
How does CrashOverride malware threaten industrial control systems?

CrashOverride malware targets industrial control systems and can wreak havoc. Expert Judith Myerson explains the capabilities of the malware and what to do to stop it.

I heard about the CrashOverride malware, which targets industrial control systems. What does it do? What should enterprises do to prevent an attack?

CrashOverride shut down part of Ukraine's power grid in December 2016. The National Cybersecurity and Communications Integration Center started investigating the malware strain after this incident, and the cybersecurity firms ESET and Dragos have already published reports on it.

What's already known is that the malware can target any organization that uses specific industrial control system (ICS) protocols. While these ICS protocols aren't used in the United States, the malware's plug-in components could be modified to attack the United States' power grid, as well as other critical information networks and systems.

CrashOverride exploits the lack of authentication and authorization in the ICS protocols it speaks: remote terminal units accept any valid command, regardless of who issued it. The malware also denies service to local serial COM ports on Windows devices, so communication with field equipment stops working. It uses Open Platform Communications (OPC) to scan and map ICS environments.

CrashOverride can also exploit Siemens relay devices that are vulnerable to denial-of-service attacks. The relay normally opens circuit breakers when it detects dangerous power levels, so if the relay is maliciously shut down, it must be manually reset to restore functionality.

Another capability of the CrashOverride malware is a wiper module that renders Windows systems useless, forcing a time-consuming and costly rebuild or restoration from backup.

To prevent a CrashOverride malware attack, critical infrastructure organizations should follow best practices as outlined in "Seven Steps to Effectively Defend Industrial Control Systems," a paper released by the U.S. Department of Homeland Security, the National Security Agency and the FBI. The steps are:

  1. implement application whitelisting;
  2. ensure proper configuration and patch management;
  3. reduce your attack surface area;
  4. build a defendable environment;
  5. manage authentication (and authorization);
  6. implement secure remote access; and
  7. monitor and respond.

ICS-CERT provides updates on control system vulnerabilities, mitigation strategies and other cybersecurity issues. The ICS and network monitoring tools your organization uses must be free of vulnerabilities. Automatic tool and patch downloads from trusted vendors should help the organization stay current.
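Because the ICS protocols described above accept any well-formed command, the compensating control is to enforce at the network layer which hosts may command an RTU and to alert on everything else (steps 5 and 7). The following detector is an added example, not code from the article or from ESET or Dragos: it reads a constructed command-log format, flags commands from hosts outside a hypothetical allowlist, and flags bursts of breaker-open commands to one RTU.

```python
import re
from collections import defaultdict

# Constructed log format for this example: "<unix_ts> <src_ip> -> <rtu_id> <command>"
LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+) (\S+)$")

# Hypothetical allowlist: only these HMI/SCADA hosts may command RTUs.
AUTHORIZED_SOURCES = {"10.0.1.10", "10.0.1.11"}

# More than BURST_LIMIT breaker-open commands to one RTU within WINDOW
# seconds is flagged; a relay being toggled repeatedly is not normal operation.
BURST_LIMIT = 3
WINDOW = 60


def analyze(lines):
    """Return a list of (alert_type, detail) tuples, one per offending line."""
    alerts = []
    opens = defaultdict(list)  # rtu_id -> timestamps of recent breaker-open commands
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed record; a real pipeline would count these too
        ts, src, rtu, cmd = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        if src not in AUTHORIZED_SOURCES:
            alerts.append(("unauthorized_source", f"{src} sent {cmd} to {rtu}"))
        if cmd == "BREAKER_OPEN":
            recent = [t for t in opens[rtu] if ts - t <= WINDOW]
            recent.append(ts)
            opens[rtu] = recent
            if len(recent) > BURST_LIMIT:
                alerts.append(("open_burst", f"{len(recent)} opens to {rtu} in {WINDOW}s"))
    return alerts


# Constructed sample: one legitimate open, then an unknown host hammering the RTU.
SAMPLE_LOG = [
    "1700000000 10.0.1.10 -> RTU-7 READ_STATUS",
    "1700000005 10.0.1.10 -> RTU-7 BREAKER_OPEN",
    "1700000010 10.0.5.99 -> RTU-7 BREAKER_OPEN",
    "1700000012 10.0.5.99 -> RTU-7 BREAKER_OPEN",
    "1700000014 10.0.5.99 -> RTU-7 BREAKER_OPEN",
    "1700000016 10.0.5.99 -> RTU-7 BREAKER_OPEN",
]

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print(kind, detail)
```

On the sample log the detector raises four unauthorized-source alerts and two burst alerts, both tied to the unlisted host 10.0.5.99.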


This was last published in August 2017
