Threat Analysis of BlackEnergy Malware for Synchrophasor based Real-time Control and Monitoring in Smart Grid

Rafiullah Khan; Peter Maynard; Kieran McLaughlin; David Laverty; Sakir Sezer

doi:10.14236/ewic/ICS2016.7

Threat Analysis of BlackEnergy Malware for Synchrophasor based Real-time Control and Monitoring in Smart Grid

Rafiullah Khan, Peter Maynard, Kieran McLaughlin, David Laverty, Sakir Sezer

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3003 Downloads (Pure)

Abstract

The BlackEnergy malware targeting critical infrastructures has a long history. It evolved over time from a simple DDoS platform to a quite sophisticated plug-in based malware. The plug-in architecture has a persistent malware core with easily installable attack specific modules for DDoS, spamming, info-stealing, remote access, boot-sector formatting etc. BlackEnergy has been involved in several high profile cyber physical attacks including the recent Ukraine power grid attack in December 2015. This paper investigates the evolution of BlackEnergy and its cyber attack capabilities. It presents a basic cyber attack model used by BlackEnergy for targeting industrial control systems. In particular, the paper analyzes cyber threats of BlackEnergy for synchrophasor based systems which are used for real-time control and monitoring functionalities in smart grid. Several BlackEnergy based attack scenarios have been investigated by exploiting the vulnerabilities in two widely used synchrophasor communication standards: (i) IEEE C37.118 and (ii) IEC 61850-90-5. Specifically, the paper addresses reconnaissance, DDoS, man-in-the-middle and replay/reflection attacks on IEEE C37.118 and IEC 61850-90-5. Further, the paper also investigates protection strategies for detection and prevention of BlackEnergy based cyber physical attacks.

Original language	English
Title of host publication	4th International Symposium for ICS & SCADA Cyber Security Research 2016
Publisher	BCS
Pages	53-63
Number of pages	11
DOIs	https://doi.org/10.14236/ewic/ICS2016.7
Publication status	Published - 25 Aug 2016
Event	4th International Symposium for ICS & SCADA Cyber Security Research 2016 - Belfast, United Kingdom Duration: 23 Aug 2016 → 25 Aug 2016 http://www.ics-csr.com

Conference

Conference	4th International Symposium for ICS & SCADA Cyber Security Research 2016
Abbreviated title	ICS-CSR 2016
Country	United Kingdom
City	Belfast
Period	23/08/2016 → 25/08/2016
Internet address	http://www.ics-csr.com

UN SDGs

This output contributes to the following Sustainable Development Goal(s)

Access to Document

10.14236/ewic/ICS2016.7Licence: Unspecified

Threat Analysis of BlackEnergy Malware for Synchrophasor based Real-time Control and Monitoring in Smart Grid
© 2016 The Authors.
Accepted author manuscript, 2.07 MBLicence: Unspecified

Fingerprint Dive into the research topics of 'Threat Analysis of BlackEnergy Malware for Synchrophasor based Real-time Control and Monitoring in Smart Grid'. Together they form a unique fingerprint.

1 Finished

R1452ECI: Converged Approach towards Resilient Industrial control systems and Cyber Assurance
Sezer, S., Laverty, D., McLaughlin, K., McLoone, S. & Morrow, D. J.
01/08/2014 → 31/12/2017
Project: Research

1 Membership of external research organisation

Research Institute in Trustworthy Industrial Control Systems (External organisation)
Kieran McLaughlin (Member)
2014 → …
Activity: Membership types › Membership of external research organisation

Cite this

@inproceedings{df705d06011e481b95cd59dbd3f29b09,

title = "Threat Analysis of BlackEnergy Malware for Synchrophasor based Real-time Control and Monitoring in Smart Grid",

abstract = "The BlackEnergy malware targeting critical infrastructures has a long history. It evolved over time from a simple DDoS platform to a quite sophisticated plug-in based malware. The plug-in architecture has a persistent malware core with easily installable attack specific modules for DDoS, spamming, info-stealing, remote access, boot-sector formatting etc. BlackEnergy has been involved in several high profile cyber physical attacks including the recent Ukraine power grid attack in December 2015. This paper investigates the evolution of BlackEnergy and its cyber attack capabilities. It presents a basic cyber attack model used by BlackEnergy for targeting industrial control systems. In particular, the paper analyzes cyber threats of BlackEnergy for synchrophasor based systems which are used for real-time control and monitoring functionalities in smart grid. Several BlackEnergy based attack scenarios have been investigated by exploiting the vulnerabilities in two widely used synchrophasor communication standards: (i) IEEE C37.118 and (ii) IEC 61850-90-5. Specifically, the paper addresses reconnaissance, DDoS, man-in-the-middle and replay/reflection attacks on IEEE C37.118 and IEC 61850-90-5. Further, the paper also investigates protection strategies for detection and prevention of BlackEnergy based cyber physical attacks.",

