Opinion

Is America ready for the hackers who could turn out our lights?

A successful cyber-attack on a power grid is a nightmare that keeps intelligence services and security experts awake at night. The threat’s no longer theoretical: Hackers brought down a grid in Ukraine. The vulnerability they used? As so often with hacking, human stupidity.

The engineered blackout scenario is so scary Ted Koppel, the former “Nightline” host, recently published a book about it.

In “Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath,” Koppel claimed the United States was unprepared for an attack: “If an adversary of this country has as its goal inflicting maximum damage and pain on the largest number of Americans, there may not be a more productive target than one of our electric power grids.”

Ukraine has an adversary that may be interested in inflicting just such damage and pain: Russia. In November, Ukrainian activists with ties to President Petro Poroshenko’s political party cut off the electricity supply to Russian-held Crimea by blowing up power-transmission towers.

Ukraine got a taste of the same disruption on Dec. 23, when power went out for 1.4 million people in and around Ivano-Frankivsk in western Ukraine.

Almost immediately, the grid holder for the area, Prykarpattya Oblenergo, reported that the outage was caused by “interference by outside persons with the work of telemechanics in the automatic system of control and management of energy equipment.” Five days later the Ukrainian intelligence service reported it had prevented “an attempt by Russian special services to attack the computer networks of Ukraine’s energy complex” — meaning there could have been more outages, but the agency had been able to head them off.

More specifics came from the Bratislava-based cyber-security firm ESET. The firm essentially tied the Ivano-Frankivsk outage to a known piece of malware, the BlackEnergy trojan. In 2014, the US government’s Industrial Control Systems Cyber Emergency Response Team discovered a variant of BlackEnergy that could be used to compromise industrial-control systems, such as those running power grids.

The trojan is modular, meaning it can carry different payloads. In the case of the Ukrainian grid-hacking, these included a component that stops certain processes in the grid-control systems.

At the same time it opens a backdoor into the grid-control systems that could provide hackers with remote access.

ESET wrote: “We can assume with a fairly high amount of certainty that the described toolset was used to cause the power outage in the Ivano-Frankivsk region.”

BlackEnergy is probably a Russian-made weapon. CERT-UA, the Ukrainian cybercrime rapid response team, recently published a post describing a BlackEnergy attack on some Ukrainian media. The names of some of the files planted on infected computers by the virus — ololo.exe and trololo.exe — are references to Russian Internet memes. ESET researcher Anton Cherepanov has pointed out other such clues.

That this weapon has been honed to turn out the lights for large portions of a country is bad news. If it can be used in Ukraine, it can be employed anywhere. That includes the United States, where the Islamic State is reportedly already trying to hack the power grid, but failing due to a lack of the necessary technology.

If the technology capable of bringing down power grids exists, it can leak or be intentionally leaked to anyone who might need it.

Power-grid computer systems can’t be taken off the Internet because the grids depend on software that constantly monitors the balance of electricity demand and supply. That makes them vulnerable by definition: If you have an Internet-connected system, people have access to it, and there’s a potential problem.

BlackEnergy infects computers thanks to a simple trick. The Ukrainian company CyS Centrum described it in a recent blog post. People within targeted companies received an e-mail purportedly containing a presidential decree. When the user opens one of the attached files, it prompts him to turn on macros because “the file had been created with a newer version of Microsoft Office.” Once that’s done, so is the damage.

Everyone who has ears and a computer has been told hundreds of times not to open mail attachments that arrive without prior warning, even from reliable senders. And yet people all over the world still do it.
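The macro prompt described above only works if the document reaches the user. One control that does not depend on anyone reading warnings is a content check at the mail gateway that blocks any Office attachment carrying a VBA project, whatever its file extension claims. This is an added example written for this page, not code from the column or from CyS Centrum or ESET; the attachments it scans are constructed in memory and are not files from the Ukrainian incident.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office (OLE2) header
# Directory-entry names inside OLE2 files are stored as UTF-16LE.
VBA_STREAM_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def has_vba_macros(data: bytes) -> bool:
    """True if an Office attachment carries a VBA project.
    OOXML files (.docm, .xlsm, ...) are zip archives with a vbaProject.bin
    part; legacy OLE2 files (.doc, .xls) keep macros in a '_VBA_PROJECT'
    stream. The content decides, never the extension."""
    bio = io.BytesIO(data)
    if zipfile.is_zipfile(bio):
        with zipfile.ZipFile(bio) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    if data.startswith(OLE_MAGIC):
        return VBA_STREAM_MARKER in data
    return False


def gateway_verdict(filename: str, data: bytes) -> str:
    """Inbound-attachment policy: block anything with macros, even when a
    .docm has been renamed to .docx to look harmless."""
    if has_vba_macros(data):
        return "block: VBA macros present in " + filename
    return "allow: " + filename


def _ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed samples: a macro-bearing "decree", the same file renamed,
# a clean document, and a fake OLE2 blob with only a header and a VBA stream name.
SAMPLES = {
    "decree.docm": _ooxml(True),
    "decree.docx": _ooxml(True),
    "report.docx": _ooxml(False),
    "old_decree.doc": OLE_MAGIC + b"\x00" * 40 + VBA_STREAM_MARKER,
}
```

Running `gateway_verdict` over `SAMPLES` blocks the three macro-bearing files and allows only `report.docx`.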

Disgruntled employees are another constant source of danger. In Texas in 2009, one allegedly sabotaged the demand-and-supply monitoring system of a power-generation company. He didn’t cause a blackout, but with the proper tools, he could have.

The only way to prevent incidents like the hours-long Ivano-Frankivsk blackout is to train energy-company employees in the safe use of e-mail (or even make it impossible for them to open attachments); make sure ex-employees cannot help criminals gain access to the corporate systems; and promote energy independence to citizens.

The more people have solar batteries, the less damage a blackout can do.