
Experts: Ukrainian cyberattack on power supply a 'wake-up call' for US

With consensus growing that hackers caused a widespread power outage in Ukraine last month, many security experts worry whether the US grid could withstand such an attack.

Reuters

January 13, 2016

A growing consensus is forming among experts that a coordinated cyberattack on a Ukrainian electric utility caused a blackout late last month, raising hard new questions for US policymakers and utilities about power grid security in this country.

"This is as big a wake-up call as you get," says Joe Weiss, an industry expert on the industrial control systems used to run large and small utilities.

The attack occurred on Dec. 23 and caused blackouts for several hours in the Ivano-Frankivsk region of Ukraine. One affected utility, Kyivoblenergo, notified customers that the outage resulted from an "illegal entry" into its information technology system. In all, 30 substations were disconnected from the grid in the attack, affecting some 80,000 customers.


While US cybersecurity experts and policymakers have long warned that hackers could take aim at utilities, Mr. Weiss and others say the grid is still too vulnerable to attack.

One major problem, says Weiss, is that the energy industry's current cybersecurity standard, the North American Electric Reliability Corporation's plan, exempts many operators who are part of the US power grid. That includes small power distributors such as those targeted in Ukraine. Instead, the industry oversight group focuses mostly on large power generators.

Unlike regulators, however, cybercriminals don't make bureaucratic distinctions about the likelihood of compromising a target or the size or function of the facilities they attack, Weiss says.

"The bad guys don’t have org charts. They don’t say, 'That’s outside of scope,' " he says. "Until we’re able to link software vulnerabilities to reliability and safety – until we look at both systems and their impact, we’ve got a big problem."

Researchers at SANS Institute, a cybersecurity education nonprofit, are among those who have concluded that "cyberattacks were directly responsible for power outages in Ukraine."


Writing last week, SANS researcher Michael Assante said the incident in Ukraine is the first publicly acknowledged incursion into energy sector control systems that resulted in a loss of service.

The attack is also notable for the attackers' apparent use of a distributed denial of service, or DDoS, attack against phone support centers operated by the utilities. That tactic blocked calls from customers to the utility and denied engineers another line of sight to what was transpiring on the network, Mr. Assante noted.

The security firm ESET was first to analyze the software discovered on the networks of the Ukrainian operators, connecting the attack to the malware dubbed "KillDisk" and "BlackEnergy," which had been used in attacks on media outlets during the 2015 Ukrainian local elections.

Analysis by the information security firm iSight Partners further linked malicious software used in the attacks with an ongoing malicious software campaign by a group dubbed "The Sandworm Team" that has links to the Russian government.

"It’s gotten to the point of where we have a fairly solid attribution to The Sandworm Team," says Stephen Ward of iSight, which has been monitoring the activities of the hacking group since 2014.

Using malicious software attacks against information technology assets and then using that access to pivot to industrial systems is common in industrial cyberattacks, says Barack Perelman, chief executive officer of a firm that sells industrial control system monitoring and security systems.

Attackers use their foothold on a network to exploit known vulnerabilities in industrial control (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. Previously undiscovered – or "zero-day" – vulnerabilities may be exploited, says Mr. Perelman. But hackers can usually count on finding known and unpatched security holes or weakly secured industrial control and SCADA systems that offer little resistance, he says.

Despite a growing consensus about the Ukrainian incident, many unanswered questions remain. Analysts have placed the malicious BlackEnergy and KillDisk programs at the scene of the crime. But more analysis is needed to determine if that malware was directly responsible for the blackout, security experts agree.

"We don’t know what additional payload was used to disrupt the power or whether they had capabilities for remote access and control," says Mr. Ward of iSight.

Weiss agrees. "This is a case where there is both smoke and fire. The issue is: We don’t know yet what caused the fire. We don’t know the specific mechanism by which the breakers were opened. We just know that they did open breakers and that’s how the lights went out."

The distinction is important, because BlackEnergy isn’t unique to Ukrainian utilities. In fact, it has been detected on the networks of US critical infrastructure operators. The Department of Homeland Security said that it identified a "sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments." The campaign relied on a "variant of the BlackEnergy malware" and had been ongoing since at least 2011, according to DHS.

At the time, DHS said it did not know of any attempts to "damage, modify, or otherwise disrupt the victim systems' control processes." DHS couldn’t "verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system."

But, experts worry, the Ukraine incident proves that such a leap is possible – and that attackers are willing to take it. "The point is: They had this information from the Ukrainian utilities," says Weiss. "The second point is: They have our information."
