Will Ukraine Be Hit by Yet Another Holiday Power-Grid Hack?

Han maomin/Shutterstock.com

The country has been attacked the past two years in December. A new strike could have major implications for cybersecurity in the U.S.

The holiday season has not been a joyful time with respect to Ukraine’s power grid. Days before Christmas in 2015, remote hackers wrested control from Ukrainian grid operators, and, by digitally commandeering substations, shut off power for 225,000 customers for several hours. Then, in mid-December of last year, hackers developed a malicious code that, without any real-time human support, disrupted a Kiev transmission station and caused a substantial blackout that lasted roughly an hour in the capital—in the first fully automated grid attack ever seen.

With the holidays approaching again, the eyes of security experts and diplomats are on the energy companies in Ukraine and on the teams, believed to be based in Russia, that are responsible for the attacks. Researchers have linked these groups to the infiltration of energy companies in the United States and Europe. Experts are watching this month with concerns over safety in Ukraine and over the significant implications such an attack would have worldwide, including in the U.S.

Some evidence has already suggested that a new attack could be in the works. Robert Lee, the CEO and founder of the industrial-cybersecurity firm Dragos and a leader in analyzing both of the Ukraine grid attacks, says that in recent weeks he has observed an unusual spike in activity in Ukraine by the same group of developers who engineered the malware used in the 2016 attack. From last year’s attack until mid-November, Dragos had registered very little activity in Ukraine by the group, Lee says. “In our assessment, it would be completely reasonable to execute an attack this month,” he warns.

It’s possible that this spike in activity could be reconnaissance, preparation for a later operation, or simply an intention to create fear of a forthcoming hack. Michael Assante is the director of industrials and infrastructure at the cybersecurity-focused SANS Institute and a lead investigator of the 2015 attack. He says that, given the continuous and sustained access campaigns in the Ukraine—which have occurred against the backdrop of the clash in Eastern Ukraine that resulted from Russia’s annexation of Crimea, in 2014—it is unclear if an attack is being readied. “The attackers could launch an attack if they believed an attack served a purpose and felt that the risk of being foiled was low enough to proceed,” he says.

Now American officials are on the lookout for any features of a 2017 attack in Ukraine that could spell trouble if a nation-state were to focus its efforts on the high-risk target of the United States—perhaps in case of a war, when the norm against attacking infrastructure slackens.

Indeed, past attacks on Ukraine have informed officials’ understanding of the national-security threats to the U.S. For more than a decade leading up to the 2015 Ukraine attack, officials and diplomats discussed the possibility of an attack on infrastructure, according to Chris Painter, who led the State Department’s international cyberpolicy and diplomacy efforts from 2011 until this fall. “This is not a new thing on our radar, but we’ve actually seen it coming of age and happening, which has raised the alarm bells,” he says, characterizing such an attack on the United States as a low-probability but high-impact event. “We are in a new era where we will see more of these. It has gone from theoretical to more doable and practical.”

As Herb Lin, a cybersecurity scholar at Stanford University, points out, an attack in the United States of limited duration and scope, such as the 2015 and 2016 Ukranian grid attacks, would be “annoying but tolerable,” akin to a typical, localized blackout. But watching the Ukrainian grid is of particular interest in the U.S. because past attacks may well have been for purposes of signaling, according to Chris Inglis, who served as the deputy director of the National-Security Agency from 2006 to 2014. These attacks were “done visibly and in a venue where the United States couldn’t react,” he says.

Indeed, Lee observed that a number of the capabilities that the developers behind the 2016 attack had engineered into malware were not ultimately deployed in the attack. “It looked more like a proof of concept or a test run than a final outcome,” he says. It was as if this grid attack on a non-nato country was meant to show off capabilities that would frighten or deter other powers—which a defining analysis by the journalist Andy Greenberg in Wired suggests is an element of the campaign of cyberassaults on Ukraine.

A cyberattack on the U.S. grid would almost certainly require the backing and resources of a nation-state. Researchers have connected the hackers responsible to the Russian government, though Russia has denied allegations of hacking in Ukraine. And Lee has observed that the attackers function as a complex organization with multiple teams and specialties, like a company or an intelligence agency—with the 2015 attackers working as an operations team and the 2016 attackers as a development team. Russia has proved its willingness to use cybertools to meddle in the United States this year. Further, U.S. government officials expect more sophisticated and widespread cyberoperations from Russia, especially around the 2018 midterm elections.

“What worries me most about Russia is not its technology, but its audacity and their willingness to cross the line,” Inglis says. “They have proved themselves willing to do things that cross every definition of red line.”

Still, the capabilities deployed against Ukraine only mean so much for the United States. The U.S. power grid belongs to a diverse set of mostly private-sector owners, and much of it is heavily regulated. It would be more difficult to attack a grid of this complexity. At the same time, the U.S. grid is more digitally dependent. Where Ukraine was able to restore power within hours by reverting to analog operations, a heavy reliance on automation in the United States limits this recovery option. “I’d be concerned if, on the receiving side, we make the mistake of digitizing too much,” Inglis says. “The benefit of a manual backup showed itself [in Ukraine] as a feature as opposed to a piece of legacy. Right now, in the United States, there are some places with manual capabilities and others where there aren’t.”

Experts agree that power companies are making strides toward increasing the defensibility and readiness of the U.S. grid, but there is a ways to go. “We have certainly learned that current defenses should not be considered adequate when facing attackers who are experienced and equipped to target power systems,” wrote Assante, who has also worked in the leadership of American Electric Power and the North American Electric Reliability Corporation.

“We have to step up our game,” Painter ays. “Clearly there are malicious actors that want to mess with these systems, and I can’t say that we’ve done enough or that industry has done enough.”

Yet, a well-financed, imaginative adversary with the backing of a nation-state could seemingly could come up with any number of attacks on American systems (just as the United States can). For example, one high-value target in the United States would be large transformers, which enable the bulk of transmission of electricity. “They weigh hundreds of tons, cost millions of dollars, take months to build,” Lin says. A cyberattack on such transformers could result in power losses lasting for weeks or months if backup transformers were not in place—and they often aren’t. (Indeed, transformers are subject to threats outside the digital realm, and were the target of a California sniper attack in 2013.)

While the technical defense of each component of a power grid presents numerous challenges, defending a grid does not always come down to patching vulnerabilities. In the 2015 Ukraine attack, for instance, hackers did not engineer technically sophisticated tools. Instead, they used phishing emails and learned insider knowledge, executing legitimate operations but doing so to inflict damage. “This is less a technical issue—though there are serious technical challenges to be solved—than a people issue about cognizance, responsibility, and accountability,” Inglis says.

As they look to Ukraine this month, experts say it would be particularly concerning to see an attack affecting a larger area, spreading on autopilot, or lasting for more than a day. Of course, any potential second-order effects, such as loss of life, would raise the stakes—as would a domino effect in which a power outage also disrupted telecommunication or air-traffic systems.

And in the United States, officials are learning to live with uncertainty about the grid. “It is a fact of life that we could lose power for a couple of hours due to a foreign power,” Lee says. “We don’t have to panic about it, but we do need to come to terms with this reality while working to make it harder to achieve.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.