‘High confidence’ Ukraine power outage was major cyberattack

By Blake Sobczak | 01/11/2016 07:41 AM EST

Security experts are growing more certain that a Dec. 23 power outage in western Ukraine was a coordinated cyberattack, marking the first time hackers cut off electricity using digital tools.

News of the suspected cyberattack first trickled out late on Dec. 23, when the Ukrainian electricity provider Prykarpattyaoblenergo reported disruptions in and around the city of Ivano-Frankivsk. The hourslong power outage was widespread enough to get the attention of U.S. government analysts and grid security experts keeping a close eye on cyberthreats.

"We assess with high confidence, based on company statements, media reports, and first-hand analysis, that the incident was due to a coordinated intentional attack," wrote Michael Assante, a grid expert at the SANS Institute, a top security training center based in Bethesda, Md., in a blog post Saturday.
"As a community, the power industry is dedicated to keeping the lights on," he added. "What is now true is that a coordinated cyberattack consisting of multiple elements is one of the expected hazards they may face."

Assante, the former top security officer of the North American Electric Reliability Corp., classified the Ukraine blackout as a "malware-enabled" attack rather than "malware-caused." In other words, malicious code allowed the unknown assailants into Ukraine’s electricity network. From there, they could take over the controls.

A "malware-caused" assault would involve a cyber weapon designed to damage the electricity provider’s physical assets.

The coordinated effort to take down a power distributor in Ukraine in the middle of winter could make cybersecurity history. It "demonstrated planning," Assante noted. Still, experts say such an attack has been a long time coming.

"Honestly, it’s just not surprising," said Chris Blask, chairman of the Industrial Control System Information Sharing and Analysis Center and executive director of Webster University’s Cyberspace Research Institute. "What exactly [the Ukraine case] in retrospect turns out to be notwithstanding, it’s interesting that there’s quite a large community not overwhelmingly shocked at this — which is a good sign. General awareness is pretty high."

Many control system operators woke up to the possibility that a cyberattack could damage infrastructure in 2010, when news of the Stuxnet worm began trickling out. Costly, complex and reportedly a product of U.S. and Israeli intelligence services, Stuxnet took aim at centrifuges by infecting Siemens industrial software. The computer virus is widely credited with hampering progress on Tehran’s nuclear program in the late 2000s.

Since then, senior U.S. officials have spoken broadly of urgent cyberthreats to critical infrastructure, and analysts have documented a few close calls. But despite a string of breaches at major retailers and government agencies, malware didn’t cause physical damage again until cyber authorities in Germany reported "massive" damage to a blast furnace at an unnamed steel mill in late 2014.

Now, little more than a year later, the power outage in Ukraine is being investigated for links to a group of suspected Russian hackers known as Sandworm.

Blask placed the Ukraine case on "an ongoing curve of inevitability" given lax security practices at many critical infrastructure organizations around the globe. Unlike their counterparts in the United States, grid operators in the European Union don’t have to contend with enforceable cybersecurity standards. A quarter of E.U. member states haven’t even considered policies for securing industrial networks (EnergyWire, Dec. 14, 2015). Ukraine, which is not part of the European Union, set up a commission in the wake of the Dec. 23 power outages to issue recommendations on best cyber practices for control systems.

The nonprofit Electricity Information Sharing and Analysis Center issued an analysis to member utilities across North America and "has been tracking the event in the Ukraine," said spokeswoman Kimberly Mielcarek.

She pointed out that while malicious code recovered from the attack was derived from the well-known BlackEnergy strain, authorities haven’t yet confirmed that the malware directly caused the power outage.

"It is very possible the outage had a non-cyber cause and assets infected with BlackEnergy were uncovered as part of the investigation," Mielcarek said in an emailed statement, adding that "to date, the E-ISAC is not aware of any North American electric sector members that have been affected by BlackEnergy."

A ‘predictable’ milestone

The BlackEnergy malware platform was the weapon of choice for the Sandworm actors, who spied on critical infrastructure systems in Eastern Europe two years ago without actually harming them.

At the time, the attackers demonstrated a "worrying" interest in the supervisory control and data acquisition (SCADA) systems that keep most modern power grids running smoothly (EnergyWire, Oct. 20, 2014).

John Hultquist, head of intelligence for cyber espionage at security firm iSIGHT Partners Inc., said in a blog post last week that Sandworm may be behind the recent power outage in Ukraine.

"A cyber attack of this nature is a milestone — although a predictable one," he wrote. "The aggressive nature of Sandworm Team’s previous activity in Europe and the United States exposed their interest in targeting critical systems and indicated preparation for cyber attack."

Analysts say the persistence and sophistication of the Sandworm group point to involvement from a nation-state — possibly Russia. Navy Adm. Michael Rogers, director of the National Security Agency, has said that only China and perhaps "one or two other" countries could take out parts of the grid with cyber weapons, a feat easier said than done.

Russia has been engaged in a bloody conflict with Ukraine ever since annexing the Crimean Peninsula in March 2014. Since then, thousands of Ukrainians and Russian separatists have died in a war waged predominantly in the eastern part of the country.

The U.S. Department of Homeland Security and the National Security Council declined to comment on the Ukraine event. Ukraine’s security service has blamed Russia for infecting regional power networks with a version of the BlackEnergy malware.

Barak Perelman, CEO and co-founder of Israeli industrial control system cybersecurity startup Indegy, said that even if Russia does turn out to be the culprit in Ukraine, U.S. companies should still pay heed.

"There doesn’t have to be a nation-state behind [a cyberattack] to cause damage," he said. "It doesn’t have to be millions of dollars of investment, because the ICS systems are extremely old and lack security by design."

Of the Ukraine incident, he added that if it does turn out to be a cyberattack, "no one would consider this a shock."

Perelman suggested that industrial managers in other sectors — such as oil, gas and manufacturing — could take lessons away from BlackEnergy’s apparent resurgence. But he’s not sure that the Ukraine case will be a "watershed" moment for the ICS community in the United States, given the slow response to Stuxnet.

"U.S. companies tend to focus much less on events outside the U.S. or Western Europe, meaning the Iranian [Stuxnet] incidents were dismissed as, ‘It happened over there, and our systems are better.’"