Modern field guide to security and privacy

Experts: Ukrainian cyberattack on power supply a 'wake-up call' for US

With consensus growing that hackers caused a widespread power outage in Ukraine last month, many security experts worry whether the US grid could withstand such an attack.

Reuters

A growing consensus is forming among experts that a coordinated cyberattack on a Ukrainian electric utility caused a blackout late last month, raising hard new questions for US policymakers and utilities about power grid security in this country.

"This is as big a wake-up call as you get," says Joe Weiss, an industry expert on industrial control system used to run large and small utilities.

The attack occurred on Dec. 23 and caused blackouts for several hours in the Ivano-Frankivsk region of Ukraine. One affected utility, Kyivoblenergo, notified customers that the outage resulted from an "illegal entry" into its information technology system. In all, 30 substations were disconnected from the grid in the attack, affecting some 80,000 customers.

While US cybersecurity experts and policymakers have long warned that hackers could take aim at utilities, Mr. Weiss and others say the grid is still too vulnerable to attack. 

One major problem, says Weiss, is that the energy industry's current cybersecurity standard, the North American Electric Reliability Corporation's Critical Infrastructure Protection plan, exempts many operators who are part of the US power grid. That includes small power distributors such as those targeted in Ukraine. Rather, the industry oversight group focuses mostly on large power generators.

Unlike regulators, however, cybercriminals don't make bureaucratic distinctions about the likelihood of compromising a target or the size or function of the facilities they attack, Weiss says.

"The bad guys don’t have org charts. They don’t say, 'That’s outside of scope,' " he says. "Until we’re able to link software vulnerabilities to reliability and safety – until we look at both systems and their impact, we’ve got a big problem."

Researchers at SANS Institute, a cybersecurity education nonprofit, are among those who have concluded that "cyberattacks were directly responsible for power outages in Ukraine."

Writing last week, SANS researcher Michael Assante said the incident in Ukraine is the first, publicly acknowledged incursion in the energy sector control systems that resulted in a loss of service.

The attack is also notable for the attackers' apparent use of a distributed denial of service, or DDoS, attack against phone support centers operated by the utilities. That tactic blocked calls from customers to the utility and denied engineers another line of sight to what was transpiring on the network, Mr. Assante noted.

The security firm ESET was first to analyze the software discovered on the networks of the Ukrainian operators, connecting the attack to the use of malicious software programs dubbed "KillDisk" and "BlackEnergy," which had been used in attacks on media outlets during the 2015 Ukrainian local elections.

Additional research published last week by the information security firm iSight Partners further linked malicious software used in the attacks with an ongoing malicious software campaign by a group dubbed "The Sandworm Team" that has links to the Russian government.

"It’s gotten to the point of where we have a fairly solid attribution to The Sandworm Team," says Stephen Ward of iSight, which has been monitoring the activities of the hacking group since 2014.

Using malicious software attacks against information technology assets and then using that access to pivot to industrial systems is common in industrial cyberattacks, says Barack Perelman, chief executive officer of Indegy, which sells industrial control system monitoring and security systems.

Attackers use their foothold on a network to exploit known vulnerabilities in industrial control (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. Previously undiscovered – or "zero-day" – vulnerabilities may be exploited, says Mr. Perelman. But hackers can usually count on finding known and unpatched security holes or weakly secured industrial control and SCADA systems that offer little resistance, he says. 

Despite a growing consensus about the Ukrainian incident, many unanswered questions remain. Analysts have placed the malicious BlackEnergy and KillDisk programs at the scene of the crime. But more analysis is needed to determine if that malware was directly responsible for the blackout, security experts agree.

"We don’t know what additional payload was used to disrupt the power or whether they had capabilities for remote access and control," says Mr. Ward of iSight.

Weiss agrees. "This is a case where there is both smoke and fire. The issue is: We don’t know yet what caused the fire. We don’t know the specific mechanism by which the breakers were opened. We just know that they did open breakers and that’s how the lights went out."

The distinction is important, because BlackEnergy isn’t unique to Ukrainian utilities. In fact, it has been detected on the networks of US critical infrastructure operators. The Department of Homeland Security warned in October 2014 that it identified a "sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments." The campaign relied on a "variant of the BlackEnergy malware" and had been ongoing since at least 2011, according to DHS. 

At the time, DHS said it did not know of any attempts to "damage, modify, or otherwise disrupt the victim systems' control processes." DHS couldn’t "verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system."

But, experts worry, the Ukraine incident proves that such a leap is possible – and that attackers are willing to take it. "The point is: They had this information from the Ukrainian utilities," says Weiss. "The second point is: They have our information."

 

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.