If CrashOverride malware variants ever attack the U.S. electric grid and associated utilities, N-Dimension Solutions appears ready to mitigate the threat for its customers. Indeed, the managed security services provider (MSSP) has closely studied the potential malware scenarios, and aligned its cybersecurity defenses accordingly.
"Our N-Sentinel service is already capable of detecting CrashOverride and we're pleased to report no such incidents have been found within the 100+ utilities we serve," Mihir Kapadia, VP of engineering, N-Dimension Solutions, tells MSSP Alert.
The U.S. Department of Homeland Security, Dragos and ESET each shared CrashOverride Warnings earlier this week. The malware is considered a "highly capable Industrial Controls Systems (ICS) attack platform that was reportedly used in 2016 against critical infrastructure in Ukraine," according to the warnings.
CrashOverride Malware Threat: Proper Context
The alerts certainly put the U.S. utilities and those connected to the power grid on notice. But there's no initial cause for panic. N-Dimension, for instance, is careful to put the risks and potential solutions in proper context.
"Firstly, it’s important to note that the samples of CrashOverride that were analyzed were tailored for a specific network environment," Kapadia says. "The malware contained specific proxy addresses and IPs and so in it’s current form it would not affect other networks. However, the real risk is that CrashOverride could be modified to have more widespread impact and also points to a sophisticated capability to disrupt utility Industrial Control System (ICS) networks."
Among the key points Kapadia also shared with MSSP Alert:
- The protocols that the malware targeted (IEC-101, IEC-104, IEC-61850, OPC) are typically used outside of North America, but the threat is that CrashOverride could be easily modified to leverage the DNP3 protocol -- which is widely used in North American utility environments.
- N-Dimension recommends that utilities ensure their infrastructure is regularly patched with the latest firmware updates. CrashOverride utilizes a module that exploits CVE-2015-5374 on Siemens SIPROTEC relays. That vulnerability has been patched since 2015-07-07. Information on patching the vulnerability can be found in Siemens Security Advisory 73254.
"We also highly recommend utilities implement a layered defense-in-depth strategy," he adds, "to detect and protect from attacks including having a threat monitoring solution in place that can detect not just IT network threats but also those targeted towards operational networks like CrashOverride."