For the three Ukrainian power companies that suspected Russian hackers pried their way into in 2015, the pain wasn’t over when the attackers opened the companies’ circuit breakers and sent 225,000 people into darkness.
The intruders also planted malicious code on key equipment at power substations, preventing engineers from remotely closing the circuit breakers and slowing the effort to restore power.
The way the hackers blinded the Ukrainian power firms to their own operations is still studied by utilities around the world, and security specialists investigating critical electric equipment. A group of researchers at cybersecurity company Trend Micro on Wednesday added important data to those efforts by revealing multiple vulnerabilities in the same types of devices exploited by the Russians five years ago.
By making their findings public, researchers are prompting organizations to further scrutinize the little black boxes that serve as translators on key networks. The research covered vendors in France, Taiwan and the U.S.
“These devices tend to be overlooked,” said Trend Micro’s Marco Balduzzi, who will present his findings at the Black Hat virtual hacking conference this week. “There are some vendors that are security-conscious and others that are not.”
The researchers tested five protocol gateways, which are small boxes that translate communications between different devices at industrial facilities, including those that monitor temperatures and interact with machinery. They found multiple vulnerabilities, the most critical of which, if exploited, could allow a hacker to disable sensors for monitoring a facility’s temperature and performance. (Doing that would first require accessing a software program that is fairly deep within a facility’s network and not on corporate systems.)
Other issues found by the Trend Micro analysts include a weak encryption implementation and a bug that could allow an attacker to send malicious packets to the gateways, forcing them to reboot.
The researchers spent multiple months trying to help get patches issued for the devices, with mixed success. The most critical of the vulnerabilities hasn’t been fixed. The vendor, Taiwan-based Nexcom, told Balduzzi’s team that the product is “end-of-life” and won’t be receiving updates. A newer model is now on the market. Nexcom did not respond to a request for comment Wednesday on the research.
Daniel dos Santos, research manager at Forescout Technologies, agreed that protocol gateways haven’t attracted enough security scrutiny in the industry. For dos Santos, the Trend Micro report highlights “the need for everybody to be aware of all the assets in the network, and not just what we tend to think of as the most critical stuff.”
After the 2015 Ukraine hack, some security experts took it on themselves to show how protocol gateways could be exploited at other utilities. Jason Larsen, a researcher at cybersecurity company IOActive, replicated the Russian attack for a European power company, making his way to the utility’s substation network.