Modern field guide to security and privacy

Hard lessons emerge from cyberattack on Ukraine's power grid

The ongoing investigation into a cyberattack that experts have linked to a December blackout in Ukraine reveals how vulnerable other power suppliers are to malware attacks.

Melanie Stetson Freeman/The Christian Science Monitor
Peiter Zatko (aka Mudge), founder of Cyber Independent Testing Laboratory, Robert M. Lee, chief executive officer of Dragos Security, and Michael Sulmeyer of Harvard University's Belfer Center's Cyber Security Project an event at Harvard to discuss the recent cyberattack on Ukraine's power grid.

A cyberattack linked to a December blackout in Ukraine signals new dangers for critical infrastructure operators such as power suppliers and other utilities, experts said Monday.

The fact is that many supervisory control and data acquisition (SCADA) systems – the type compromised in the Ukrainian attacks and utilized at countless other power facilities – aren't designed to be secure against digital attacks, said security researcher Peiter Zatko, also known by his hacker nom de gare Mudge.

"They were designed to be in isolated environments that don’t talk with the outside world," said Mr. Zatko. "You didn’t want these to be connected to the Internet.”

Zatko spoke at an event Monday cosponsored by Passcode and Harvard University's Belfer Center for Science and International Affairs to further explore the Ukraine cyberattack that many experts believe led to power outages for some 80,000 customers in the western region of Ivano-Frankivsk for nearly six hours. 

The incident has sent shockwaves throughout the critical infrastructure sector in the US and beyond, and follows recent reports of hackers linked to Iran breaching networks at a dam outside Rye, N.Y., and at the major power supplier Calpine Corp. Renewed concerns about digital threats to the power grid have also led the Pentagon's Defense Advanced Research Projects Agency (DARPA) to devote $77 million to helping utilities defend against and recover from future cyberattacks.

A former security researcher at DARPA, Zatko said that many critical infrastructure companies have simply ignored security patches for industrial networks and that often companies making software for these facilities aren't security conscious enough. "The developers writing the code aren't thinking about security."

It also appears that Ukrainian facilities involved in the attack weren't following industry guidelines that could prevent hackers from gaining access to essential systems. Reuters recently reported that power utilities in Ukraine ignored their own rules regarding "air gaps" – separating critical control systems from the Internet – before December's attack. 

Analysts still aren't certain of the exact timeline of the Ukraine attack. But according to research from SANS Institute, a nonprofit that specializes in cybersecurity training, attackers breached SCADA systems at the facilities, deployed malware to infect and damage servers, and attacked call centers at the utilities with a distributed denial of service attack.

Oleh Sych, a consultant to Ukrainian government officials investigating the attack, told Reuters that hackers probably used phishing e-mails designed to trick power operators into clicking on malicious documents, thus allowing them access to the network.

The cybersecurity intelligence firm iSightPartners said the group behind the attack could be connected to the Russia-linked Sandworm Team, which conducts cyberespionage operations. While many experts agree that the cyberattack led to the power outage, there's still no consensus about  how the hackers actually shut down parts of the power grid. 

"We've never had to deal with a cyberattack against the grid that took the power down," said Robert M. Lee, chief executive officer of Dragos Security and an instructor for the SANS Institute, who participated in the Monday event. “If [the US power grid] was ever impacted in more than one region, we couldn’t recover that easily.”

In a survey of 500 security leaders at critical infrastructure firms conducted by TrendMicro and the Organization of American States in 2015, 53 percent of responses indicated that attacks had increased over the past year. But despite the uptick in reports of breaches into utilities, experts said on Monday that cyber threat intelligence in the critical infrastructure sector has not improved much – as has been the case with companies in other industries. 

"The thing that bothers me is that we’re not looking into those environments," said Lee. "It's not trivial to take down the power grid."

 

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.