Igor Kotsiuba

Publisert: 25.04.2019

Title talk: Malware cyber hygiene in energy grids and critical infrastructure scenarios

Abstract talk "Malware cyber hygiene in energy grids and critical infrastructure scenarios"

The attacks on the Ukrainian energy companies, carried out at the end of December 2015, were the milestones of malware awareness of the whole country. Information is based on the results of a survey of employees of the affected enterprises, which took place after the attack.
Based on the survey, the attack was carried out by remote attackers. The incident affected three regional electricity supply companies. As a result of the attack, about 230 thousand consumers remained without power supply for some time. After the resumption of work, the companies were forced to work in limited conditions.
The cyber attack was coordinated and executed synchronously, and it was first ever autonomus "spear" attack on infrastructure in the world. The attackers allegedly carried out preparatory work and knew the structure of the regional power networks. According to company employees, all attacks occurred within a 30-minute window and affected the work of central and regional power companies. The attackers used either the built-in remote administration tools or software to manage SCADA systems via VPN connections. Presumably, hackers stole the credentials of employees before the attack and created bespoke malware for those incidents.
Upon completion of the attack, attackers deleted data from a number of systems using KillDisk malware. The malware deletes specific files and damages the master boot record (MBR) of the hard disk. Hackers also damaged the firmware of Serial-to-Ethernet converters and disconnected uninterruptible power supplies via a remote control interface.
The internal networks of each infrastructure entity ware infected with BlackEnergy malware. While the malware itself was not used to launch an attack, experts estimate the role of BlackEnergy as significant in the context of this incident. The virus was spread using targeted phishing with malicious attachments in the form of Microsoft Office documents. Presumably, hackers used BlackEnergy as the initial vector to gain access to company credentials.
The preventive measure of cybersecurity of energy grids and critical infrastructure can be and is being developed - cyber hygiene framework. In EC funded H2020 project SPEAR we develop the eclectic solution towards the protection of infrastructure.
Malware protection management must incorporate the holistic approach, thus such parts as performing risk analysis and awareness through cyber hygiene frameworks, and empowering EU-wide consensus by collaborating with European and global security organisations, standardisation bodies, industry groups and smart grid operators.

About Igor Kotsiuba

Igor Kotsiuba focuses on Cybersecurity of Critical Infrastructure and eHealth. He is a partner at CyberDesk, Head of Cybersecurity Workgroup at American Chamber Ukraine, and advices governmental structures in Ukraine , and has been providing services to clients in the fields of information security, cybersecurity and DLT implementations for eHealth and Energy in Ukraine and EU.

Igor has an outstanding record of implementing the best global information security practices and frameworks for a wide range of companies. He is a researcher at PIMEE National Academy of Sciences involved in scientific and research activities in the area of cybersecurity within the projects of the European Commission in cooperation with leading specialists from the UK, France, Spain, Germany. Igor also is main researcher and manages Horizon 2020 projects in the areas of enhancing the cyber security standards in energy infrastructure, the Internet of things and eHealth, and is a frequent speaker at specialized conferences and seminars. Lead expert in number of projects regarding using of blockchain to enhance security and management of eHealth system, military supply and logistics chain, procurement systems.