‘…the first known power outage caused by hackers and also the most complex cyber-attack on infrastructure to date.’ The Institute of Engineering and Technology, Jan 19, 2016
On December 23, 2015, an outage in Western Ukraine’s Prykarpattya Oblenergo and Kyivoblenergo power distribution networks left customers without power for between three and six hours, affecting between 80,000 and 700,000 customers. Recently the Department of Homeland Security Industrial Control Systems Cybersecurity Emergency Response Team (ICS-CERT) reported that the outage was likely caused by a well-coordinated cyber-attack, carried out with knowledge of the power utility’s internal systems, since it affected multiple business processes.

According to the US-based security firm SANS Institute’s Industrial Control Systems (SANS ICS) blog, the attackers used BlackEnergy3 malware to shield their actions from system operators, accessed infected computers and opened breakers to cause the outage, and then flooded the call centers so that customers calling in could not report the outage. Also found was the KillDisk disk eraser program, which is thought to have been used to wipe disks in order to delay or prevent the use of SCADA for restoration efforts and to cover the attackers’ electronic tracks. The BlackEnergy3 malware and the KillDisk application appear to have entered the utility via a spear-phishing email carrying a Microsoft Office attachment. Once a machine was infected, the attackers accessed and navigated the utility network through infected control system workstations that were connected to the Internet.

ICS-CERT recommends that utilities take defensive measures to minimize the risk of exploitation arising from this insecure device configuration. Specifically, utility leaders should:
In addition to the ICS-CERT recommendations, I recommend the following actions:
Prior to the advent of the smart grid, the utility industry’s security focus was primarily the physical security of field sites: perimeter fencing and intrusion detection, card readers, biometric readers, video cameras, and so on. As the number of connected devices within a utility network increases, past cybersecurity events such as Stuxnet in Iran, Havex in Europe, and now the Ukraine power outage all serve as reminders that greater cybersecurity diligence is required across the utility power grid.
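The weak point named in the attack summary above is control system workstations that could reach the Internet. One cheap way for a utility to find that kind of exposure before an attacker does is to review flow or firewall logs for hosts inside the control network that initiate connections to public addresses. The script below is an added example written for this page; it is not code from the original article, from ICS-CERT or from SANS. The control-network range (10.50.0.0/16), the comma-separated flow format and the sample records are all constructed for illustration, and the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for Internet addresses.

```python
"""Flag control-network hosts that initiate connections to Internet addresses.

Added example, not code from the original article, ICS-CERT or SANS. It reads
flow/firewall records, picks out sources inside an assumed control (SCADA)
network range, and reports those that talked directly to a public address.
The address plan, log format and sample records are constructed.
"""
import ipaddress
from collections import defaultdict

# Assumed (hypothetical) address plan: control-system workstations and field
# devices live in 10.50.0.0/16; the corporate network is elsewhere in 10/8.
CONTROL_NETS = [ipaddress.ip_network("10.50.0.0/16")]

# Ranges that are never "the Internet": RFC 1918, loopback, link-local. Kept
# as an explicit list so the documentation ranges used in the sample data
# (203.0.113.0/24, 198.51.100.0/24) can stand in for public addresses.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample records, one flow per line: src,dst,dst_port,proto
SAMPLE_FLOWS = """\
# control workstation polling an internal Modbus/TCP device: expected
10.50.1.20,10.50.2.5,502,tcp
# control workstation reaching a public address over HTTPS: should not happen
10.50.1.20,203.0.113.77,443,tcp
# DNS to an internal resolver: expected
10.50.1.21,10.10.0.3,53,udp
# a second control host reaching out to the Internet
10.50.1.21,198.51.100.9,8080,tcp
10.50.1.20,203.0.113.77,443,tcp
# corporate host browsing the web: outside the control network, not flagged
10.20.4.8,203.0.113.77,443,tcp
"""


def in_control_net(ip):
    """True if the address belongs to one of the control-network ranges."""
    return any(ip in net for net in CONTROL_NETS)


def is_public(ip):
    """True if the address is outside every internal/reserved range listed."""
    return not any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield (src, dst, dst_port, proto); blank lines and '#' comments are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto = (field.strip() for field in line.split(","))
        yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto


def find_internet_bound_control_hosts(text):
    """Map each control-network host that contacted a public address to a
    sorted list of (dst, dst_port, proto, flow_count) tuples."""
    hits = defaultdict(lambda: defaultdict(int))
    for src, dst, port, proto in parse_flows(text):
        if in_control_net(src) and is_public(dst):
            hits[str(src)][(str(dst), port, proto)] += 1
    return {
        host: sorted((dst, port, proto, count)
                     for (dst, port, proto), count in peers.items())
        for host, peers in hits.items()
    }


if __name__ == "__main__":
    report = find_internet_bound_control_hosts(SAMPLE_FLOWS)
    for host, peers in sorted(report.items()):
        for dst, port, proto, count in peers:
            print(f"{host} -> {dst}:{port}/{proto}  ({count} flow(s))")
```

Run against the sample, the script reports the two control hosts (10.50.1.20 and 10.50.1.21) and leaves the corporate host and the internal Modbus and DNS traffic alone. Against real exports the control ranges and internal ranges would come from the utility's own address plan, and any host that shows up is a candidate for segmentation or removal from the Internet-facing path rather than a confirmed compromise.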
West Monroe Partners