Cybersecurity for Energy Delivery Systems
Michael Assante & Tim Conway (under contract to DOE through Idaho National Laboratory)
March 28th, 2016
Agenda
1. Event deconstruction
2. Mitigations
3. Discussion
UNCLASSIFIED
Ukraine Event: December 23, 2015
Presentation Perspective
An interagency team composed of representatives from the NCCIC/ICS-CERT, U.S. Computer Emergency Readiness Team (US-CERT), Department of Energy, Federal Bureau of Investigation, and the North American Electric Reliability Corporation traveled to Ukraine to collaborate and gain more insight.
Mike Assante and Tim Conway, as DOE INL subcontractors, were added to the team by DOE to bring their electricity sector and SANS experience to bear on this critical incident.
This briefing is our post-trip report. The mitigation guidance for consideration is our own and is offered “as is”, as general concepts simply to inform thinking.
Geographic Orientation
Power System Orientation
Power System Regions
Ukraine’s Generation Sites
Power System Element: Distribution
Source: modification of an image from the Energy Sector-Specific Plan 2010
Event Summary
Through interviews, the team concluded that a remote cyber attack caused power outages at three Ukrainian distribution entities (Oblenergos), impacting approximately 225,000 customers.
While power has been restored, all the impacted Oblenergos continue to operate in a degraded state.
The attack included elements to disrupt power flow and to exaggerate the outage by damaging the SCADA/DMS and communication infrastructure used to support power dispatching.
Attack Steps Summary
• Infect, Foothold, C2
• Harvest Credentials
• Achieve Persistence & IT Control
• Discover SCADA, Devices, Data
• Develop Attack Concept of Operation (CONOP)
• Position
• Execute Attack
  - SCADA/DMS Dispatcher Client/WS Hijacking
  - Malicious firmware uploads
  - KillDisk Wiping of WS & Servers
  - UPS Disconnects & TDoS
Technical Components
• Spear phishing to gain access to the business networks
• Identification of BlackEnergy 3 at each Oblenergo
• Adversary theft of credentials from the business networks
• Use of VPNs to enter the ICS network
• Use of existing remote access tools within the environment, or issuing commands directly from a remote station capable of issuing commands similar to an operator HMI
• Serial-to-Ethernet communications devices impacted at a firmware level
• Use of a modified KillDisk to erase
• Utilizing UPS systems to impact connected load with a scheduled service outage
• Telephone Denial of Service attack on the call center
SCADA Hijacking Techniques
• Phantom Mouse: remote admin tools at OS-level
• Rogue Client: remote SCADA client software
(Diagram labels: Phantom Mouse, Rogue Client, SCADA Server.)
The attackers developed two SCADA Hijack approaches (one custom and one agnostic) and successfully used them across different types of SCADA/DMS implementations at three companies.
Keeping Perspective
The Ukraine cyber attacks are the first publicly acknowledged intentional cyber attacks to result in power outages. As future attacks occur, it is important to scope the impacts of the incident being examined.
Power outages should be measured in scale (number of customers and electricity infrastructure involved) and in duration to full restoration. These incidents impacted up to 225,000 customers in three different distribution-level service territories, lasting several hours. These incidents would be rated on a macro scale as low in terms of power system impacts, as the outage affected a very small number of overall power consumers in Ukraine and the duration was limited.
We are confident that the companies impacted would have rated these incidents as high or critical to their business and the reliability of their systems.
What we should understand
Attacks were planned, coordinated, and required a high degree of orchestration:
• Aggressive development-to-operations cycle
• Attacks required multiple operators
• Simultaneous actions & mistakes
• Multi-staged Kill Chain
• Multiple attack elements
• Custom attacks developed
• Multi-staged attack
• Attackers achieved objective
• Targets used different SCADA
ICS Kill Chain Mapping (Stage 1)
Stage 1 TTPs
• Spear phishing with MS Office attachments
• BlackEnergy malware used for initial infection
  ◦ Overlapping C2 servers
• KillDisk downloaded and executed manually
  ◦ KillDisk execution on selected workstations and servers
• Use of company-employed remote access tools
  ◦ Use of legitimate credentials for network access at time of attack (RDP, RADMIN, VPN)
• Installation of backdoors
ICS Kill Chain Mapping (Stage 2)
Stage 2 TTPs
• Lockout of legitimate dispatchers
• Manual & command operation to trip breakers
• Firmware corruption of Serial-to-Ethernet converters & substation devices
• UPS system outage
• KillDisk on RTU local HMI module
  ◦ Windows OS
Attack Elements by Location
(Diagram; labels only.) Locations: Distribution Control Center(s) (Central Office, Branch Offices); 110 kV Substation; 110 kV Substation; 35 kV Substation. Attack elements: Workstations & Servers; HMI workstations (OS-level); Client-to-Server; Accessible Firmware Devices.
Malicious Firmware Uploads (Cont.)
(Device model diagram; model created by Mark Engles. Labels only.)
• Device: Hardware, Firmware, Application Software, Configuration; surrounded by Physical Protection and Electronic Protection
• Communications Path (APs) on both the input and the output side
• Input failure modes: No Data (source problems, disrupt com path, disrupt AP/interface); Invalid Data; Too Much Data
• Output failure modes: No Data (destination problems, disrupt com path, disrupt AP/interface); Invalid Data; Too Much Data
• Note: maintenance, not operational, data input
Manipulate-to-Disrupt (anti-restore)
How Sophisticated Was It?
Rating this Attack
(Bar chart, scale 0 to 3.)

| Dimension | Rating | Summary |
|---|---|---|
| Sophistication | 1 | Some sophistication in the SCADA/DMS hijacking method, but the majority of it was not |
| ICS Customization | 2 | Rogue client hijacking demonstrated some customization |
| Effect | 2 | Electricity outage in three service territories, restored in hours |
| CONOP | 3 | A complex and successful attack plan |
Incident Mapping: SCADA/DMS & Process Elements (Ukraine incidents)

| Layer | Elements | Effect |
|---|---|---|
| Human Operators | HMI inputs, alarms, data | Loss of View (LoV); false alarms / suppress alarms; spoofed status, levels, and conditions; Denial of Control (DoC) |
| ICS Infrastructure | Servers, network, workstations, OS | Modify files; corrupt/destroy data; exhaust resources / DoS; hang applications; hijack |
| ICS Applications | HMI (client), SCADA servers, ENG WS, historians/DBs, gateways/FEPs | Change settings & schedule tasks; spoof data, issue commands (MoC); delete data; DoS (DoC) |
| Process & Safety | Controllers, comms/IO, instruments, actuators | Change settings, write to memory; data destruction; spoof data (MoC or MoV); change logic (MoC); DoS / corrupt software (DoC) |
Guidance & Mitigation Concepts
Published advisories and SCADA/DMS mitigations
ICS-CERT Alert
https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01ADD
E-ISAC Alert
Level 2 NERC Alert (R-2016-02-09-01), released February 9, 2016
https://www.esisac.com/api/documents/4199/publicdownload
Attack Elements
Ukraine Event: significant events based on publicly available reporting.
• Spearphish
• Credential Theft
• VPN Access
• Workstation Remote Access
• Control & Operate
• Tools & Tech
Opportunities to Disrupt
(Timeline scale: 12 mo, 9 mo, 6 mo, hrs., min, Event, Hrs.)
IT Preparation
• Target selection
• Unobservable target mapping
• Malware development and testing
Spear phishing
• Delivery of phishing email
• Malware launch from infected office documents
• Establish foothold
Hunting and Gathering
• Lateral movement and discovery
• Credential theft and VPN access
• Control system network and host mapping
ICS Preparation
• Unobservable malicious firmware development
• Unobservable DMS environment research and familiarization
• Unobservable attack testing and tuning
Attack Position
• Establish remote connections to operator HMIs at target locations
• Prepare TDoS dialers
Sequence Pre-Work
• Upload additional attack modules (KillDisk)
• Schedule KillDisk wipe
• Schedule UPS load outage
Attack Launch
• Issue breaker open commands
• Modify field device firmware
• Perform TDoS
• Scheduled UPS and KillDisk
Target Response
• Connection sever
• Manual mode / control inhibit
• Cyber asset restoration
• Electric system restoration
• Constrained operations
• Forensics
• Information sharing
• System hardening and prep
Spearphish
• Training
  ◦ Awareness training
  ◦ Phishing testing
• Filtering
  ◦ Detection based
  ◦ Reputation based
• Anticipated
  ◦ Contested territory
  ◦ Isolate and control
Credential Theft
• Remediate
  ◦ YARA & AV
  ◦ Change PW
• Defense in Depth
  ◦ Directory segmentation
  ◦ Zones of trust
• Anticipated
  ◦ Normalize net and directory activity
  ◦ Alert on the abnormal
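The "normalize net and directory activity, alert on the abnormal" idea, as an added example that is not part of the briefing or the authors' material: a per-account profile is learned from a window of remote-access log lines (sources used, hosts reached), and later events are reported when they deviate (new or external source address, new target host, off-hours use, unknown account). The log line format, the internal address ranges, the working-hours window and every sample line are constructed assumptions.

```python
"""Baseline-then-alert for remote access activity.

Added example, not from the briefing or its authors. The log format
("<ISO timestamp> <account> <source IP> <service> <target host>"), the
internal ranges, the working-hours window and all sample lines are
constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed learning-window log lines (normal activity).
BASELINE_LOGS = """\
2015-11-02T08:05:00 dispatcher1 10.20.1.15 vpn control-ws-01
2015-11-03T08:10:00 dispatcher1 10.20.1.15 vpn control-ws-01
2015-11-04T07:58:00 dispatcher1 10.20.1.22 rdp control-ws-01
2015-11-02T09:00:00 admin2 10.20.5.7 rdp file-srv-02
2015-11-05T14:30:00 admin2 10.20.5.7 vpn file-srv-02
""".splitlines()

# Constructed lines to evaluate against that baseline.
NEW_LOGS = """\
2015-12-23T15:30:00 dispatcher1 10.20.1.15 vpn control-ws-01
2015-12-23T15:35:00 dispatcher1 203.0.113.9 vpn control-ws-01
2015-12-23T15:40:00 admin2 10.20.5.7 rdp control-ws-03
2015-12-24T02:10:00 admin2 10.20.5.7 rdp file-srv-02
2015-12-23T16:00:00 svc_backup 198.51.100.4 vpn scada-srv-01
""".splitlines()

INTERNAL_NETS = [ip_network("10.20.0.0/16")]   # assumption: corporate/ICS ranges
WORK_HOURS = range(6, 20)                       # assumption: 06:00-19:59 is normal


def parse(line):
    """Split one constructed log line into a typed record."""
    ts, account, src, service, host = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "src": ip_address(src), "service": service, "host": host}


def build_baseline(lines):
    """Learn, per account, the source addresses and target hosts seen in the window."""
    profiles = defaultdict(lambda: {"sources": set(), "hosts": set()})
    for rec in map(parse, lines):
        profiles[rec["account"]]["sources"].add(rec["src"])
        profiles[rec["account"]]["hosts"].add(rec["host"])
    return profiles


def score(rec, profiles):
    """Return the reasons an event deviates from its account's profile (empty = normal)."""
    profile = profiles.get(rec["account"])
    if profile is None:
        return ["unknown account"]
    reasons = []
    if rec["src"] not in profile["sources"]:
        reasons.append("new source address")
        if not any(rec["src"] in net for net in INTERNAL_NETS):
            reasons.append("external source")
    if rec["host"] not in profile["hosts"]:
        reasons.append("new target host")
    if rec["ts"].hour not in WORK_HOURS:
        reasons.append("off-hours")
    return reasons


def alerts(lines, profiles):
    """Evaluate new log lines against the baseline; return only the deviating ones."""
    found = []
    for rec in map(parse, lines):
        reasons = score(rec, profiles)
        if reasons:
            found.append((rec["account"], str(rec["src"]), rec["host"], reasons))
    return found


if __name__ == "__main__":
    for account, src, host, reasons in alerts(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(f"ALERT {account} from {src} to {host}: {', '.join(reasons)}")
```

The first new line (a known account, known source, known host, during working hours) produces no alert; the other four each produce one. Directory activity such as group membership changes or new service accounts can be scored the same way by adding the relevant fields to the profile.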
VPN Access
• Strengthen
  ◦ Two factor
  ◦ Dedicated tokens
• Trust
  ◦ Jump host
  ◦ No split tunneling
• Anticipated
  ◦ Why is it there?
  ◦ Activate at time of use
Workstation Remote Access
• Harden
  ◦ Disable remote access
  ◦ Block at perimeter FW
• Manage
  ◦ Configure host FW
  ◦ Monitor config changes
• Anticipated
  ◦ Conservative operations
  ◦ Sectionalizing
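The "configure host FW, monitor config changes" pair, as an added example that is not part of the briefing or the authors' material: an approved host firewall rule set is compared against the rules currently on the workstation, every difference is reported, and any newly added inbound allow on a remote-administration port (RDP and Radmin are the two named earlier in this deck) is escalated. The textual rule format, the port table and both rule sets are constructed assumptions; a real deployment would export the rules from the host firewall and keep the approved set under change control.

```python
"""Detect drift in a workstation's host firewall rule set and escalate rules
that re-open remote administration paths.

Added example, not from the briefing or its authors. The rule format
("<allow|deny> <in|out> <proto> <source> <port>"), the port-to-tool table
and both rule sets are constructed assumptions.
"""

# Assumption: ports commonly used for remote administration of workstations.
REMOTE_ADMIN_PORTS = {3389: "RDP", 4899: "Radmin", 5900: "VNC", 22: "SSH"}

# Constructed approved baseline: one control protocol allowed in from the
# control network, remote administration explicitly denied.
BASELINE_RULES = """\
allow in tcp 10.20.1.0/24 502
deny in tcp any 3389
deny in tcp any 4899
allow out tcp any 443
""".splitlines()

# Constructed current state: the RDP rule was flipped to allow, and an extra
# Radmin allow from an unfamiliar range was appended.
CURRENT_RULES = """\
allow in tcp 10.20.1.0/24 502
allow in tcp any 3389
deny in tcp any 4899
allow out tcp any 443
allow in tcp 198.51.100.0/24 4899
""".splitlines()


def parse_rule(line):
    """Turn one rule line into a dict; reject malformed input instead of guessing."""
    parts = line.split()
    if len(parts) != 5 or parts[0] not in ("allow", "deny") or parts[1] not in ("in", "out"):
        raise ValueError(f"malformed rule: {line!r}")
    return {"action": parts[0], "direction": parts[1], "proto": parts[2],
            "source": parts[3], "port": int(parts[4])}


def diff_rules(baseline, current):
    """Return (added, removed) rule lines, preserving the order of the inputs."""
    base_set, cur_set = set(baseline), set(current)
    added = [r for r in current if r not in base_set]
    removed = [r for r in baseline if r not in cur_set]
    return added, removed


def remote_admin_exposures(rules):
    """Return (rule, tool name) for every inbound allow on a remote-admin port."""
    hits = []
    for line in rules:
        rule = parse_rule(line)
        if (rule["action"] == "allow" and rule["direction"] == "in"
                and rule["port"] in REMOTE_ADMIN_PORTS):
            hits.append((line, REMOTE_ADMIN_PORTS[rule["port"]]))
    return hits


def check_drift(baseline, current):
    """Report all drift; escalate the subset that newly exposes remote administration."""
    added, removed = diff_rules(baseline, current)
    return {"added": added, "removed": removed,
            "escalate": remote_admin_exposures(added)}


if __name__ == "__main__":
    report = check_drift(BASELINE_RULES, CURRENT_RULES)
    for line in report["added"]:
        print("added:  ", line)
    for line in report["removed"]:
        print("removed:", line)
    for line, tool in report["escalate"]:
        print(f"ESCALATE: {tool} newly allowed inbound -> {line}")
```

Run periodically or from a configuration-management hook, the removed "deny" and the two added "allow" lines show up as ordinary drift, while the two inbound allows are escalated separately so a flipped RDP rule is not lost among routine changes.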
Control and Operate
• App Security
  ◦ Logic for confirmation
  ◦ AOR
• Communication
  ◦ Path encryption
  ◦ Protocol encryption
• Anticipated
  ◦ Manual operations
  ◦ Load shed
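The "logic for confirmation" and "AOR" (area of responsibility) bullets, as an added example that is not part of the briefing, its authors' material, or any SCADA/DMS product: a guard between the HMI client and the SCADA server that only accepts a breaker operation when the originating console is enrolled, the target substation is inside the operator's AOR, and the operator confirms the exact station/breaker/action in a second step using a single-use token. The AOR table, station and breaker names, the enrolled-console list and the select/execute shape are constructed assumptions.

```python
"""Application-layer guard for control commands: AOR enforcement plus an
explicit select-then-confirm step before a breaker operation.

Added example, not from the briefing, its authors, or any SCADA/DMS product.
The AOR table, station/breaker names, enrolled consoles and the two-step
select/execute shape are constructed assumptions.
"""
from dataclasses import dataclass, field
import secrets

# Constructed AOR table: which operator account may act on which substation.
AOR = {
    "dispatcher1": {"sub-110-A", "sub-35-C"},
    "dispatcher2": {"sub-110-B"},
}

# Constructed list of control-room consoles allowed to originate commands.
ENROLLED_CONSOLES = {"console-01", "console-02"}


@dataclass
class ControlGuard:
    """Sits between HMI clients and the SCADA server; every decision is logged."""
    pending: dict = field(default_factory=dict)   # token -> selection
    audit: list = field(default_factory=list)     # (verdict, operator, detail...)

    def _deny(self, operator, why):
        self.audit.append(("DENY", operator, why))
        return None

    def select(self, operator, console, station, breaker, action):
        """Step 1: validate origin, AOR and action; return a one-time token or None."""
        if console not in ENROLLED_CONSOLES:
            return self._deny(operator, f"unenrolled console {console}")
        if station not in AOR.get(operator, set()):
            return self._deny(operator, f"{station} outside AOR")
        if action not in ("open", "close"):
            return self._deny(operator, f"unsupported action {action}")
        token = secrets.token_hex(8)
        self.pending[token] = (operator, console, station, breaker, action)
        self.audit.append(("SELECT", operator, station, breaker, action))
        return token

    def execute(self, operator, console, token, confirm):
        """Step 2: the same operator, from the same console, echoes back the exact
        (station, breaker, action). A token is consumed on first valid-owner use."""
        request = self.pending.get(token)
        if request is None:
            self._deny(operator, "no matching selection")
            return False
        req_operator, req_console, station, breaker, action = request
        if (operator, console) != (req_operator, req_console):
            self._deny(operator, "operator/console mismatch on confirm")
            return False                       # selection stays with its real owner
        del self.pending[token]                # single use from here on
        if confirm != (station, breaker, action):
            self._deny(operator, "confirmation does not match selection")
            return False
        self.audit.append(("EXECUTE", operator, station, breaker, action))
        return True


if __name__ == "__main__":
    guard = ControlGuard()
    tok = guard.select("dispatcher1", "console-01", "sub-110-A", "CB-12", "open")
    ok = guard.execute("dispatcher1", "console-01", tok, ("sub-110-A", "CB-12", "open"))
    print("executed:", ok)
    for entry in guard.audit:
        print(entry)
```

Because the audit list records both the selection and the execution (or the denial), a run of denials from an unenrolled console or for stations outside an operator's AOR is itself a detection signal for a hijacked or rogue client session.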
Tools and Tech
• Eliminate
  ◦ Filter calls by source
  ◦ Disconnect BCS from net
  ◦ Disable remote mgmt
• Device
  ◦ Disable remote FW updates
  ◦ ATS, backup gen
  ◦ Secondary comms
• Anticipated
  ◦ Blackstart plans
  ◦ Islanding
  ◦ Mutual aid
Lessons Learned
• Training
• Planning and Analysis
• Load Shed
• EOP
• Blackstart
Lessons Learned Translated
• Cyber contingency analysis (continuous analysis and preparing the system for the next event)
• Cyber failure planning (modeling and testing cyber system response to network and asset outages)
• Cyber conservative operations (intentionally eliminating planned and unplanned changes, as well as stopping any potentially impactful processes)
• Cyber load shed (eliminating all unnecessary network segments, communications, and cyber assets that are not operationally necessary)
• Cyber RCA (root cause analysis forensics to determine how an impactful event occurred and ensure it is contained)
• Cyber blackstart (cyber asset base configurations and bare-metal build capability to restore the cyber system to a critical service state)
• Cyber mutual aid (ability to utilize ISACs, peer utilities, law enforcement and intelligence agencies, as well as contractors and vendors to respond to large-scale events)
Prepare to Defend the Effect

| Component | Mitigation N | Mitigation N+1 | Mitigation N+X |
|---|---|---|---|
| Spear phish | Training | Filter | System Spec |
| Credential Theft | Remediate PW | Defense in Depth | Protection Devices |
| VPN Access | Strengthen | Trust | RCA / EOP |
| Workstation Remote Access | Harden | Manage | Conservative Operations / Sectionalizing |
| Control and Operate | App Security | Communication | Manual Operations / Load Shed |
| Tools and Tech | Eliminate | Device | Black Start / Mutual Aid |
Questions
References & Products
• NCCIC/ICS-CERT Incident Alert: IR-Alert-H-16-043-01P, Ukrainian Power Outage Event, February 12, 2016 (TLP=GREEN)
  ◦ High-level summary of the incident elements
  ◦ Mitigation guidance
  ◦ Detection pointers & indicators (IOCs)
• NERC E-ISAC: Mitigating Adversarial Manipulation of Industrial Control Systems as Evidenced by Recent International Events, February 9, 2016 (TLP=RED)
  ◦ Tactics used by actors with mitigation options
• ICS-CERT BlackEnergy YARA signature: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01E
• Initial Findings of the US Delegation examining the events of December 23rd 2015, PowerPoint presentation, February 2016
• E-ISAC & SANS Defense Use Case: https://www.esisac.com/api/documents/4199/publicdownload
Guidance Documents
(CEDS program areas: Research & Development; Deployment; Incident Coordination)
Cyber Incident Coordination
Coordinate response with federal and industry partners. Share information and facilitate access to technical, sector-specific expertise while ensuring unity of effort and unity of message.
Collaboration with industry for participation in national and regional preparedness projects, including cyber exercises:
• ESCC Playbook Exercise
• New York State Cybersecurity Exercise (NYSCE)
• Dams Sector Information Sharing Drill
• North American Electric Reliability Corporation (NERC) Grid Security Exercise (GridEx)
Office of Electricity Delivery & Energy Reliability, U.S. Department of Energy
www.energy.gov/oe/services/cybersecurity