How Hackers Took Down a Power Grid
It was an unseasonably warm afternoon in Ukraine on Dec. 23 when the power suddenly went out for thousands of people in the capital, Kiev, and western parts of the country. While technicians struggled for several hours to turn the lights back on, frustrated customers got nothing but busy signals at their utilities’ call centers.
Almost immediately, Ukrainian security officials made claims about the cause of the power failure that evoked futuristic concepts of cyberwar. Hackers had taken down almost a quarter of the country’s power grid, they said. Specifically, the officials blamed Russians for tampering with the utilities’ software, then jamming the power companies’ phone lines to keep customers from alerting anyone.
Hacking a power grid: It sounds like the kind of doomsday scenario experts in the U.S. and Europe have warned about for years. “Imagine if someone shut down the power to New York’s traffic grid during rush hour,” says Tony Lawrence, chief executive officer of cybersecurity firm VOR Technology. “Cyber attacks against public utilities systems could have disastrous effects.” But the cybersecurity researchers investigating the power failure now say it’s clear this wasn’t the kind of sophisticated attack that could fell the U.S. in 15 minutes, as former White House counterterrorism chief Richard Clarke famously predicted.
“We always thought there would be this Pearl Harbor event. One day, someone would get mad enough, and they’d unleash the hounds of hell,” says Jason Larsen, a consultant with cybersecurity firm IOActive who specializes in industrial control systems. “That’s not really what we’ve seen.”
The Ukrainian hack knocked out at least 30 of the country’s 135 power substations for about six hours. Cybersecurity firms working to trace its origins say the attack occurred in two stages. First, hackers used malware to direct utilities’ industrial control computers to disconnect the substations. Then they inserted a wiper virus that made the computers inoperable.
Several of the firms researching the attack say signs point to Russians as the culprits. The malware found in the Ukrainian grid’s computers, BlackEnergy3, is a known weapon of only one hacking group—dubbed Sandworm by researcher ISight Partners—whose attacks closely align with the interests of the Russian government. The group carried out attacks against the Ukrainian government and NATO in 2014. The wiper virus was last seen in attacks against journalists covering local elections in Ukraine in October. “The targets are definitely in line with Russian geopolitical interests,” says John Hultquist, ISight’s director of cyber espionage analysis.
The more automated U.S. and European power grids are much tougher targets. To cloak Manhattan in darkness, hackers would likely need to discover flaws in the systems the utilities themselves don’t know exist before they could exploit them. In the Ukrainian attack, leading security experts believe the hackers simply located the grid controls and delivered a command that shut the power off. Older systems may be more vulnerable to such attacks, as modern industrial control software is better at recognizing and rejecting unauthorized commands, says IOActive’s Larsen.
That said, a successful hack of more advanced U.S. or European systems would be a lot harder to fix. Ukrainian utility workers restored power by rushing to each disabled substation and resetting circuit breakers manually. Hackers capable of scrambling New York’s power plant software would probably have to bypass safety mechanisms to run a generator or transformer hotter than normal, physically damaging the equipment. That could keep a substation offline for days or weeks, says Michael Assante, former chief security officer for the nonprofit North American Electric Reliability.
Hackers may have targeted Ukraine’s grid for the same reason NATO jets bombed Serbian power plants in 1999: to show the citizenry that its government was too weak to keep the lights on. The hackers may even have seen the attack as in-kind retaliation after sabotage left 1.2 million people in Kremlin-controlled Crimea without lights in November. In that case, saboteurs blew up pylons with explosives, then attacked the repair crews that came to fix them, creating a blackout that lasted for days. Researchers will continue to study the cyber attack in Ukraine, but the lesson may be that when it comes to war, a bomb still beats a keyboard.
The bottom line: Aging systems made the Ukraine grid easier to hack but also easier to get back up in hours. A successful U.S. attack could last weeks.