Cybersecurity experts confirm that cyber invaders used coordinated cyber attacks to take down the grid.

It looked like a cyber attack, but questions remained. Tonight, 17 days after surprise blackouts in Ukraine, researchers at the SANS Institute confirm cyber intruders shut down power completely through cyber means.

It is a first-of-its-kind case that has implications for every power company in the world, and for customers who rely on power to live and work.

“The attackers demonstrated planning, coordination, and the ability to use malware and possible direct remote access to blind system dispatchers, cause undesirable state changes to the distribution electricity infrastructure, and attempt to delay the restoration by wiping SCADA (supervisory control and data acquisition system) servers after they caused the outage,” wrote Michael Assante with the SANS Institute. 

Assante broke down what researchers know about how the attack happened.

“This attack consisted of at least three components: the malware, a denial of service to the phone systems, and the missing piece of evidence of the final cause of the impact,” he said.

Researchers at ESET told Archer News they found malware on the system, and CyS Centrum reported that the malware may have been delivered to the energy companies in 2014 or earlier in 2015. Assante said he does not believe malware caused the attack itself, but assisted in the process.

“We assess currently that the malware allowed the attackers to gain a foothold at the targeted utilities, open up command and control, and facilitate the planning of an attack by providing access to the network and necessary information,” Assante said. “The malware also appears to have been used to wipe files in an attempt to deny the use of the SCADA system for the purposes of restoration to amplify the effects of the attack and possibly to delay restoration.”

Researchers are still trying to find out how cyber attackers actually shut down power.

Effects on the system

Power companies typically find out about outages from their customers.

“A denial of service attack on the outage call center phone lines—via robo calls or other similar methods—would definitely prevent customers from calling in to report outages, and would affect the outage management system,” said Chris Sistrunk, an ICS (industrial control systems) security consultant with Mandiant, a FireEye company.

Power companies have other ways of learning about outages.

“The utilities must rely on SCADA indication of line and feeder outages, plus any smart meters they may have,” said Sistrunk.

However, some analysts said the SCADA information might not have been available during the attack, and operators may have been “driving blind.” That could worsen the effects of the attack.

What power companies did

The power companies in the capital city of Kiev and the region of Ivano-Frankivsk worked quickly, Assante said.

“Quick action by utility staff to switch to ‘manual mode’ and restore the system was impressive,” he said. “Field staff at the impacted power companies manned required substations, transferring from ‘automatic to manual mode,’ and manually re-closed breakers to energize the system.”

“In many ways, the Ukrainian operators should be commended for their diligence and restoration efforts,” he added. 

Power was restored in three to six hours, which experts say is very fast in this kind of situation, especially if the companies lost HMIs (human machine interfaces) and had to rebuild systems.

“Ukraine demonstrated the skill and responsiveness that is a strong part of the electric utility culture,” said Patrick C. Miller of Archer Security Group. “No utility wants to go to manual mode, but it sounds like they acted fast and contained the outage. Had this been a prolonged attack that affected a larger part of the transmission system, this could have been a different story.”

The SANS Institute laid out this timeline of events for the attack:

  • The adversary initiated an intrusion into production SCADA systems
  • Infected workstations and servers
  • Acted to “blind” the dispatchers
  • Acted to damage the SCADA system hosts (servers and workstations)
  • Action would have delayed restoration and introduced risk, especially if the SCADA system was essential to coordinate actions
  • Action can also make forensics more difficult
  • Flooded the call centers to deny customers calling to report power out

There are still missing pieces to the attack, Assante said. He listed three further potential milestones.

“Understanding the initial foothold of the adversary, the eventual impact, and the types of systems in place can help to make assessments on what the adversary likely had to have done, but the items stated below are currently probable and not known. We are working to verify and uncover more information.

  • The adversaries infected workstations and moved through the environment
  • Acted to open breakers and cause the outage (assessed through technical analysis of the Ukrainian SCADA system in comparison to the impact)
  • Initiated a possible DDoS on the company websites
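The stages in the two lists above (a remote foothold on SCADA hosts, breakers opened at several substations, SCADA hosts wiped to hinder restoration, and the call center flooded) are each easy to miss on their own but hard to explain together. The Python script below is an added illustration, not code from the article, the SANS Institute or any utility, of how a utility's monitoring could correlate those signals inside one time window and raise a single alert. The log line format, host names, thresholds and the `10.` internal address prefix are constructed assumptions, and the sample log lines are made up for the example.

```python
"""Correlate SCADA-host, substation and call-center signals into one alert.

Added example: the log format ("<ts> <host> <kind> k=v ..."), host names,
thresholds and sample lines are constructed assumptions, not a vendor schema.
"""
import re
from datetime import datetime, timedelta

# Assumed inventory: hosts whose compromise or wiping matters for restoration.
HMI_HOSTS = {"hmi-01", "hmi-02"}
SCADA_HOSTS = HMI_HOSTS | {"scada-srv-01"}
INTERNAL_NET = "10."        # assumed OT/corporate address prefix
MIN_SUBSTATIONS = 3         # breakers opened at this many sites = state change
CALL_SPIKE_FACTOR = 10      # call volume at N x baseline = suspected phone DoS

# Constructed attack-like sample (times and values are made up).
SAMPLE_LOG = """\
2015-12-23T15:05:00Z hmi-01 remote_login user=dispatcher2 src=203.0.113.7
2015-12-23T15:12:00Z hmi-01 breaker_open substation=SS-14 feeder=F3
2015-12-23T15:13:00Z hmi-01 breaker_open substation=SS-22 feeder=F1
2015-12-23T15:14:00Z hmi-02 breaker_open substation=SS-31 feeder=F2
2015-12-23T15:20:00Z scada-srv-01 file_wipe path=C:\\scada\\config
2015-12-23T15:21:00Z hmi-01 file_wipe path=C:\\hmi\\projects
2015-12-23T15:25:00Z callcenter call_volume count=1800 baseline=40
"""

# Constructed benign sample: planned single-feeder work from an internal host.
BENIGN_LOG = """\
2015-12-23T09:00:00Z hmi-01 remote_login user=maint src=10.20.0.15
2015-12-23T09:10:00Z hmi-01 breaker_open substation=SS-14 feeder=F3 reason=planned
2015-12-23T09:40:00Z callcenter call_volume count=45 baseline=40
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kind>\S+)\s*(?P<rest>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {**fields, "ts": ts, "host": m["host"], "kind": m["kind"]}


def detect(log_text, window=timedelta(minutes=30), min_stages=3):
    """Slide a window over the events and report the window with the most
    attack stages observed; alert when at least `min_stages` co-occur."""
    events = sorted((e for e in map(parse_line, log_text.splitlines()) if e),
                    key=lambda e: e["ts"])
    best_stages, best_start = set(), None
    for i, anchor in enumerate(events):
        end = anchor["ts"] + window
        stages, substations = set(), set()
        for e in events[i:]:
            if e["ts"] > end:
                break
            k = e["kind"]
            if (k == "remote_login" and e["host"] in SCADA_HOSTS
                    and not e.get("src", "").startswith(INTERNAL_NET)):
                stages.add("foothold")            # remote access to SCADA host
            elif k == "breaker_open" and "substation" in e:
                substations.add(e["substation"])
            elif k == "file_wipe" and e["host"] in SCADA_HOSTS:
                stages.add("restoration_denial")  # SCADA/HMI hosts being wiped
            elif k == "call_volume":
                try:
                    if int(e["count"]) >= CALL_SPIKE_FACTOR * int(e["baseline"]):
                        stages.add("call_center_dos")
                except (KeyError, ValueError):
                    pass                          # malformed line: ignore
        if len(substations) >= MIN_SUBSTATIONS:
            stages.add("state_change")            # widespread breaker operations
        if len(stages) > len(best_stages):
            best_stages, best_start = stages, anchor["ts"]
    return {"alert": len(best_stages) >= min_stages,
            "stages": sorted(best_stages), "window_start": best_start}


if __name__ == "__main__":
    print("attack-like:", detect(SAMPLE_LOG))
    print("benign:     ", detect(BENIGN_LOG))
```

The point of the design is that no single rule fires on a breaker operation or a busy phone line, both of which are normal for a utility; the alert comes from several stages of the timeline landing in one window. In a real deployment the host inventory, the internal address ranges and the substation threshold would come from the utility's own asset data rather than the constants assumed here.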

A new world

Cybersecurity experts say this means that cyber invaders have moved into new territory, and power companies must be ready for these new kinds of attacks.

“Utilities respond to outages all the time. Weather, natural disaster—and we can now add cyber attack to the list,” said Miller.

“What is now true is that a coordinated cyber attack consisting of multiple elements is one of the expected hazards they may face,” Assante said. “We need to learn and prepare ourselves to detect, respond, and restore from such events in the future.”

“This attack on distribution power companies is unacceptable,” said Sistrunk. “Thankfully, the companies had a quick response.”

“All distribution companies should consider adding security teams, hardening their networks, and adding tools to defend their systems. It’s clear that the line has been crossed,” he added.