AST Magazine February 2018 final-feb-2018 | Page 25

Volume 20
February 2018 Edition
uration and instead leverages knowledge of grid operations and
network communications to cause impact; in that way, it can be
immediately re-purposed in Europe and portions of the Middle
East and Asia.”
“CRASHOVERRIDE is not unique to any particular vendor or config-
uration and instead leverages knowledge of grid operations and
network communications to cause impact; in that way, it can be
immediately re-purposed in Europe and portions of the Middle
East and Asia.”
And while the module was programmed to exploit European pro-
tocols, Dragos reports, “CRASHOVERRIDE is extensible and with a
small amount of tailoring such as the inclusion of a DNP3 protocol
stack would also be effective in the North American grid.” [1]
(CNN provides details on the Russian hackers — who they are and how they oper-
ate. Courtesy of CNN and YouTube)
Mind the Gap
Critical infrastructure facilities globally have historically relied on
“air-gapping” their operations to reduce infection or equipment
malfunction risk jumping from one operational compartment to
another.
Now, companies are at pains to interconnect their most up-to-date
systems (usually to the internet), and to integrate the latest equip-
ment with legacy devices that may be decades old.
In light of a more interconnected world, utilities must appoint a
cross-functional task force to map operational connectivity to devel-
op defenses against sophisticated cyber attacks.
Primed and Ready to Go
Once localized for use, hackers can viably interchange the fourth
module with another software component to pursue any combi-
nation of attack vectors:
The team must detail the spaghetti of network connections, end-
points and HMIs that support SCADA.
Then, they must elucidate any interfaces between OT and corporate
IT.
• De-energizing a substation by locking an operator out of
controls and remotely toggling the status of a breaker between
open and close continuously;
• “Islanding” a substation by initiating a similar breaker toggling
event that invokes automated operations that isolate the sub-
station from other substations;
• Misrepresenting the status of operations on consoles that
confuse operators, for example one that displays breakers open
when they are actually closed;
• Creating a cascading islanding effect on a grid by disabling the
protective relays of substations.
23