaries directly operating the control systems. Other aspects of the attack came across in their report without much clarity; these will be made clear in our upcoming report.

Second, the SANS ICS team intentionally delayed our Defense Use Case 5 (Ukraine Report) for a month in an effort to coordinate its release with the government's statement. It is only right that the U.S. government make a clear statement first and that technical analysis follow to support its conclusions. Where I believe there was a missed opportunity was for more senior levels of government to confirm the attack much earlier with the high-level assessment the ICS-CERT made, for the ICS-CERT to provide deeper technical analysis, and for private sector companies such as SANS, ESET, iSight, Mandiant, TrendMicro, and others that were involved to complement that technical assessment with interpretation and analysis. When dealing with international incidents that set dangerous precedents, such as a clearly coordinated and intentional cyber attack against civilian infrastructure, there must be a more coordinated messaging effort aimed at a variety of audiences.

Lastly, the ICS-CERT put out some mitigation recommendations in the report. The emphasis on application whitelisting and patching infrastructure is misplaced. These are good starting places, but nothing listed in the ICS-CERT report would have stopped this attack. The threat was a focused and persistent human adversary that took months to learn its target and then attacked it with highly professional logistics and operational planning. It adapted, and would have continued to adapt, to whatever passive defenses were placed in its way. Recommendations around limiting VPN access, two-factor authentication, patching, and so on are really good places to start. They help build a defensible ICS. They buy defenders time and visibility. But they do not make the ICS defended. The only way to counter focused and persistent human threats is with empowered and trained human defenders. When a defensible ICS environment is combined with the active defense of trained and empowered defenders, defense is not only doable, it excels.

The SANS ICS Defense Use Case 5 will be published next week with our analysis. We will follow it up with other free resources for the community, including webinars and training aids. I applaud the ICS-CERT for many things and believe their analysts and personnel to be highly passionate people whom I personally respect. It should be obvious that I wish they had done more and said things more clearly. However, they are a talented team working hard to help the community within the constraints a large government places on them. When the next attack on civilian infrastructure takes place, and there will certainly be a next one, I hope that the government and private sector can appropriately control the narrative, give actionable recommendations in a timely manner, and make clear that there is no acceptable precedent for attacking civilian infrastructure.

Robert M. Lee

Bio: Robert M. Lee is the course author of ICS515 - Active Defense and Incident Response and the co-author of FOR578 - Cyber Threat Intelligence. He is also the Founder and CEO of Dragos Security and got his start in cyber security in the U.S. Intelligence Community as a Cyber Warfare Operations officer.


Posted February 25, 2016 at 11:28 PM


I'm looking forward to the SANS ICS Defense Use Case 5 report for the more technical analysis of the incident.
Is there going to be more technical information about the malware that did cause the outage?

Posted February 28, 2016 at 3:03 PM


The Defense Use Case series generally only provides context and understanding to what's been made public. However, in this case all the details are public and spread throughout various sources. BlackEnergy3 was used to harvest credentials, but inside the network it wasn't malware that caused the outage; it was direct operation of the control system by human adversaries (i.e. interactive operations, not malware).

Posted February 26, 2016 at 12:06 AM

Raymond Parks

I also noted in my feedback that their generic recommendations were not labeled as such and their attack-specific recommendations (if any) were not labeled as such. Also, their recommendation for network separation from the non-ICS networks was not clear to me; perhaps they use a jargon unfamiliar to me. I've always recommended the use of a DMZ between the networks with one-way (outward from ICS) distribution of data relevant to outsiders. The same DMZ can be used for remote access, essentially requiring those who need remote access to the ICS to first get remote access to the corporate network and then use a remote access server in the DMZ with credentials specific to the ICS network. Also they said nothing about using serial-to-ethernet devices that do not allow everybody to update their firmware (which should also be true for all other ICS network devices).

Posted February 26, 2016 at 5:08 PM

DM Hazael

I look forward to the DUC. One small detail regarding the use of legitimate credentials to access systems via VPN is interesting, as it seems as though this access was unfettered. I'm kind of hoping this will put a nail in the coffin of the often proposed solution by some equipment vendors of simple uncontrolled VPN-based remote access.

Posted February 29, 2016 at 3:04 PM

Natasha Bishop

Thank you for sharing, Robert. So now that it is confirmed, what are we doing to ensure it does not happen again and cause more damage? And is the US ready for such an attack? We had a few experts discuss the likelihood of an attack on our power grid. This is an issue that should really be top of mind and given critical consideration. No, we don't need to sensationalize it, but we should set a plan in place. The suggestion for utilities to shut off the internet may be a good start.

Posted March 7, 2016 at 9:23 PM


Any word on when the Defense Use Case 5 (Ukraine Report) will be posted?
It's going on two weeks and I haven't seen any updates other than Robert's quotes in the recent Wired article.

Posted March 9, 2016 at 5:57 AM


Defense Use Case 5 was supposed to launch when the Wired report came out, but due to certain evolving sensitivities of the case it was delayed and is currently under review. We hope to be able to post it this month.