Experts: Ukrainian cyberattack on power supply a 'wake-up call' for US
A growing consensus is forming among experts that a coordinated cyberattack on a Ukrainian electric utility caused a blackout late last month, raising hard new questions for US policymakers and utilities about power grid security in this country.
"This is as big a wake-up call as you get," says Joe Weiss, an industry expert on the industrial control systems used to run large and small utilities.
The attack occurred on Dec. 23 and caused blackouts for several hours in the Ivano-Frankivsk region of Ukraine. One affected utility, Kyivoblenergo, notified customers that the outage resulted from an "illegal entry" into its information technology system. In all, 30 substations were disconnected from the grid in the attack, affecting some 80,000 customers.
While US cybersecurity experts and policymakers have long warned that hackers could take aim at utilities, Mr. Weiss and others say the grid is still too vulnerable to attack.
One major problem, says Weiss, is that the energy industry's current cybersecurity standard, the North American Electric Reliability Corporation's plan, exempts many operators who are part of the US power grid. That includes small power distributors such as those targeted in Ukraine. Instead, the industry oversight group focuses mostly on large power generators.
Unlike regulators, however, cybercriminals don't make bureaucratic distinctions about the likelihood of compromising a target or the size or function of the facilities they attack, Weiss says.
"The bad guys don't have org charts. They don't say, 'That's outside of scope,' " he says. "Until we're able to link software vulnerabilities to reliability and safety, until we look at both systems and their impact, we've got a big problem."
Researchers at SANS Institute, a cybersecurity education nonprofit, are among those who have concluded that "cyberattacks were directly responsible for power outages in Ukraine."
Writing last week, SANS researcher Michael Assante said the incident in Ukraine is the first publicly acknowledged incursion into energy-sector control systems that resulted in a loss of service.
The attack is also notable for the attackers' apparent use of a distributed denial of service, or DDoS, attack against phone support centers operated by the utilities. That tactic blocked calls from customers to the utility and denied engineers another line of sight to what was transpiring on the network, Mr. Assante noted.
The security firm ESET was first to analyze the software discovered on the networks of the Ukrainian operators, connecting the attack to the malware families dubbed "KillDisk" and "BlackEnergy," which had been used in attacks on media outlets during the 2015 Ukrainian local elections.
Analysis by the information security firm iSight Partners further linked malicious software used in the attacks with an ongoing malicious software campaign by a group dubbed "The Sandworm Team" that has links to the Russian government.
"It's gotten to the point of where we have a fairly solid attribution to The Sandworm Team," says Stephen Ward of iSight, which has been monitoring the activities of the hacking group since 2014.
Compromising information technology assets with malicious software and then using that access to pivot into industrial systems is a common pattern in industrial cyberattacks, says Barack Perelman, chief executive officer of a vendor of industrial control system monitoring and security products.
Attackers use their foothold on a network to exploit known vulnerabilities in industrial control system (ICS) and Supervisory Control and Data Acquisition (SCADA) equipment. Previously undiscovered, or "zero-day," vulnerabilities may be exploited, says Mr. Perelman. But hackers can usually count on finding known and unpatched security holes, or weakly secured industrial control and SCADA systems that offer little resistance, he says.
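The IT-to-OT pivot described above is also where a defender has the best chance of catching the intrusion before breakers are touched: a workstation in the corporate network has no business speaking Modbus or DNP3 to a controller, and only a sanctioned path should reach an HMI at all. The following added example (not code from the article or from any company it quotes) flags such crossings in flow records. The zone ranges, the jump host address and the flow records are all constructed for the illustration; the ICS port numbers are the standard ones for the protocols named.

```python
"""
Flag IT-to-OT network crossings in flow records.

Added illustration; not from the article or any vendor it names.
Hypothetical assumptions: the corporate IT network is 10.10.0.0/16, the
control/SCADA network is 10.200.0.0/16, and the only sanctioned path into the
control zone is the jump host 10.50.0.5 reaching HMIs over RDP (3389).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IT_ZONE = ipaddress.ip_network("10.10.0.0/16")    # hypothetical corporate LAN
OT_ZONE = ipaddress.ip_network("10.200.0.0/16")   # hypothetical control network
JUMP_HOST = ipaddress.ip_address("10.50.0.5")     # hypothetical sanctioned jump host

# Standard ICS/SCADA service ports. Traffic to these from outside the control
# zone is the pivot the article describes: an IT foothold talking to controllers.
ICS_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    102: "ISO-TSAP (S7comm)",
    44818: "EtherNet/IP",
    2404: "IEC 60870-5-104",
}

# Sanctioned (source, destination port) pairs allowed to enter the control zone.
ALLOWED_CROSSINGS = {(JUMP_HOST, 3389)}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: ts src dst dport proto."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto)


def classify(flow: Flow) -> Optional[str]:
    """Return an alert string for a suspicious crossing into the control zone, else None."""
    into_ot = flow.dst in OT_ZONE and flow.src not in OT_ZONE
    if not into_ot:
        return None  # intra-zone or IT-only traffic is out of scope here
    if (flow.src, flow.dport) in ALLOWED_CROSSINGS:
        return None  # the sanctioned jump-host path
    if flow.dport in ICS_PORTS:
        return (f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport} "
                f"direct {ICS_PORTS[flow.dport]} from outside control zone")
    if flow.src in IT_ZONE:
        return (f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} "
                f"unsanctioned IT-to-OT crossing")
    return (f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} "
            f"crossing from unknown zone")


def find_pivots(lines) -> List[str]:
    """Run every record through classify(); blank lines and '#' comments are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        alert = classify(parse_flow(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample records (not real telemetry): ts src dst dport proto
SAMPLE_FLOWS = """
2015-12-23T15:01:02Z 10.10.4.17 10.10.0.53 53 udp
2015-12-23T15:02:10Z 10.50.0.5 10.200.1.10 3389 tcp
2015-12-23T15:03:44Z 10.10.4.17 10.200.1.10 3389 tcp
2015-12-23T15:05:09Z 10.10.4.17 10.200.2.21 502 tcp
2015-12-23T15:06:30Z 10.200.1.10 10.200.2.21 502 tcp
2015-12-23T15:07:15Z 172.16.9.9 10.200.1.10 445 tcp
""".strip().splitlines()

if __name__ == "__main__":
    for alert in find_pivots(SAMPLE_FLOWS):
        print(alert)
```

On the constructed sample the jump-host RDP session and the HMI-to-PLC Modbus traffic pass, while the corporate workstation's RDP and Modbus connections into the control zone and the SMB connection from an unknown range are reported. The rule set is deliberately an allow-list: anything entering the control zone that is not explicitly sanctioned is worth a look, which is the posture the article's experts argue small distribution utilities currently lack.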
Despite a growing consensus about the Ukrainian incident, many unanswered questions remain. Analysts have placed the malicious BlackEnergy and KillDisk programs at the scene of the crime. But more analysis is needed to determine if that malware was directly responsible for the blackout, security experts agree.
"We don't know what additional payload was used to disrupt the power or whether they had capabilities for remote access and control," says Mr. Ward of iSight.
Weiss agrees. "This is a case where there is both smoke and fire. The issue is: We don't know yet what caused the fire. We don't know the specific mechanism by which the breakers were opened. We just know that they did open breakers and that's how the lights went out."
The distinction is important, because BlackEnergy isn't unique to Ukrainian utilities. In fact, it has been detected on the networks of US critical infrastructure operators. The Department of Homeland Security warned in 2014 that it had identified a "sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments." The campaign relied on a "variant of the BlackEnergy malware" and had been ongoing since at least 2011, according to DHS.
At the time, DHS said it did not know of any attempts to "damage, modify, or otherwise disrupt the victim systems' control processes." DHS couldn't "verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system."
But, experts worry, the Ukraine incident proves that such a leap is possible, and that attackers are willing to take it. "The point is: They had this information from the Ukrainian utilities," says Weiss. "The second point is: They have our information."