A growing consensus is forming among experts that a coordinated cyberattack on a Ukrainian electric utility caused a blackout late last month, raising hard new questions for US policymakers and utilities about power grid security in this country.
"This is as big a wake-up call as you get," says Joe Weiss, an industry expert on the industrial control systems used to run large and small utilities.
The attack occurred on Dec. 23 and caused blackouts for several hours in the Ivano-Frankivsk region of Ukraine. One affected utility, Kyivoblenergo, notified customers that the outage resulted from an "illegal entry" into its information technology system. In all, 30 substations were disconnected from the grid in the attack, affecting some 80,000 customers.
While US cybersecurity experts and policymakers have long warned that hackers could take aim at utilities, Mr. Weiss and others say the grid is still too vulnerable to attack.
One major problem, says Weiss, is that the energy industry's current cybersecurity standard, the North American Electric Reliability Corporation's Critical Infrastructure Protection plan, exempts many operators who are part of the US power grid. That includes small power distributors such as those targeted in Ukraine. Rather, the industry oversight group focuses mostly on large power generators.
Unlike regulators, however, cybercriminals don't make bureaucratic distinctions about the likelihood of compromising a target or the size or function of the facilities they attack, Weiss says.
"The bad guys don’t have org charts. They don’t say, 'That’s outside of scope,'" he says. "Until we’re able to link software vulnerabilities to reliability and safety – until we look at both systems and their impact – we’ve got a big problem."
Researchers at SANS Institute, a cybersecurity education nonprofit, are among those who have concluded that "cyberattacks were directly responsible for power outages in Ukraine."
Writing last week, SANS researcher Michael Assante said the incident in Ukraine is the first publicly acknowledged intrusion into energy-sector control systems that resulted in a loss of service.
The attack is also notable for the attackers' apparent use of a distributed denial of service, or DDoS, attack against phone support centers operated by the utilities. That tactic blocked calls from customers to the utility and denied engineers another line of sight to what was transpiring on the network, Mr. Assante noted.
The security firm ESET was first to analyze the software discovered on the networks of the Ukrainian operators, connecting the attack to the use of malicious software programs dubbed "KillDisk" and "BlackEnergy," which had been used in attacks on media outlets during the 2015 Ukrainian local elections.
Additional research published last week by the information security firm iSight Partners further linked malicious software used in the attacks with an ongoing malicious software campaign by a group dubbed "The Sandworm Team" that has links to the Russian government.
"It’s gotten to the point of where we have a fairly solid attribution to The Sandworm Team," says Stephen Ward of iSight, which has been monitoring the activities of the hacking group since 2014.
Using malicious software attacks against information technology assets and then using that access to pivot to industrial systems is common in industrial cyberattacks, says Barak Perelman, chief executive officer of Indegy, which sells industrial control system monitoring and security systems.
Attackers use their foothold on a network to exploit known vulnerabilities in industrial control system (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. Previously undiscovered – or "zero-day" – vulnerabilities may be exploited, says Mr. Perelman. But hackers can usually count on finding known and unpatched security holes, or weakly secured industrial control and SCADA systems that offer little resistance, he says.
Despite a growing consensus about the Ukrainian incident, many unanswered questions remain. Analysts have placed the malicious BlackEnergy and KillDisk programs at the scene of the crime. But more analysis is needed to determine if that malware was directly responsible for the blackout, security experts agree.
"We don’t know what additional payload was used to disrupt the power or whether they had capabilities for remote access and control," says Mr. Ward of iSight.
Weiss agrees. "This is a case where there is both smoke and fire. The issue is: We don’t know yet what caused the fire. We don’t know the specific mechanism by which the breakers were opened. We just know that they did open breakers and that’s how the lights went out."
The distinction is important, because BlackEnergy isn’t unique to Ukrainian utilities. In fact, it has been detected on the networks of US critical infrastructure operators. The Department of Homeland Security warned in October 2014 that it identified a "sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments." The campaign relied on a "variant of the BlackEnergy malware" and had been ongoing since at least 2011, according to DHS.
At the time, DHS said it did not know of any attempts to "damage, modify, or otherwise disrupt the victim systems' control processes." DHS couldn’t "verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system."
But, experts worry, the Ukraine incident proves that such a leap is possible – and that attackers are willing to take it. "The point is: They had this information from the Ukrainian utilities," says Weiss. "The second point is: They have our information."