Since December of 2015, electric utilities in the United States and Canada have been wrestling with the postmortem reports and data findings from two significant grid hacking events in Ukraine. The subject of these attacks have been addressed by those on Capitol Hill, trade associations, regulators, and the E-ISAC.
The hackers who struck utilities in Ukraine, which is the first confirmed hack to degrade a power grid, weren’t opportunists who just stumbled across the networks and launched an attack to test their abilities. The attackers were highly skilled and planned their assault over many months, first doing reconnaissance to study the networks and steal operator credentials, then launching a synchronized attack against operating systems.
The perpetrators of a cyberattack on Ukraine's electric grid gained access to energy distribution company systems more than six months before causing the Dec. 23, 2015 outage that temporarily left about 225,000 customers without power. The attackers staged a well-coordinated attack that relied on deep reconnaissance over a six-month period.
This unprecedented attack is a wake-up call for North American utilities. The attack took part in two phases. In the first stage, the adversaries "weaponized" Microsoft Office documents by embedding malware called BlackEnergy 3. The attackers delivered a targeted email with a malicious attachment that appeared to come from a trusted source to specific individuals within the organizations. Those individuals were asked to enable macros in order to open the attachments – thus installing the malware on their systems and allowing the attackers to access the company system(s). The adversaries then stole credentials that allowed them to "pivot" into supervisory control and data acquisition, or SCADA, and dispatch workstations and servers.
In stage two, the attackers learned how to interact with the utilities' distribution management systems, which monitor and control the distribution of power. The perpetrators also developed malicious firmware to attack serial-to-ethernet devices at substations. They installed modified KillDisk software, which erases the record of impacted organization systems and delete logs, and then took control of operator workstations and locked the operators out. To complete the attack, the adversaries used part of the SCADA system to open breakers at several substations, preventing power from flowing across the lines. At least 27 substations were taken offline across three Ukrainian energy companies (Prykarpattyaoblenergo, Kyivoblenergo and Chernivtsioblenergo) for several hours, affecting about 225,000 customers.
A second event took place on Dec. 17, 2016 (around midnight) at Ukrenergo, a Ukranian energy firm in the northern side of Kiev. The attack focused on transmission facilities and shut down the remote terminal units (RTU) that control circuit breakers, causing a power outage for about an hour.
Who did it?
Based off of the known details about the attack, the finger has been pointed at Russia. They are assuming a more assertive cyber posture based on their willingness to target critical infrastructure systems and conduct espionage operations. It has been widely assumed that the Ukraine attack is attributed to Sandworm, a Russian cyber espionage group known to have been harassing Ukrainian officials and their allies as early as 2007. Honestly, the who-did-it piece of this puzzle is unimportant. Direct attribution is unnecessary to learn from this attack and to consider future mitigations.
Information sharing will be crucial to helping the U.S. stave off similar potential attacks. NERC and the E-ISAC are communicating with utilities about indicators of compromise, malicious IP addresses found by members, and how to best mitigate cyber and physical threats. Information sharing is the key, not only between NERC and industry, but also federal partners and intelligence agencies.
The U.S. has never experienced a massive cyber-attack related power outage, but there have been direct cyber events in recent years against energy infrastructure, including intrusions into energy management systems, targeted malware and advanced persistent threats, or APTs, left behind on computers by phishing attacks. The perception that cyber risks are low because only a few and limited attacks have occurred on industrial control systems is not just ignorant, but highly dangerous.
It is vital that the public and private sectors work together to share relevant threat information. Over the past few years, DHS, the FBI, and the Department of Energy have made considerable strides in improving information sharing and giving classified access to intelligence products such as bulletins, alerts, and secret-level briefings. These data points have been used to mitigate threats, reduce risk, and update internal security policies.
This data flow has enhanced communications between security teams, management, and board members by providing authoritative threat warnings. Ultimately, information sharing is a two-way street. Private sector entities must remove the words “compliance risk” from their lexicon and readily share timely information as it happens. Nobody knows their systems better than they do. Cybersecurity alerts coming from industry professionals are imperative to the collaborative exchange process. Simultaneously, federal intelligence partners must alert those within the private sector who actually have the ability to mitigate threats. This partnership can become stronger and timelier with additional security clearances given to the private sector.
The power industry’s Achilles' heel
There are very few differences between U.S. and Ukrainian vulnerabilities at the power distribution level. Many recognize distribution as the potential “enemy avenue of approach” for the electricity sector. From a government and policy perspective, the NERC CIP standards do not apply to distribution. The fact that a major attack has caused an outage like this should be alarming to critical infrastructure operators. This type of cyber-attack is a real scenario and the threat of it must be further examined by utilities as they consider “target hardening” measures for distribution facilities below 100 kV.
Is NERC CIP the answer…? Maybe, but implementing such a mandate would currently need to come from individual State Public Utility Commissions, and not NERC due to federal law (Section 215 Federal Power Act). Would additional standards for distribution entities be useful? It would bring cyber-consistency to utilities at the lower voltage levels. It should be pointed out that a lot of great work is being done in this area, including the recently released Cybersecurity Primer for State Utility Regulators.
NERC and the industry have gone through multiple iterations of mandatory Critical Infrastructure Protection Standards that focus on security protections. These reliability standards are the only mandatory cyber standards enforced on critical infrastructure owners and operators. So, standards have their place. It’s important to remember, these are minimum standards, and should be looked at as a baseline from which to improve. Security cannot be static; threats evolve and so must we. Utilities should constantly be assessing their systems, patching their software, and testing their recovery procedures.
This article is published as part of the IDG Contributor Network. Want to Join?