Cyberattack on Ukraine grid: here’s how it worked and perhaps why it was done

By Michael McElfresh

Published 20 January 2016

On 23 December 2015, two days before Christmas, the power grid in the Ivano-Frankivsk region of Ukraine went down for a reported six hours, leaving about half the homes in the region with a population of 1.4 million without power. Because of its success, the incident has sent shock waves through cybersecurity circles. Could this happen in the West? In short, yes. This incident underscores the need for diligence and the increased effort in cybersecurity that we are seeing in the government and private sectors. The continuously increasing dependence on the power grid is driving the need for cybersecurity to be part of the design of all new systems.

On 23 December 2015, two days before Christmas, the power grid in the Ivano-Frankivsk region of Ukraine went down for a reported six hours, leaving about half the homes in the region with a population of 1.4 million without power, according to the Ukrainian news media outlet TSN.

It reported that the cause of the power outage was a “hacker attack” utilizing a “virus.” Outages were caused when substations — devices that route power and change voltages — were disconnected from the grid, TSN said.

There have been a handful of documented attacks on the power grid and control systems of energy systems, such as oil refineries. But this cyberattack in Ukraine counts as only the second or third to successfully derail power delivery using a software-based attack.

Because of its success, the incident has sent shock waves through cybersecurity circles. How was this attack carried out? And could something similar happen in other countries?

Stuxnet to BlackEnergy
Cyberattacks designed to take out the power grid have been a big concern of security specialists for many years.

Much of the concern has been focused on potential attacks on the control systems, called Supervisory Control and Data Acquisition (SCADA) systems, on which power grids are highly dependent for safe, reliable and secure operation. SCADA systems also provide critical data for operations, automation and remote control.

Some malware has been specifically designed to attack the types of industrial control systems commonly found in power utilities. The most well-known example is the Stuxnet worm, which was used to sabotage the centrifuges at Iran’s uranium enrichment facility at Natanz by manipulating their programmable logic controllers. A variety of similar tools have since been developed, and experts have feared they would be used to bring down the power grid.

While the Ukraine outages were reported to involve only one utility, Prykarpattyaoblenergo, evidence of the computer malware known as BlackEnergy was identified at that utility and at two other regional utilities. Samples of the suspect code have since been studied, and several security companies and research groups, including iSIGHT Partners, ESET, and SANS ICS, have verified that it contained elements of the BlackEnergy malware.

The BlackEnergy malware is generally associated with a group referred to as Sandworm, which is believed to be based in Russia. It is not clear if Sandworm has an association with the Russian government.