Menu

Search

  |   Insights & Views

Menu

  |   Insights & Views

Search

Cyberattack on Ukraine grid: here's how it worked and perhaps why it was done

Could the hack that took out the power grid in Ukraine happen in the U.S.? rainchurch/flickr, CC BY-SA

On December 23, 2015, two days before Christmas, the power grid in the Ivano-Frankivsk region of Ukraine went down for a reported six hours, leaving about half the homes in the region with a population of 1.4 million without power, according to the Ukrainian news media outlet TSN.

It reported that the cause of the power outage was a “hacker attack” utilizing a “virus.” Outages were caused when substations – devices that route power and change voltages – were disconnected from the grid, TSN said.

There have been a handful of documented attacks on the power grid and control systems of energy systems, such as oil refineries. But this cyberattack in Ukraine counts as only the second or third to successfully derail power delivery using a software-based attack.

Because of its success, the incident has sent shock waves through cybersecurity circles. How was this attack carried out? And could something similar happen in other countries?

Stuxnet to BlackEnergy

Cyberattacks designed to take out the power grid have been a big concern of security specialists for many years.

Much of the concern has been focused on potential attacks on the control systems, called Supervisory Control and Data Acquisition (SCADA) systems, on which power grids are highly dependent for safe, reliable and secure operation. SCADA systems also provide critical data for operations, automation and remote control.

Some computer worms have been specifically designed to attack the types of control systems commonly found in power utilities. The most well-known is called Stuxnet, which was used to compromise Iran’s uranium enrichment facilities. But a variety of similar worms have been developed that experts have feared would be used to bring down the power grid.

While the Ukraine outages were reported to involve only one utility, Prykarpattyaoblenergo, evidence of computer malware known as Blackenergy was identified at that utility and two other regional utilities. Samples of the suspect code have since been studied, and various security companies, including iSight Partners, EBET, and SANS-ICS, have verified that it contained elements of the Blackenergy malware.

The BlackEnergy malware is generally associated with a group referred to as Sandworm, which is believed to be based in Russia. It is not clear if Sandworm has an association with the Russian government.

Growing sophistication

BlackEnergy started as a malware system for launching denial-of-service (DoS) attacks, which are designed to prevent legitimate users from accessing a server by any one of a number of possible mechanisms. BlackEnergy has since evolved into an effective system for data exfiltration, or the unauthorized transfer of data from a computer. Such a transfer may be manual and carried out by someone able to access the computer, or it may be automated and carried out through malicious programming placed on the computer being attacked.

About two years ago, a new version of BlackEnergy began to appear with new functions that included stealing passwords, covertly taking screenshots, gaining persistent access to command and control channels and destroying hard drives.

More recently, security software maker ESET found evidence of several new features, including a wiper component dubbed KillDisk. A wiper is software designed to erase portions of a disk and can be used to cover up evidence of an attack. In the Ukraine attack, it is not clear if Blackenergy was used, but some of its components were present; in particular, there is evidence of KillDisk.

Some experts contend that this may not technically have been be a cyberattack. The malware allowed attackers to manually intervene in the grid’s operation; by contrast, the Stuxnet software inflicted damage on industrial machines as was.

Regardless, there was a sophisticated attack that required coordination of different types of malware, which appear to have enabled the attack.

Worries over disabling nuclear plants

The Ukrainian power grid has several attributes that cause some special concern.

The bulk of the power production at any time is provided by nuclear power plants, which provide most of the steady “baseload” power to supply electricity through most of the day.

To meet fluctuations in demand – for instance, increases in power use in the morning as people begin their day – grid operators in Ukraine primarily rely on coal power plants. They do not have many avenues to import power from other countries to meet spikes and dips in demand.

Soviet-era nuclear power plants provide the bulk of the baseload, or steady, round-the-clock power, in Ukraine. A major outage could cause problems at these plants, including cooling the reactor cores. paszczak000/flickr, CC BY-SA

This situation means that if an cyberattack causes a power outage, Ukraine grid operators may not be able to respond rapidly enough and export an excess in the flow of power, which would lead to grid instabilities and the need to shut down nuclear reactors.

There is also the issue of cooling of reactors in the event of a power outage. The cooling pumps in the nuclear reactors in Ukraine are dependent on AC power input from the grid, thereby making them susceptible in the event that backup diesel generators cannot be started.

Broader concerns

Could this happen in the West? In short, yes. U.S. utilities use software products from various major vendors which have been the targets of a Sandworm BlackEnergy campaign.

Thus far, there doesn’t seem to have been any financial benefit from the attack. What’s more, when attackers use malware, they expose their methodology, which makes it possible for security people to develop protections for that line of attack. So we have to wonder what they had to gain from the exercise.

If they have nothing to gain in the short term, like robbing banks while the grid is down, did they gain valuable experience for their next, more effective attack?

The ability to hack into a utility to throw switches (breakers) at substations, as was done in Ukraine, opens up the possibility of more serious types of attacks, as was demonstrated by the Aurora Test. In that controlled experiment, circuit breakers associated with a generator were opened and closed using software in a way that resulted in permanent damage to equipment.

While it’s hard to know the attackers' intentions for sure, it appears likely that the Ukraine power grid was attacked with at least the help of the BlackEnergy malware, increasing the technological potential for disrupting power grids in general.

This incident underscores the need for diligence and the increased effort in cybersecurity that we are seeing in the government and private sectors. The continuously increasing dependence on the power grid is driving the need for cybersecurity to be part of the design of all new systems.

The ConversationMichael McElfresh works part-time for Argonne National Lab that does research in this area and receives funding for this research. I work for Argonne on power grid research but not specifically in cyber. They could benefit from credit for this article.

Michael McElfresh, Adjunct Professor of Electrical Engineering, Santa Clara University

This article was originally published on The Conversation. Read the original article.

The Conversation

  • ET PRO
  • Market Data

Market-moving news and views, 24 hours a day >

November 24 15:30 UTC Released

USECRI Weekly Index*

Actual

145.6 %

Forecast

Previous

145.6 %

November 24 14:45 UTC Released

US1st Half-Mth Infl YY*

Actual

54.6 %

Forecast

Previous

54.6 %

November 27 09:00 UTC 29672967m

ITExport Prices*

Actual

Forecast

Previous

111 %

November 27 09:00 UTC 29672967m

ITImport Prices*

Actual

Forecast

Previous

116.1 %

November 27 14:00 UTC 32673267m

MXTrade Balance, $*

Actual

Forecast

Previous

-1.886 Bln USD

November 27 14:00 UTC 32673267m

MXTrade Balance SA*

Actual

Forecast

Previous

-1.559 Bln USD

November 27 15:30 UTC 33573357m

USDallas Fed mfg bus index

Actual

Forecast

Previous

27.6

November 27 21:00 UTC 36873687m

KRBOK Manufacturing BSI*

Actual

Forecast

Previous

87 Bln BRL

November 28 00:00 UTC 38673867m

BRCentral Govt Balance

Actual

Forecast

Previous

-22.725 Bln BRL

November 28 07:00 UTC 42874287m

DEGDP Growth QQ* Advance

Actual

Forecast

Previous

10.7 %

Close

Welcome to EconoTimes

Sign up for daily updates for the most important
stories unfolding in the global economy.