The Emergence of CosmicEnergy Malware and the Threats to the Electric Power Grid

Russian Malware Capable of Shutting Off Industrial Machinery Raises Concerns

A new piece of malware, dubbed "CosmicEnergy" by Mandiant, that can switch industrial equipment on and off has been found on VirusTotal (VT), the file-scanning service widely used in threat intelligence; the sample was uploaded there from Russia in December 2021. Mandiant assesses that the tool may have been built for a power-disruption red-team exercise run by the Russian cybersecurity company Rostelecom-Solar, because a comment in its code references "Solar Polygon", a cyber range associated with that company. According to Mandiant's researchers, the malware can threaten electric grid assets by manipulating a type of industrial control device known as a remote terminal unit (RTU).

The Functioning of CosmicEnergy

CosmicEnergy uses two components to cause a power disruption. PieHop is a Python tool (packaged with PyInstaller) that connects to a user-supplied MSSQL server to retrieve files and then launches Lightwork against a target RTU. Lightwork is a C++ tool that implements the IEC 60870-5-104 (IEC-104) protocol and sends ON/OFF commands to the RTU over TCP, changing the state of the points the RTU controls; it deletes its own executable after the commands have been issued. One caveat from Mandiant's analysis: the PieHop sample contains logic errors that prevent it from completing the IEC-104 control sequence as written, although those errors would be easy to correct.

Insecure Industrial RTUs

Industrial control devices such as RTUs are insecure by design rather than merely unpatched. As Mandiant's researchers note, they were built to run on isolated, trusted networks, so no security controls were added to the devices themselves. The protocols they speak, IEC-104 included, are "open" in the sense that they carry no authentication: any host that can open a TCP connection to the RTU's control port can issue the same commands as the legitimate SCADA master. Most RTUs also send and receive this traffic in cleartext, so commands can be observed and replayed on the wire.

The Challenges of OT Security

Operational Technology (OT) has different priorities from IT because of the physical processes it supports. Safety and availability come first: a controller must respond within its cycle time and must never be left in an unsafe state, whereas traditional IT security usually puts confidentiality of data first. Controls that are routine in IT (patching, endpoint agents, encryption and authentication on every connection) can add latency, require downtime, or simply not be supported by a device that has been in service for decades. This is why detection remains the most practical defence against threats like CosmicEnergy: monitor the control network for commands that should not be there, and treat any behaviour a controller was not expected to exhibit as suspicious.

Editorial

The delivery of essential services such as water, energy, and food relies on industrial machines that are increasingly networked and digitized. Control devices that will obey any host able to reach them are a national security liability when the host belongs to a hostile state actor. It is therefore essential that the US government invests resources in securing critical national infrastructure.

Advice

  • Industrial control devices like RTUs should be reachable only from a segmented, access-controlled network; where the device supports it (for example the IEC 62351 extensions for IEC-104), enable authentication and encryption on their inbound and outbound data flows.
  • Monitor the control network and alert on any command that does not come from a known SCADA master, arrives outside the expected schedule, or targets an unexpected address; every command sent to a controller should be scrutinized.
  • Personnel who work in critical infrastructure environments must receive security awareness training on a regular basis.
  • All industrial systems that run critical infrastructure in the US should be assessed for vulnerabilities and their systemic risk minimized.
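The following Python script is an added example, not code from Mandiant's report or from CosmicEnergy itself. It ties the "Functioning of CosmicEnergy" section to the monitoring advice above: it parses IEC-104 APDUs of the kind Lightwork sends to an RTU (frame layout per IEC 60870-5-104), decodes single and double commands, and flags control commands whose source is not a known SCADA master. It also generalizes slightly beyond the ON/OFF case by covering regulating-step and time-tagged commands. The IP addresses, the allow-list and the captured records are constructed for the example.

```python
"""Added example (not Mandiant's or CosmicEnergy's code): flag IEC-104 control
commands from hosts that are not known SCADA masters. Addresses and the
captured records below are constructed for illustration."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

START_BYTE = 0x68
COT_ACTIVATION = 6   # cause of transmission "activation": a master issuing a command

# Type identifications that change process state (the ones an RTU acts on).
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}

@dataclass
class Asdu:
    type_id: int
    cot: int              # cause of transmission (low 6 bits of the COT byte)
    common_addr: int      # common address of ASDU (station address)
    ioa: int              # information object address (the point being switched)
    state: Optional[str]  # "ON"/"OFF" for single/double commands, else None
    select: bool          # S/E bit: True = select phase, False = execute

def parse_apdu(buf: bytes) -> Optional[Asdu]:
    """Parse one APDU; return its ASDU for I-frames, None for S/U frames."""
    if len(buf) < 6 or buf[0] != START_BYTE:
        raise ValueError("not an IEC-104 APDU")
    if buf[1] != len(buf) - 2:        # length byte excludes start and length bytes
        raise ValueError("APDU length field does not match buffer")
    if buf[2] & 0x01:                 # control byte 1: ..01 = S-frame, ..11 = U-frame
        return None                   # supervisory/unnumbered frames carry no ASDU
    asdu = buf[6:]
    if len(asdu) < 10:                # type, VSQ, COT(2), CA(2), IOA(3), one element byte
        raise ValueError("ASDU too short")
    type_id, _vsq, cot_lo, _originator, common_addr = struct.unpack_from("<BBBBH", asdu, 0)
    ioa = int.from_bytes(asdu[6:9], "little")
    elem = asdu[9]
    state, select = None, False
    if type_id in (45, 58):           # SCO: bit0 = SCS (1 on, 0 off), bit7 = S/E
        state = "ON" if elem & 0x01 else "OFF"
        select = bool(elem & 0x80)
    elif type_id in (46, 59):         # DCO: bits0-1 = DCS (1 off, 2 on), bit7 = S/E
        state = {1: "OFF", 2: "ON"}.get(elem & 0x03, "INVALID")
        select = bool(elem & 0x80)
    return Asdu(type_id, cot_lo & 0x3F, common_addr, ioa, state, select)

def build_single_command(ioa: int, on: bool, common_addr: int = 1, select: bool = False) -> bytes:
    """Encode a C_SC_NA_1 activation as an I-frame (sequence numbers 0/0) for test data."""
    sco = (0x01 if on else 0x00) | (0x80 if select else 0x00)
    asdu = (struct.pack("<BBBBH", 45, 1, COT_ACTIVATION, 0, common_addr)
            + ioa.to_bytes(3, "little") + bytes([sco]))
    ctrl = bytes(4)
    return bytes([START_BYTE, len(ctrl) + len(asdu)]) + ctrl + asdu

@dataclass
class Alert:
    src: str
    reason: str
    asdu: Optional[Asdu]

def detect_unauthorised_commands(records: Iterable[Tuple[str, bytes]],
                                 allowed_masters: set) -> List[Alert]:
    """records: (source IP, APDU bytes) seen heading to the RTU's IEC-104 port (TCP 2404)."""
    alerts: List[Alert] = []
    for src, raw in records:
        try:
            asdu = parse_apdu(raw)
        except ValueError as exc:     # malformed traffic on the control port is itself suspicious
            alerts.append(Alert(src, f"malformed APDU: {exc}", None))
            continue
        if asdu is None or asdu.type_id not in CONTROL_TYPE_IDS:
            continue                  # S/U frames and monitoring data are not commands
        if asdu.cot != COT_ACTIVATION:
            continue                  # confirmations/terminations originate from the RTU
        if src not in allowed_masters:
            alerts.append(Alert(src, f"{CONTROL_TYPE_IDS[asdu.type_id]} "
                                     f"{asdu.state or ''} IOA {asdu.ioa} from unknown master", asdu))
    return alerts

# Constructed capture: one legitimate HMI and one unknown host behaving like Lightwork.
ALLOWED_MASTERS = {"10.1.0.5"}
SAMPLE_RECORDS = [
    ("10.1.0.5", build_single_command(1001, on=True)),                # expected master
    ("10.1.0.99", bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])),       # U-frame STARTDT act: no ASDU
    ("10.1.0.99", build_single_command(1001, on=False)),              # breaker OFF from unknown host
    ("10.1.0.99", build_single_command(1002, on=True, select=True)),  # select phase, still COT 6
    ("10.1.0.99", bytes([0x68, 0x10, 0x00, 0x00, 0x00, 0x00])),       # truncated APDU
]

def run_sample() -> List[Alert]:
    return detect_unauthorised_commands(SAMPLE_RECORDS, ALLOWED_MASTERS)

for a in run_sample():
    print(f"{a.src}: {a.reason}")
```

The allow-list check is deliberately simple; in a real deployment the same parser would feed a span-port or tap collector and the source identity could be a MAC address or switch port rather than an IP, since IEC-104 offers nothing stronger. The detector ignores confirmations (COT 7, 9, 10) because those come back from the RTU, and treats a select (S/E = 1) the same as an execute: both are activations that no unknown host should be issuing.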