Russians Have Learned How to Hack Power Grids
A successful cyber-attack on a power grid is a nightmare that keeps intelligence services and security experts awake at night. Now the threat is no longer theoretical: A grid in Ukraine has been brought down by hackers. The vulnerability they used? As so often with hacking, human stupidity.
The engineered blackout scenario is so scary Ted Koppel, the former Nightline host, recently published a book about it. In "Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath," Koppel claimed the U.S. was unprepared for an attack on one of the three power grids that distribute electricity throughout the country. He wrote:
If an adversary of this country has as its goal inflicting maximum damage and pain on the largest number of Americans, there may not be a more productive target than one of our electric power grids.
Ukraine has an adversary that may be interested in inflicting just such damage and pain: Russia. In November, Ukrainian activists with ties to President Petro Poroshenko's political party cut off the electricity supply to Russian-held Crimea, by blowing up power transmission towers. That forced Moscow to speed up the construction of an undersea "energy bridge" to the peninsula, but the line is still unable to meet all of Crimea's electricity needs and power outages remain common.
Ukraine got a taste of the same disruption on Dec. 23, when power went out for 1.4 million people in and around Ivano-Frankivsk in western Ukraine. Almost immediately, the grid operator for the area, Prykarpattya Oblenergo, reported that the outage was caused by "interference by outside persons with the work of telemechanics in the automatic system of control and management of energy equipment." Five days later, the Ukrainian intelligence service reported it had prevented "an attempt by Russian special services to attack the computer networks of Ukraine's energy complex" -- meaning there could have been more outages, but the agency had been able to head them off.
More specifics came from the Bratislava-based cybersecurity firm ESET. The firm hedged its bets a little -- that's always wise in hacker attack analysis -- but it essentially tied the Ivano-Frankivsk outage to a known piece of malware, the BlackEnergy trojan. In previous cases, it was used to steal sensitive information from infected computers. In 2014, however, the U.S. government's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) discovered a variant of BlackEnergy that could be used to compromise industrial control systems, such as those running power grids.
The trojan is modular, meaning that it can carry different payloads. In the case of the Ukrainian grid hacking, these included a component that stops certain processes in the grid control systems, even as it erases the disk of the infected computer. At the same time it opens a backdoor into the grid control systems that could provide hackers with remote access. ESET wrote:
We can assume with a fairly high amount of certainty that the described toolset was used to cause the power outage in the Ivano-Frankivsk region.
BlackEnergy is probably a Russian-made weapon. CERT-UA, the Ukrainian cybercrime rapid response team, recently published a post describing a BlackEnergy attack on some Ukrainian media. The names of some of the files planted on infected computers by the virus -- ololo.exe and trololo.exe -- are references to Russian Internet memes. ESET researcher Anton Cherepanov has pointed out other such clues.
That this weapon has been honed to turn out the lights for large portions of a country is bad news. If it can be used in Ukraine, it can be employed anywhere in the world. That includes the U.S., where Islamic State is reportedly already trying to hack the power grid, but failing due to a lack of the necessary technology. In his book, Koppel wrote:
We can take limited comfort in the knowledge that such an attack would require painstaking preparation and a highly sophisticated understanding of how the system works and where its vulnerabilities lie. Less reassuring is the knowledge that several nations already have that expertise, and -- even more unsettling -- that criminal and terrorist organizations are in the process of acquiring it.
If the technology capable of bringing down power grids exists anywhere, it can leak or be intentionally leaked to anyone who might need it. So can the knowledge of specific industrial systems.
Power grid computer systems can't be taken off the Internet, because the grids depend on software that constantly monitors the balance of electricity demand and supply. That makes them vulnerable by definition: If you have an Internet-connected system, people have access to it and there's a potential problem.
BlackEnergy infects computers thanks to a simple trick. The Ukrainian company CyS Centrum described it in a recent blog post. People within targeted companies received an e-mail purportedly containing a presidential decree on military mobilization and Excel files containing lists of the company employees to be mobilized and exempted. When the user opens one of the files, a prompt asks to turn on macros because "the file had been created with a newer version of Microsoft Office." Once that's done, so is the damage.
Everyone who has ears and a computer has been told hundreds of times not to open mail attachments that arrive without prior warning, even from reliable senders. And yet people all over the world still do it.
Disgruntled employees are another constant source of danger. In Texas in 2009, one allegedly sabotaged the demand and supply monitoring system of a power generation company. He didn't cause a blackout, but with the proper tools, he could have.
The only way to prevent incidents like the hours-long Ivano-Frankivsk blackout is to train energy company employees in the safe use of e-mail (or even make it impossible for them to open attachments), to make sure ex-employees cannot help criminals gain access to the corporate systems, and to promote energy independence to citizens. The more people have solar batteries, the less damage a blackout can do.
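As an added illustration of the defensive side of the lure described above (Excel attachments that carry macros) and of the attachment-blocking mitigation the column suggests, the following Python is not part of the original column or of any vendor's product; it shows how a mail gateway can classify attachments by content rather than by file extension and quarantine anything carrying a VBA project. The gateway policy, the constructed sample files and the OLE stream-name heuristic are assumptions.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc compound file header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .xlsx/.xlsm/.docx container
# OLE directory entry names are UTF-16LE; these storages appear only when VBA is embedded (heuristic)
OLE_VBA_MARKERS = ("_VBA_PROJECT".encode("utf-16-le"), "Macros".encode("utf-16-le"))

def classify_attachment(data: bytes) -> str:
    """Classify by content, not extension, so a renamed .xlsm cannot slip through."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "corrupt"          # unreadable container: do not trust it
        if any(n.endswith("vbaproject.bin") for n in names):
            return "macro"            # OOXML file with an embedded VBA project
        if any(n.startswith(("xl/", "word/", "ppt/")) for n in names):
            return "office"
        return "other"
    if data.startswith(OLE_MAGIC):
        return "macro" if any(m in data for m in OLE_VBA_MARKERS) else "office"
    return "other"

def triage(attachments):
    """Map each (filename, bytes) pair to a verdict and an assumed gateway action."""
    actions = {"macro": "quarantine", "corrupt": "quarantine", "office": "deliver", "other": "deliver"}
    return [(name, v, actions[v]) for name, v in ((n, classify_attachment(d)) for n, d in attachments)]

# Constructed sample attachments (not real lure files): minimal OOXML and OLE-like blobs.
def constructed_ooxml(with_vba: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()

def constructed_ole(with_vba: bool) -> bytes:
    body = b"\x00" * 504 + ("Workbook" + ("_VBA_PROJECT" if with_vba else "")).encode("utf-16-le")
    return OLE_MAGIC + body

if __name__ == "__main__":
    sample = [("list.xlsm", constructed_ooxml(True)), ("decree.xls", constructed_ole(True)),
              ("exempt.xlsx", constructed_ooxml(False)), ("notes.txt", b"plain text")]
    for row in triage(sample):
        print(row)
```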
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
To contact the author of this story: Leonid Bershidsky
To contact the editor responsible for this story: Marc Champion