author = "Rafiullah Khan and Peter Maynard and Kieran McLaughlin and David Laverty and Sakir Sezer",

year = "2016",

month = aug,

day = "25",

doi = "10.14236/ewic/ICS2016.7",

language = "English",

pages = "53--63",

booktitle = "4th International Symposium for ICS & SCADA Cyber Security Research 2016",

publisher = "BCS",

note = "4th International Symposium for ICS & SCADA Cyber Security Research 2016, ICS-CSR 2016 ; Conference date: 23-08-2016 Through 25-08-2016",

url = "http://www.ics-csr.com",

}

Khan, R, Maynard, P, McLaughlin, K , Laverty, D & Sezer, S 2016, Threat Analysis of BlackEnergy Malware for Synchrophasor based Real-time Control and Monitoring in Smart Grid. in 4th International Symposium for ICS & SCADA Cyber Security Research 2016. BCS, pp. 53-63, 4th International Symposium for ICS & SCADA Cyber Security Research 2016, Belfast, United Kingdom, 23/08/2016. https://doi.org/10.14236/ewic/ICS2016.7

Threat Analysis of BlackEnergy Malware for Synchrophasor based Real-time Control and Monitoring in Smart Grid. / Khan, Rafiullah; Maynard, Peter; McLaughlin, Kieran ; Laverty, David ; Sezer, Sakir.

4th International Symposium for ICS & SCADA Cyber Security Research 2016. BCS, 2016. p. 53-63.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Threat Analysis of BlackEnergy Malware for Synchrophasor based Real-time Control and Monitoring in Smart Grid

AU - Khan, Rafiullah

AU - Maynard, Peter

AU - McLaughlin, Kieran

AU - Laverty, David

AU - Sezer, Sakir

PY - 2016/8/25

Y1 - 2016/8/25

N2 - The BlackEnergy malware targeting critical infrastructures has a long history. It evolved over time from a simple DDoS platform to a quite sophisticated plug-in based malware. The plug-in architecture has a persistent malware core with easily installable attack specific modules for DDoS, spamming, info-stealing, remote access, boot-sector formatting etc. BlackEnergy has been involved in several high profile cyber physical attacks including the recent Ukraine power grid attack in December 2015. This paper investigates the evolution of BlackEnergy and its cyber attack capabilities. It presents a basic cyber attack model used by BlackEnergy for targeting industrial control systems. In particular, the paper analyzes cyber threats of BlackEnergy for synchrophasor based systems which are used for real-time control and monitoring functionalities in smart grid. Several BlackEnergy based attack scenarios have been investigated by exploiting the vulnerabilities in two widely used synchrophasor communication standards: (i) IEEE C37.118 and (ii) IEC 61850-90-5. Specifically, the paper addresses reconnaissance, DDoS, man-in-the-middle and replay/reflection attacks on IEEE C37.118 and IEC 61850-90-5. Further, the paper also investigates protection strategies for detection and prevention of BlackEnergy based cyber physical attacks.

AB - The BlackEnergy malware targeting critical infrastructures has a long history. It evolved over time from a simple DDoS platform to a quite sophisticated plug-in based malware. The plug-in architecture has a persistent malware core with easily installable attack specific modules for DDoS, spamming, info-stealing, remote access, boot-sector formatting etc. BlackEnergy has been involved in several high profile cyber physical attacks including the recent Ukraine power grid attack in December 2015. This paper investigates the evolution of BlackEnergy and its cyber attack capabilities. It presents a basic cyber attack model used by BlackEnergy for targeting industrial control systems. In particular, the paper analyzes cyber threats of BlackEnergy for synchrophasor based systems which are used for real-time control and monitoring functionalities in smart grid. Several BlackEnergy based attack scenarios have been investigated by exploiting the vulnerabilities in two widely used synchrophasor communication standards: (i) IEEE C37.118 and (ii) IEC 61850-90-5. Specifically, the paper addresses reconnaissance, DDoS, man-in-the-middle and replay/reflection attacks on IEEE C37.118 and IEC 61850-90-5. Further, the paper also investigates protection strategies for detection and prevention of BlackEnergy based cyber physical attacks.

U2 - 10.14236/ewic/ICS2016.7

DO - 10.14236/ewic/ICS2016.7

M3 - Conference contribution

SP - 53

EP - 63

BT - 4th International Symposium for ICS & SCADA Cyber Security Research 2016

PB - BCS

T2 - 4th International Symposium for ICS & SCADA Cyber Security Research 2016

Y2 - 23 August 2016 through 25 August 2016

ER -

Threat Analysis of BlackEnergy Malware for Synchrophasor based Real-time Control and Monitoring in Smart Grid

Abstract

Conference

UN SDGs

Access to Document

R1452ECI: Converged Approach towards Resilient Industrial control systems and Cyber Assurance

Research Institute in Trustworthy Industrial Control Systems (External organisation)

Cite this