Around two years ago, in my post Terrorism and the Electric Power Delivery System, I wrote that the electrical grid is said to be vulnerable to terrorist attack. I can agree that an electrical power distribution network would be quite vulnerable if someone who knows what to do tries to sabotage it. I know this because I design software and hardware for control systems for electrical companies.
Now it seems that cyber-terrorism hitting electrical power networks is reality: the Ukraine blackout is a cyberattack milestone, a first for hackers with ill intent. Hackers likely caused a Dec. 23 electricity outage in Ukraine by remotely switching breakers to cut power, after installing malware to prevent technicians from detecting the attack. Hundreds of thousands of homes in the Ivano-Frankivsk region of the country were left without electricity as a result of the attack on December 23.
Experts widely describe the incident as the first known power outage caused by a cyber attack. For some time there have been news reports and theories that the blackout could have been caused by a cyber-attack, and now this seems to be confirmed by SANS ICS. After analyzing the information made available by the affected power companies, researchers, and the media, it is clear that cyber attacks were directly responsible for the power outages in Ukraine. It seems pretty clear that the incident was a coordinated, intentional attack. The attack appears to have been enabled via malware but consisted of at least three distinct efforts. Malware and possibly direct remote access were used to blind the system dispatchers and to cause undesirable state changes in the distribution electricity infrastructure (direct interaction by the adversary). There was also an attempt to delay restoration by wiping the SCADA server. And there was a denial of service against the phone systems. This was a multi-pronged attack against multiple facilities. Security researchers at antivirus provider ESET stated that the Ukrainian power companies were infected with “BlackEnergy” malware, which can install the KillDisk malware or make use of an SSH backdoor to provide attackers with remote access.
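As an added example (my own illustration, not code from the SANS ICS or ESET analyses), here is a small detector for the first of those efforts: a burst of breaker-open commands issued through a remote session rather than from the dispatcher console. The log format, session origins, operator names and feeder ids are constructed for the example; a real utility would map its own HMI audit trail onto the same fields.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample of a dispatcher audit log (not real utility data).
# Format: ISO timestamp | session origin | operator | action | target
SAMPLE_LOG = """\
2015-12-23T15:30:02 | console    | op_ivan  | breaker_open  | feeder-12
2015-12-23T15:45:10 | remote-vpn | op_ivan  | breaker_open  | feeder-03
2015-12-23T15:45:14 | remote-vpn | op_ivan  | breaker_open  | feeder-07
2015-12-23T15:45:19 | remote-vpn | op_ivan  | breaker_open  | feeder-11
2015-12-23T15:45:25 | remote-vpn | op_ivan  | breaker_open  | feeder-15
2015-12-23T16:10:00 | console    | op_olena | breaker_close | feeder-03
"""

WINDOW = timedelta(seconds=60)   # sliding window for counting opens
THRESHOLD = 3                    # remote opens within WINDOW that trigger an alert


def parse(line):
    """Split one audit line into (timestamp, origin, operator, action, target)."""
    ts, origin, operator, action, target = [f.strip() for f in line.split("|")]
    return datetime.fromisoformat(ts), origin, operator, action, target


def find_remote_trip_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (origin, operator) whose remote breaker_open
    commands reach `threshold` inside `window`. Console actions are ignored
    because a dispatcher tripping feeders locally is normal operation."""
    alerts = []
    recent = {}  # (origin, operator) -> deque of (timestamp, target)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, origin, operator, action, target = parse(line)
        if action != "breaker_open" or not origin.startswith("remote"):
            continue
        q = recent.setdefault((origin, operator), deque())
        q.append((ts, target))
        while q and ts - q[0][0] > window:   # drop opens older than the window
            q.popleft()
        if len(q) == threshold:              # fire once, when the threshold is first crossed
            alerts.append({"operator": operator, "origin": origin,
                           "first": q[0][0].isoformat(),
                           "targets": [t for _, t in q]})
    return alerts
```

The same sliding-window logic generalises to other mass-state-change patterns (e.g. tap changer or recloser commands); the point is to alarm on the rate and origin of commands, not on any single command, since each one looks legitimate on its own.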
ESET stated that the power authorities were hit with the malware via social engineering that used malicious macro functions in Microsoft Office documents. This attack is a rare public example of hackers taking out critical infrastructure and another sign of the rising digitization of warfare.
It’s a milestone because we’ve definitely seen targeted destructive events against energy before (oil firms, for instance), but never an event that causes a blackout. What is now true is that a coordinated cyber attack consisting of multiple elements is one of the expected hazards electric utilities may face. We need to learn and prepare ourselves to detect, respond to, and restore from such events in the future.
In this case the utility’s operators were able to recover quickly by switching to manual operations, essentially disconnecting the infected workstations and servers from the grid. If the operator had not had that manual control option, the blackout could have lasted longer and/or been larger.
This is exactly how the next big shit will go down. Take out electricity for more than 24h and you stop a city. 48h and there are riots. 72h and people start to die. A week, and even the Reserve/Army/National Guard will have trouble containing it. A month, and thousands die. As a community, the power industry is dedicated to keeping the lights on. Maybe this right here is what we should be afraid of: solar flares, cyberattacks, anything that can compromise our power grid.