»Industroyer« – Anomalies remained unrecognized in critical infrastructures

, Leipzig
Picture thunder struck
  • Malware designed for critical infrastructures immobilized Ukrainian power grid
  • Threat situation is hardly comprehensible
  • Self-learning recognition of anomalies as fundamental safety measure for cyber security

15.6.2017, Leipzig, Germany – Critical infrastructures are still protected insufficiently. This becomes even more concrete since some new insights to a new malware called »Industroyer« or »CrashOverride«. It is believed to be responsible for certain attacks on the Ukrainian power grid right before Christmas 2016. Especially Kiev faded to black during this period on various days for some hours.

According to IT experts, »Industroyer« easily achieved to remain in the control systems of Ukrainian substations for weeks in order to spy out the specific sequences of communication within their control systems and proliferate them to the outside via the TOR network. The program could appropriate and imitate the language of the specific system through this procedure. From surface, deviating commands from the malware are hardly distinguishable from conventional communication of the machines within the system. Following the experts, the malware's high ability of mutability makes it also dangerous for other critical infrastructures besides just power grids and substations. »Industroyer« is different from previous malwares that were designed to harm specific facilities, like »Stuxnet«, which was specifically designed to attack Iranian separators for uranium enrichment. The new malware is more flexible and contains various modules to address different installations of critical infrastructure, which are commonly used in critical infrastructure.

»Obviously, this new program reveals once again, that critical infrastructure is not protected from attacks of unknown kinds,« Klaus Mochalski, CEO of Rhebo, states. »It is an illusion, that Firewalls, Virus scanners and Intrusion Detection Systems are enough to protect and safeguard controlling systems of critical infrastructure. Conventional strategies are just able to provide safety from already known threats. Forms of cyberattacks become increasingly specific and sophisticated. Consequentially, the threat is oftentimes detected when it is already too late.«

Therefore, it is also crucial to protect oneself against threats of unknown kinds. Network communication across power grids is usually very stable. Properly monitored, it is possible to detect deviations from the usual patterns of communication: so-called anomalies. »A comprehensive safety-strategy through the recognition of anomalies can prevent such threats. It guarantees a complete surveillance of the control network and looks for abnormalities to recognize them. »Industroyer« would have no chance against this profound strategy«, Klaus Mochalski is sure.

At this year's Hanover Fair the German Federal Ministry for Information Security (BSI) described self-learning anomaly detection as a central security strategy for the Industrial Internet of Things and Industry 4.0. Since the implementation of the new German IT Security Act in July 2015 it is prescribed to report disorders within control systems of critical infrastructures to the BSI. A tightening of this act, which means an extension to more industrial groups, was decided some days ago. Comprehensive observing and recording of every suspicious occurrences within the system is therefore crucial.

» »Industroyer« revealed after »WannaCry« once again the necessity of a complete monitoring of critical infrastructures. Every suspicious event in the system must be reported, regardless, if the threat is known or unknown. This is the Alpha and the Omega and the future of cyber security«, Klaus Mochalski is convinced.


About Klaus Mochalski

Klaus Mochalski is founder and CEO of the German technology company Rhebo. He has over ten years of experience in the development and marketing of technologies for network management and security. Two oft he companies he founded are now part of Rhode & Schwarz Cybersecurity group and now have over 200 employees. Before starting his first company, Klaus Mochalski worked in research and teaching at a number of international universities for five years.


About Rhebo

Rhebo is a German technology company specializing in the reliability of industrial control systems by means of surveilling the entire data communication. Its founders, Klaus Mochalski (CEO), Martin Menschner (CTO) and Frank Stummer (Business Development), each have more than 10 years of experience in the development and marketing of network management and IT security technologies. Klaus Mochalski and Frank Stummer were previously founders in the management of IT security companies ipoque, and Adyton Systems, which together now have more than 200 employees. During the same period, Martin Menschner was the responsible CTO at Adyton Systems as well as project manager for ipoque in the areas of network security and deep packet inspection.



Rhebo GmbH
Kristin Preßler (Head of Marketing)
Spinnereistr. 7
04179 Leipzig
Phone +49-341-393-790-180
Mobile: +49-162-1002085