Editor's Note: This is a guest Blog Post from Ted Gutierrez, Ted is the ICS & NERC CIP Product Manager at the SANS Institute. In this post he discusses "Anatomy of an ICS Attack".
By now anybody who follows cybersecurity news has probably heard about the December 23, 2015 attack on the Ukrainian electric system, which resulted in a widespread power outage impacting hundreds of thousands of people. Security experts at SANS were among the first to receive malware samples and have had an opportunity to provide context for some of the early reporting. In a December 30th blog, Mike Assante analyzed the early reports, and soon after, Robert M. Lee followed up with a number of blogs detailing his analysis. SANS continues to investigate the incident and will have much more information to share soon.
As details continue to emerge, it’s becoming clear that much of the attack followed textbook cyber intrusion stages. It reminds me of a SANS-developed training video called “Anatomy of an ICS Attack,” available this month as the STH Video of the Month. The video describes a fictional electric generation company targeted by a group of hacktivists aiming to disrupt critical infrastructure. The video, which was first available in 2013, details the fictional attack, which included the common steps of reconnaissance, phishing, lateral movement, data destruction, and ultimately an ICS-impacting effect.
There will certainly be a great number of lessons to be learned from the Ukrainian event. It was a game-changing event that will be recorded in history as a coordinated cyber-enabled attack on multiple operators of an electric system. The SANS ICS team encourages entities to take advantage of the availability of the ICS attack video to demonstrate the anatomy of a cyber-attack to system operators, management, and anybody with cyber access to ICS systems. It doesn’t completely describe what happened in Ukraine, but it may help folks better understand the reporting on the event and appreciate the challenge.
BIO: Ted Gutierrez, CISSP, GICSP, and GCIH, is the ICS & NERC CIP Product Manager at the SANS Institute. Ted was formerly the Director of Operations Technology & NERC Compliance at Northern Indiana Public Service Company (NIPSCO) where he was responsible for compliance to NERC 693 and CIP standards and the support of the related operations technology systems. Ted has over twenty-five years of experience working in the electric utility, information technology and manufacturing industries.