Incident of the month: Malware activities in a substation

In a substation of a large distribution system operator (DSO), Rhebo Industrial Protector detected suspicious behavior: software on one device repeatedly tried to connect to other systems within the subnet via TCP. The connection attempts ultimately failed, but the anomaly detection assessed them as scan attempts.

Attack Through Authorized Channels

Rhebo Industrial Protector provided the control room operatives with the IP address of the source device. Since all authorized devices had already been identified by Rhebo during the initial ICS analysis and verified by the cybersecurity operatives, the source of the suspicious communication was identified as a registered maintenance laptop. The owner of the laptop was immediately contacted and ordered to take the laptop offline and hand it to IT.
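The two steps described above, flagging one source's repeated failed TCP connects across a subnet as scan-like and then attributing the source IP to the verified device inventory, as an added example that is not Rhebo's code; the log format, IP addresses, device names and the threshold of five distinct hosts are constructed assumptions:

```python
from collections import defaultdict

# Constructed sample connection records (hypothetical), as a substation
# network monitor might log them: time, src, dst, proto, dst port, outcome.
SAMPLE_LOG = """\
2019-03-04T10:15:01 10.20.5.41 10.20.5.10 TCP 445 FAILED
2019-03-04T10:15:02 10.20.5.41 10.20.5.11 TCP 445 FAILED
2019-03-04T10:15:02 10.20.5.41 10.20.5.12 TCP 445 FAILED
2019-03-04T10:15:03 10.20.5.41 10.20.5.13 TCP 445 FAILED
2019-03-04T10:15:03 10.20.5.41 10.20.5.14 TCP 139 FAILED
2019-03-04T10:15:04 10.20.5.41 10.20.5.15 TCP 139 FAILED
2019-03-04T10:15:05 10.20.5.7 10.20.5.10 TCP 102 OK
2019-03-04T10:15:06 10.20.5.8 10.20.5.10 TCP 2404 OK
"""

# Constructed asset inventory (hypothetical), standing in for the device list
# verified during the initial ICS analysis described in the text.
ASSET_INVENTORY = {
    "10.20.5.7": "RTU bay 1",
    "10.20.5.8": "IEC 104 gateway",
    "10.20.5.10": "substation controller",
    "10.20.5.41": "registered maintenance laptop",
}

def parse_log(text):
    """Parse whitespace-separated records into dicts; skip blank lines."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, proto, port, outcome = line.split()
            records.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                            "port": int(port), "outcome": outcome})
    return records

def find_scan_sources(records, min_hosts=5):
    """Sources whose TCP connections failed towards >= min_hosts distinct
    hosts: repeated failed connects across a subnet is the scan-like pattern."""
    failed = defaultdict(set)
    for r in records:
        if r["proto"] == "TCP" and r["outcome"] == "FAILED":
            failed[r["src"]].add(r["dst"])
    return {src: dsts for src, dsts in failed.items() if len(dsts) >= min_hosts}

def analyse(text, inventory=ASSET_INVENTORY, min_hosts=5):
    """Parse, detect scan-like sources and attribute each to an inventoried
    device so the operator knows which device to take off the network."""
    suspects = find_scan_sources(parse_log(text), min_hosts)
    return {src: (inventory.get(src, "UNKNOWN: not in verified inventory"),
                  sorted(dsts)) for src, dsts in suspects.items()}
```

A source that is not in the inventory is reported as unknown rather than dropped, since an unregistered device on the substation subnet is itself a finding.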

Network Scans & An Outdated Windows OS

The laptop was running an outdated Windows OS because the configuration software was not compatible with more recent versions. This left the laptop exposed to exploits that had been closed in newer Windows releases. Further analysis revealed that malware was active on the laptop. The malware’s communication was likely an attempt to scan for other instances of the same malware on the network.

Because the maintenance laptop was connected directly to a switch in the substation, the local firewall did not register the activity.

360° Intrusion Detection

The incident was generic malware activity not tailored to disrupt substation operation. However, it highlights the vulnerability of substation ICS if communication monitoring is restricted to the central control room – or not established at all. The affected DSO was able to react quickly to the unwanted – and potentially dangerous – communication because they have continuous ICS monitoring in place which covers the control room as well as the substations. That way, they can stop lateral movement and spillover effects directly at the source.

