I wrote earlier this week about the possibility that a power outage in the Ukraine on December 23 had been caused by malware. It turns out that the outage was indeed caused by a cyber attack. Remarkably, this is the first time a power outage has been conclusively tied to malware. Clearly, cyber attacks against critical infrastructures like the power grid are no longer just an academic concern.
As originally suspected, portions of the Ukrainian grid were brought down by a hacking tool called BlackEnergy. BlackEnergy was introduced in 2007 by a group called Sandworm, a cyber espionage gang with Russian ties. Originally, BlackEnergy was primarily used for perpetrating denial-of-service attacks, which seek to make a website inaccessible by flooding it with random requests. Over time, BlackEnergy has evolved into a Swiss Army knife for cyber spies. Its modular design enhances its flexibility, enabling cyber criminals to add new malicious features to it as they wish. Various modules were used, for example, to attack NATO and Ukraine in 2014. Features to replace infected systems’ data with random data and to make hard drives unbootable were added recently. And a newer feature called KillDisk destroys critical parts of a computer hard drive. It now seems that KillDisk also has the ability to sabotage industrial control systems.
In the case of the Ukrainian power outage, it appears that the attacker was able to create an encrypted tunnel into the power system control network at three regional power system operating stations. Once in, the attacker disrupted the systems that communicate data from devices’ serial ports to the Ethernet backbone that ties devices in the field to the regional control stations. Older equipment, in particular, communicates data using serial ports. In fact, serial ports were as common on home and office computers fifteen years ago as USB ports are today. Many utility devices still communicate using serial ports, and these have to be interfaced to Ethernet, WiFi, or a cellular signal for long-distance communication. The attackers seem to have interfered with that subsystem, making it impossible for devices in the field to communicate system conditions to the regional operators. The operators then had no visibility into the system while the attackers likely took portions of the grid offline. Details on exactly what portions of the grid were dismantled by the attackers and in what order have not yet been revealed.
Researchers have imagined ways that hackers could interrupt an industrial control network like the power grid for some time now. A paper even describes a testbed for evaluating attack scenarios so that operators can prepare for them. But this attack, which was started by something as banal as a Microsoft Office macro embedded in a document a recipient unsuspectingly opened, was no simulation. It demonstrates the very serious threat the electric power grid now faces when it comes to cyber attack.