Threat Intelligence

Industroyer and CrashOverride: Grid-Specific ICS Malware

On the night of 17 December 2016, the Pivnichna substation north of Kyiv went dark for roughly an hour, cutting power to part of the Ukrainian capital. The cause was Industroyer, also called CrashOverride: the first known malware purpose-built to attack electricity grids by speaking the industrial protocols that substations use natively. Unlike ransomware, which disrupts operations as a side effect, Industroyer was engineered to open circuit breakers directly, and in 2022 a refined variant, Industroyer2, was deployed in an attempt to cause a far larger Ukrainian outage.

Industroyer caused a 2016 Kyiv blackout; Industroyer2 was deployed against the grid again in 2022

Malware that speaks the language of substations

What set Industroyer apart was its native understanding of industrial control protocols. Rather than hijacking a human operator's HMI session, it carried payload modules that spoke IEC 60870-5-104, IEC 61850, IEC 60870-5-101 and OPC DA directly. Its IEC 104 payload, for example, could be pointed at a target device and configured to sweep a range of information object addresses, toggling each one in turn, so the attacker did not have to map every breaker to its address before the attack; the IEC 61850 and OPC DA payloads went further and discovered controllable devices on the network themselves.

  • IEC 60870-5-104: telecontrol over TCP/IP, widely used in European substations
  • IEC 61850: the modern substation automation standard for protection and control
  • IEC 60870-5-101: serial telecontrol still present in older installations
  • OPC Data Access: a common bridge between control systems and Windows applications

A modular, reusable weapon

Industroyer was built as a framework rather than a one-off tool. A main backdoor, with a backup backdoor for persistence, managed a launcher that ran interchangeable payload modules on a schedule, alongside a data wiper that cleared service registry entries and ICS configuration files to leave hosts unbootable on the way out, a port scanner for mapping the network, and a denial-of-service tool that exploited CVE-2015-5374 to knock Siemens SIPROTEC protection relays offline. This modular design meant the same platform could in principle be retargeted against other grids running the same standardised protocols, which is precisely what made it so significant for operators outside Ukraine.

Industroyer2 in 2022 showed the threat had not gone away

In April 2022, during the Russian invasion of Ukraine, CERT-UA and ESET identified Industroyer2 on the network of a Ukrainian energy provider, scheduled to execute on 8 April alongside CaddyWiper and other destructive tools. Industroyer2 was slimmer than its predecessor: a single executable implementing only IEC 60870-5-104, with the target substations' addresses hard-coded into it rather than read from a configuration file. The attack was thwarted before the scheduled run, but it confirmed that grid-aware malware, attributed by both organisations to the Sandworm group, remains an active and evolving capability, not a historical curiosity.

Defending substations against protocol-aware malware

Industroyer succeeded because, once it had a foothold on a Windows workstation with a route to the substation network, nothing stopped it from issuing valid protocol commands: IEC 60870-5-104 and IEC 61850 MMS carry no authentication in their base form (the IEC 62351 extensions add it but are rarely deployed), so any host that can reach an RTU on the right port is trusted. Defence therefore centres on segmenting and monitoring the OT network, controlling the engineering workstations that bridge IT and OT, and detecting anomalous control commands rather than just known malware signatures.

  • Segment substation and control networks with monitored, rule-enforced boundaries: only the SCADA masters should be able to reach RTUs and IEDs on TCP 2404 (IEC 104) and TCP 102 (IEC 61850 MMS), and engineering access should go through a jump host, not a flat network
  • Lock down and monitor engineering workstations, the usual launch point for ICS payloads: application allow-listing, no direct internet or e-mail access, and alerts on newly created services and scheduled tasks
  • Deploy passive detection on the substation LAN that decodes IEC 60870-5-104 and IEC 61850 and alerts on control commands from an unexpected host, on one host commanding many addresses in quick succession, and on new talkers to RTUs, rather than relying on malware signatures alone
  • Maintain manual and local control fallbacks so a digital attack cannot fully disable a site; the 2016 Kyiv outage ended when operators restored the substation by hand
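The following is an added example, not code from the page nor from ESET's or Dragos's analyses: a small Python decoder for IEC 60870-5-104 frames with a detector for the two behaviours just described, a process-control command from a host that is not an authorised master, and one host activating many distinct information object addresses within a short window, which is what the range-sweep behaviour described under "Malware that speaks the language of substations" looks like on the wire. The IP addresses, common address, IOA numbers and thresholds are constructed for illustration, and the frames are produced by the block's own encoder so it runs offline.

```python
"""Decode IEC 60870-5-104 APDUs and flag Industroyer-style breaker commands.
Added example, not code from the page, ESET or Dragos; field layouts follow
the public IEC 60870-5-104 standard, and every address and frame is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Process-control ASDU type identifiers (direct commands and time-tagged forms).
CONTROL_TYPES = {
    45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1", 48: "C_SE_NA_1",
    49: "C_SE_NB_1", 50: "C_SE_NC_1", 51: "C_BO_NA_1", 58: "C_SC_TA_1",
    59: "C_DC_TA_1", 60: "C_RC_TA_1", 61: "C_SE_TA_1", 62: "C_SE_TB_1",
    63: "C_SE_TC_1", 64: "C_BO_TA_1",
}
# Information element size in bytes for the types this example walks fully.
ELEMENT_SIZE = {1: 1, 45: 1, 46: 1, 47: 1, 58: 8, 59: 8, 60: 8, 100: 1}
COT_ACTIVATION = 6

@dataclass
class Asdu:
    type_id: int
    cot: int
    common_addr: int
    ioas: list  # information object addresses carried by the ASDU

def parse_apdu(data: bytes):
    """Return the Asdu of an I-format APDU, or None for S/U-format frames."""
    if len(data) < 6 or data[0] != 0x68 or data[1] + 2 != len(data):
        raise ValueError("malformed IEC 104 APDU")
    if data[2] & 0x01:             # bit 0 set: S-format (01) or U-format (11)
        return None
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq = asdu[0], asdu[1]
    sq, count = vsq >> 7, vsq & 0x7F
    cot = asdu[2] & 0x3F           # bits 6 and 7 are the P/N and test flags
    common_addr = asdu[4] | (asdu[5] << 8)
    body, ioas = asdu[6:], []
    if sq:                         # SQ=1: one IOA, then `count` consecutive elements
        if len(body) < 3:
            raise ValueError("IOA truncated")
        base = body[0] | (body[1] << 8) | (body[2] << 16)
        ioas = [base + i for i in range(count)]
    else:                          # SQ=0: every object carries its own IOA
        off, size = 0, ELEMENT_SIZE.get(type_id)
        for _ in range(count):
            if len(body) < off + 3:
                raise ValueError("IOA truncated")
            ioas.append(body[off] | (body[off + 1] << 8) | (body[off + 2] << 16))
            if size is None:       # unknown element size: cannot walk further
                break
            off += 3 + size
    return Asdu(type_id, cot, common_addr, ioas)

def build_i_frame(type_id, cot, common_addr, objects, send_seq=0, recv_seq=0):
    """Encode an I-format APDU; `objects` is a list of (ioa, element_bytes)."""
    asdu = bytes([type_id, len(objects), cot, 0, common_addr & 0xFF, common_addr >> 8])
    for ioa, elem in objects:
        asdu += bytes([ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF]) + elem
    ctrl = bytes([(send_seq << 1) & 0xFE, (send_seq >> 7) & 0xFF,
                  (recv_seq << 1) & 0xFE, (recv_seq >> 7) & 0xFF])
    return bytes([0x68, 4 + len(asdu)]) + ctrl + asdu

def detect(records, allowed_masters, sweep_threshold=5, window=10.0):
    """records: iterable of (timestamp, src_ip, dst_ip, apdu_bytes). Returns
    (kind, src, detail) alerts for a control command from a host outside
    allowed_masters, and for one host activating sweep_threshold or more
    distinct IOAs within `window` seconds (an Industroyer-style range sweep)."""
    alerts, per_src = [], defaultdict(list)
    for ts, src, dst, frame in records:
        asdu = parse_apdu(frame)
        if asdu is None or asdu.type_id not in CONTROL_TYPES:
            continue
        name = CONTROL_TYPES[asdu.type_id]
        if src not in allowed_masters:
            alerts.append(("unauthorised_master", src, f"{name} to {dst}, IOAs {asdu.ioas}"))
        if asdu.cot == COT_ACTIVATION:
            kept = [(t, i) for t, i in per_src[src] if ts - t <= window]
            per_src[src] = kept + [(ts, ioa) for ioa in asdu.ioas]
            recent = {ioa for _, ioa in per_src[src]}
            if len(recent) >= sweep_threshold:
                alerts.append(("ioa_sweep", src, f"{len(recent)} distinct IOAs to {dst}"))
                per_src[src].clear()   # report each sweep once
    return alerts

# Constructed traffic: one HMI (authorised master), one engineering host, one RTU.
HMI, ENG, RTU = "10.1.1.10", "10.1.1.50", "10.1.2.20"
SAMPLE = [
    (0.0, HMI, RTU, build_i_frame(100, 6, 1, [(0, b"\x14")])),   # general interrogation
    (0.1, RTU, HMI, build_i_frame(1, 20, 1, [(1001, b"\x01"), (1002, b"\x00")])),  # status replies
    (5.0, HMI, RTU, build_i_frame(46, 6, 1, [(1001, b"\x02")])),  # operator: double command ON
] + [  # attacker on the engineering host sends OFF (DCS=1) to IOAs 1001..1008 in turn
    (60.0 + 0.2 * i, ENG, RTU, build_i_frame(46, 6, 1, [(1001 + i, b"\x01")]))
    for i in range(8)
]

if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE, allowed_masters={HMI}):
        print(f"{kind:20} {src:12} {detail}")
```

Run as a script, the engineering host's sweep yields one unauthorised_master alert per command and a single ioa_sweep alert, while the operator's routine interrogation and single breaker operation produce nothing. A production version would take frames from TCP reassembly of port 2404 on a SPAN port or tap, track the select/execute qualifier and the activation-confirmation ASDUs, and tune the window and threshold to the site's normal switching rate; the encoder is only here so the example runs offline.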

How Kyanite Blue and Sophos defend against grid malware

Stopping protocol-aware malware means catching the intrusion before it reaches the substation network and detecting the abnormal behaviour if it does. Kyanite Blue deploys Sophos Managed Detection and Response, backed by deep-learning threat detection and next-generation firewalls, to watch the IT and OT boundary around the clock. The Sophos MDR team hunts for the lateral movement, wiper deployment and command-and-control behaviour that characterised both Industroyer campaigns, while firewall segmentation keeps the corporate network from offering an easy path into control systems. We design the architecture so that an Industroyer-style payload finds no quiet route from a phished laptop to a circuit breaker.

Frequently Asked Questions

What is the difference between Industroyer and CrashOverride?

They are two names for the same malware family discovered after the 2016 Kyiv blackout. ESET, which analysed the samples, named it Industroyer; Dragos published its own analysis in June 2017 under the name CrashOverride. Both refer to the modular, protocol-aware framework built specifically to manipulate electricity grid control systems.

Could Industroyer affect a UK or European substation?

The risk is real because Industroyer targets standardised international protocols such as IEC 60870-5-104 and IEC 61850 that are used widely across European grids, including the UK. The malware was not hard-coded to a single Ukrainian site; its modular design means the technique could be adapted to other operators running the same standards, which is why segmentation and OT monitoring matter everywhere.

How was Industroyer2 stopped in 2022?

Industroyer2 was found by CERT-UA, working with ESET, on the network of a Ukrainian energy company before its scheduled execution on 8 April 2022. The combination of threat intelligence sharing, rapid detection and prepared incident response prevented a major outage, illustrating why monitoring and response capability, not just prevention, is essential against state-grade grid malware.

Harden your substation and OT networks with Kyanite Blue

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.


