
Ixia on Preventing Industrial Control System Attacks


Ixia, a leading provider of network testing, visibility and security
solutions, offers organizations advice on preventing Industrial Control
Systems (ICS) attacks in light of the recent report
from Dragos on the CrashOverride malware. This malware took down 30
substations in Ukraine's power grid late last year, and left 230,000
residents of Ukraine without power.1

The report from Dragos on CrashOverride was detailed and specific. The
possibility of this malware strain permeating critical infrastructure
around the world is evidence that plants and power systems continue to
be under targeted attack. In fact, early last year, hackers breached
a water utility company that is referred to as the "Kemuri Water
Company." They took control of hundreds of programmable logic
controllers (PLCs) that manage the flow of toxic chemicals used for
water treatment, which could have had dire consequences.

"The work required to create malware targeting specific ICS systems
indicates nation-state sponsorship. One does not simply go out and build
a 'mirror lab' of an electrical grid in their basement," said Chuck
McAuley, Principal Security Research Engineer at Ixia. "Human
intelligence backed with strong technical knowledge is needed to create
this type of software. Countries, and their private partners involved in
infrastructure, need to be proactive about their security measures. In a
region such as Europe, where the interconnected electrical grid crosses
the borders of many countries, operators need to be ready for cyber
attacks at all times."

Attacks are rapidly evolving and, with nation-state support, will
continue doing so. CrashOverride took advantage of four communication
protocols used in ICS systems across Europe, Asia, and the Middle East,
which highlights potential ICS system design flaws.

McAuley continued, "This attack illustrates that flipping breakers on
and off repeatedly should trigger warnings from both remote terminal
units and networking equipment. Rate limiting, inline mitigation, and
machine learning defenses are quite mature and can easily be adapted to
help provide protection in the ICS space. If a hacker's intent is simply
to cause disruption, they do not need to use tradecraft of the nth
degree. In this particular case, the malware leveraged no zero day at
all, choosing instead to leverage design flaws in the ICS network. Your
adversary will only expose and use as much of their arsenal as they need
to obtain their objective."

According to Ixia, there are a few simple steps organizations can follow to
better prepare for these types of attacks:

Stay Offline

If organizations are incapable of maintaining their ICS networks with
up-to-date countermeasures, those networks need to be disconnected from
the Internet. In fact, organizations should attempt to remove any direct
reliance on IP communications. Air gapping the network can help, but it
does not always stop malware from entering a network.

Sharing is Caring

A culture of information sharing between the public and private sector
should be encouraged. One of the most difficult aspects of cybersecurity
is establishing and maintaining trust with peers across industries.
Hackers already have the latter part down, and organizations should,
too. The enemy relies on slow communications, legal tie-ups, and other
bureaucratic clutter.

Get the Whole Picture

As in most cases, but especially the one outlined in the Dragos report,
visibility is key to thwarting industrial attacks. Network visibility
should be a cornerstone of any security posture. Moreover, rate limiting
functions and alerting functions should be used with a strong visibility
platform to notify operators when anomalies occur.

Preparation is Key

Beyond having the right relationships and tools, organizations cannot
afford to freeze when attacks do occur. They should prepare by testing
both their network equipment and their people. While testing equipment is
relatively straightforward, people need to be tested under real-world
conditions using tabletop and cyber range exercises. This enables staff
to learn how to perform and think outside the box like a

McAuley concluded, "The more you can see, the quicker and easier you can
react. If the CrashOverride victims had tapped their ICS network, they
would have immediately noticed a change in traffic patterns: the
scanning for OPC-based services and the IEC 104 commands that repeatedly
closed and opened breakers. Network monitoring equipment would be able
to see and alert on these transactions in real time."

About Ixia

Ixia, now part of Keysight Technologies, provides testing, visibility,
and security solutions to strengthen networks and cloud environments for
enterprises, service providers, and network equipment manufacturers.
Ixia offers companies trusted environments in which to develop, deploy,
and operate. Customers worldwide rely on Ixia to verify their designs,
optimize their performance, and ensure protection of their networks and
cloud environments. Learn more at

About Keysight Technologies

Keysight Technologies is a leading technology company that helps its
engineering, enterprise and service provider customers optimize networks
and bring electronic products to market faster and at a lower cost.
Keysight's solutions go where the electronic signal goes, from design
simulation, to prototype validation, to manufacturing test, to
optimization in networks and cloud environments. Customers span the
worldwide communications ecosystem, aerospace and defense, automotive,
energy, semiconductor and general electronics end markets. Keysight
generated revenues of $2.9B in fiscal year 2016. In April 2017, Keysight
acquired Ixia, a leader in network test, visibility, and security. More
information is available at

Ixia and the Ixia logo are trademarks or registered trademarks of Ixia
in the United States and other jurisdictions. All other trademarks used
herein are the property of their respective owners.
