TEL AVIV, Israel -- Radiflow issued an analysis of the December 2015 cyber-attack on a Ukrainian power provider. According to multiple accounts, several western-Ukrainian power utilities were attacked, disconnecting thirty substations and leaving 80,000 customers without power for hours. Using compromised HMI software and remote access software, the attackers targeted specific servers on the utilities' operational networks and then deleted their attack paths, which delayed the response to the attack.
Draft guidelines for preventing attacks of this type against critical infrastructures were already issued prior to the attack by the U.S. National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST).
These guidelines were developed in collaboration with a select group of industry leaders. Radiflow took part in two NCCoE projects focused on identity and access management, and situational awareness, in critical infrastructures.
Radiflow's IDPS (Intrusion Detection & Prevention Solution), designed specifically to protect ICS operational networks, meets and exceeds the NCCoE guidelines. It offers multiple layers of protection, including an IDS with network visibility and anomaly detection capabilities, an industrial DPI firewall, and user authentication and task-based permissions management for securing maintenance activities.
The NCCoE guidelines, and their implementation in Radiflow's IDPS, apply directly to multiple points along the Ukrainian outage "Kill-Chain":
• Penetration phase: segregating the OT network, by deploying firewall protection between sites (preferably a DPI industrial firewall) and implementing an extensive authentication mechanism, would have enabled detection of penetration attempts (as ICS-CERT already suggested in August 2014).
• An industrial IDS would have detected the open SSH connections used for communication between the networked substations and the attackers' command-and-control servers.
• Signature-based detection would have detected known malware (the Ukraine attackers used the BlackEnergy malware as well as known SSH backdoors, both of which have signatures).
• Analysis of the attackers' commands by an industrial IDS during the attack would assist post-attack forensic research.
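The three detections in the list above (boundary enforcement between the OT network and other sites, SSH sessions that cross that boundary from an unsanctioned source, and signature matching) can be illustrated with a small flow-level checker. The following is an added example written for this page, not Radiflow's code and not part of the original analysis; the subnets, the jump host, the allowed protocol list and the signature strings are all constructed placeholders, and the connection records are likewise constructed inline.

```python
"""Minimal OT boundary / SSH / signature checker over constructed flow records.

Added example, not Radiflow's code. Every address, subnet, port and
signature below is an assumption chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass

OT_NET = ipaddress.ip_network("10.20.0.0/16")          # assumed substation LAN
CONTROL_CENTER = ipaddress.ip_network("10.10.0.0/24")  # assumed control-centre LAN
JUMP_HOSTS = {ipaddress.ip_address("10.10.0.9")}       # the only sanctioned SSH source

# Cross-boundary flows the segmentation policy permits: (peer network, proto, dst port).
ALLOWED_FLOWS = [
    (CONTROL_CENTER, "tcp", 20000),  # DNP3 polling from the control centre
    (CONTROL_CENTER, "tcp", 502),    # Modbus/TCP polling from the control centre
]

# Placeholder signature identifiers; a real IDS carries vendor or community rules.
KNOWN_BAD_FINGERPRINTS = {"PLACEHOLDER-SIG-BLACKENERGY", "PLACEHOLDER-SIG-SSH-BACKDOOR"}


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    fingerprint: str  # what a signature engine reported for the session, or "none"


def parse_flow(line):
    """Parse one 'src,dst,proto,dport,fingerprint' record (constructed format)."""
    src, dst, proto, dport, fingerprint = line.strip().split(",")
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto, int(dport), fingerprint)


def inspect(flow):
    """Return the list of alert names raised by one flow (empty if benign)."""
    alerts = []
    src_ot = flow.src in OT_NET
    dst_ot = flow.dst in OT_NET
    if src_ot != dst_ot:  # the flow crosses the OT boundary
        peer = flow.dst if src_ot else flow.src
        allowed = any(peer in net and flow.proto == proto and flow.dport == port
                      for net, proto, port in ALLOWED_FLOWS)
        is_ssh = flow.proto == "tcp" and flow.dport == 22
        ssh_ok = is_ssh and flow.src in JUMP_HOSTS
        if is_ssh and not ssh_ok:
            # SSH into or out of the substation LAN from anything but the jump host
            alerts.append("ssh-across-ot-boundary")
        elif not allowed and not ssh_ok:
            alerts.append("segmentation-violation")
    if flow.fingerprint in KNOWN_BAD_FINGERPRINTS:
        alerts.append("signature-match")
    return alerts


def detect(lines):
    """Run inspect() over raw records; keep the raw line with each hit for forensics."""
    return [(line, inspect(parse_flow(line))) for line in lines
            if inspect(parse_flow(line))]


# Constructed sample records: src,dst,proto,dport,fingerprint
SAMPLE_FLOWS = [
    "10.10.0.5,10.20.1.3,tcp,20000,none",                        # DNP3 poll: allowed
    "10.10.0.9,10.20.1.3,tcp,22,none",                           # jump-host maintenance: allowed
    "10.20.1.3,203.0.113.7,tcp,22,none",                         # substation host opens SSH outbound
    "10.20.1.4,203.0.113.7,tcp,443,none",                        # outbound flow not in the allow-list
    "10.20.1.5,10.20.1.6,tcp,502,PLACEHOLDER-SIG-BLACKENERGY",   # intra-OT, but matches a signature
]

if __name__ == "__main__":
    for line, alerts in detect(SAMPLE_FLOWS):
        print(f"{line:55s} -> {', '.join(alerts)}")
```

Of the five constructed records, the two sanctioned flows pass silently, the outbound SSH session is reported separately from the generic boundary violation because it is the pattern the second bullet describes, and the intra-substation flow is caught only by the signature check, which is why the page lists signature detection alongside segmentation rather than as a substitute for it.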
Radiflow's new IDPS has already been successfully deployed at a renewable energy site operated by a large-scale European utility. This is in addition to the large number of Radiflow secure gateways and standalone IDSs already installed in utilities around the world.
To read the complete analysis paper, and for more information, visit http://www.radiflow.com