Cybercriminals have especially designed malware to disrupt the operation of industrial control systems (ICS), particularly electrical substations. The malware CrashOverride/Industroyer is capable of directly controlling switches and circuit breakers in electrical substation circuits.

It works with four industrial protocols that are used in the power sector, transport management, water supply and other types of critical infrastructure. The developers of the program can reconfigure it to attack any industrial environment where target communication protocols are used.

The malware includes another tool that exploits vulnerabilities in the Siemens SIPROTEC family of protection relays. Devices can be made to stop responding by sending them a specially crafted data packet. To re-enable a device, it has to be manually rebooted.

If the malware uses the tool, in the event of a critical situation in an electrical network, the damage may not be limited to a power failure; the attack could damage equipment due to relay protection and control systems failing to work properly. If overloads are planned in a certain way, an attack in one place can result in cascading power shutdowns at several substations.

Experts say CrashOverride/Industroyer may have been connected with the December 2016 blackout in Kiev, when a Ukrenergo substation serving the north of Kiev malfunctioned. According to Ukrenergo representatives, the failure at the substation was due to an external impact on its SCADA systems, and there is currently no direct proof that this malware has been involved in any known attacks against power sector facilities.

The capabilities of CrashOverride/Industroyer mean the developers are very skilled and have thorough knowledge of the way industrial control systems work in electric power sector facilities. It is unlikely that this kind of malware could be developed without access to the hardware used in such facilities.

All of this means that CrashOverride/Industroyer is a true cyberweapon targeting industrial systems. It is perhaps the most serious known threat to industrial control systems since Stuxnet. Be on guard.