Ukraine suffered a cyberattack on its electric grid that shut down power in Kiev, the nation's capital, for an hour in December 2016. However, the attack was much deeper than just the grid. It was a systemic attack hitting key governmental and infrastructure points across the country.
The attack ended up being very similar to the attack that struck the Ukrainian power grid in December 2015.
But unlike the 2015 cyberattack, which cut out 27 power distribution operation centers across the country and affected three utilities in western Ukraine, the December 2016 attack hit Pivnichna, a remote transmission-level substation, and shut down the remote terminal units (RTUs) that control its circuit breakers, causing a power outage of about an hour.
"In the Ukraine there was a huge wave of attacks going on," said Marina Krotofil, lead security researcher at the Honeywell Industrial Cybersecurity Lab and an investigator on the utility attack, in an interview with ISSSource. "None of the attacks were targeted at maximum damage. Interaction, yes. Sabotage, yes. But no maximum damage. Attackers shut down the RTUs which controlled circuit breakers. So, basically the RTUs were sent offline; there was a command that said go offline and shut down. If the RTUs are not controlling the circuit breakers they would fail open, and this is how the substation disconnected from the power grid. (The attackers) could have done so much more, but they did not. Very quickly the RTUs were put online and everything was reconstructed, and within an hour everything was working."
Krotofil said they have theories on who did this and why they did it, "But we cannot talk about it right now."
"As you can see from the entire Ukraine, the power utility was just part of the picture. The entire Ukraine was attacked. It seems within this specific campaign in December there was no intention to cause maximum damage anywhere. It doesn't matter what was attacked, railway, or power utility or governmental organization there was no major damage," she said. "I am not claiming the attackers won't do more damage in the future."
Comparing the two attacks
By comparing the incident with the previous year's attack, the investigators were able to establish a relationship between the two. "It was unique in the sense the style was very recognizable from other attacks from last year. You go to the host, you look for the same looks and you find them. You can clearly recognize the style," Krotofil said.
Then she added an ominous note.
"The attack group clearly became more sophisticated and more organized," Krotofil said. "The level of sophistication and preparedness and organization was significantly higher from last year."
Sites with little technology on site are sometimes easy to attack because they were never considered worth securing; however, this was not the case at the Pivnichna substation.
"This was one of the most highly automated substations in Ukraine," Krotofil said. "It was not clear if it was selected on purpose or not because there were a lot of YouTube videos on the substation. There was a lot of publicity because this was one of the substations that was just upgraded with all of the latest automation technology. While it ran some old systems, it was highly automated and there was a lot of public information on it."
Was Ukraine attack preventable?
With an attack on an electric utility such as the one in Kiev, Ukraine, the obvious question is: What could have been done to prevent the incident from happening?
"They could not have avoided this attack because it is very targeted," Krotofil said. "The attacker wanted to get in."
Any dedicated attacker that is well financed and has the time and energy to focus on a specific target will most likely succeed. But it doesn't have to be that way. What is at issue is that manufacturers are only at the beginning stages of implementing security programs at their facilities.
"Now the entire world is going from old infrastructure to updating switches, to perimeter security which are the first steps to be done to start security. Many companies are in the opening stages, but there are industries like oil and gas that are more advanced. It is a very slow process," Krotofil said.
In this attack, the intruder put all their effort into getting through the perimeter.
"Once the intruder is in the perimeter, they will try to blend in as soon as possible," she said. "They will obtain some legitimate credentials and they will start acting using the legitimate credentials. Once they blend in, no network monitoring will show you because you have legitimate credentials so then you have to start doing behavioral monitoring.
"Specifically, in this case, the intruder was determined to get in; no organization could prevent this type of attack. Only a few very prepared organizations could prevent this type of attack."
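The behavioral monitoring Krotofil describes above, where an intruder acting under legitimate credentials is invisible to credential-based checks and only stands out by deviating from the account's normal pattern, can be sketched as a baseline-and-deviation check. The following is an added illustration, not code from the article, ISSSource or Honeywell: the log format, the account name "ops1", the host names and the action names (including "rtu_set_offline") are all constructed for the example, and the baseline is deliberately tiny so the logic is easy to follow.

```python
"""Per-account behavioral baseline over constructed operator access logs.

Each line is "<ISO timestamp> user=<name> src=<host> action=<verb>".
A baseline period records, per account, the source hosts, the hours of
the day and the actions that were seen. New events are then scored by
how they deviate from that profile, regardless of whether the
credential itself was valid.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample data (hypothetical format, not from any real incident).
BASELINE_LOGS = [
    "2016-12-12T08:05:10 user=ops1 src=eng-ws-03 action=login",
    "2016-12-12T08:06:44 user=ops1 src=eng-ws-03 action=read_tags",
    "2016-12-13T09:12:01 user=ops1 src=eng-ws-03 action=login",
    "2016-12-13T09:13:30 user=ops1 src=eng-ws-03 action=read_tags",
    "2016-12-14T14:40:05 user=ops1 src=eng-ws-04 action=login",
    "2016-12-14T14:41:22 user=ops1 src=eng-ws-04 action=ack_alarm",
]

# Constructed events to score: two ordinary ones, then a valid credential
# used from an unfamiliar host, late at night, for an action the account
# has never performed before.
NEW_LOGS = [
    "2016-12-17T09:02:15 user=ops1 src=eng-ws-03 action=login",
    "2016-12-17T09:03:40 user=ops1 src=eng-ws-03 action=read_tags",
    "2016-12-17T23:50:12 user=ops1 src=vpn-gw-02 action=login",
    "2016-12-17T23:51:03 user=ops1 src=vpn-gw-02 action=rtu_set_offline",
]


def parse(line):
    """Split one log line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def build_baseline(lines):
    """Collect, per account, the hosts, hours and actions seen in the baseline period."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set(), "actions": set()})
    for line in lines:
        e = parse(line)
        p = profile[e["user"]]
        p["hosts"].add(e["src"])
        p["hours"].add(e["ts"].hour)
        p["actions"].add(e["action"])
    return profile


def score_event(event, baseline):
    """Return the list of ways this event departs from its account's profile."""
    p = baseline.get(event["user"])
    if p is None:
        return ["unknown_user"]
    reasons = []
    if event["src"] not in p["hosts"]:
        reasons.append("new_host")
    # Treat the span from the earliest to the latest baseline hour as the
    # account's working window; anything outside it is off-hours.
    if not (min(p["hours"]) <= event["ts"].hour <= max(p["hours"])):
        reasons.append("off_hours")
    if event["action"] not in p["actions"]:
        reasons.append("new_action")
    return reasons


def find_anomalies(lines, baseline):
    """Return (line, reasons) for every event that deviates from its baseline."""
    flagged = []
    for line in lines:
        reasons = score_event(parse(line), baseline)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in find_anomalies(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(", ".join(reasons), "<-", line)
```

Both late-night events are flagged even though the "ops1" credential is perfectly valid; the second one additionally trips on a control action the account had never issued. In a real deployment the baseline would cover weeks rather than days and the action dimension would be fed from the control system's own command log, but the principle is the one the article states: once the intruder holds legitimate credentials, what remains observable is the change in behavior.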