
Two cyber security firms yesterday released their analysis of a power outage in the Ukrainian capital Kiev in 2016. The outage was caused by a cyber attack using a piece of malware that, thanks to its versatility, is capable of many more attacks, including in other countries. It seems that Kiev was just a test of the malware. The malware contains code that acts fully automatically to disable electrical substations. To begin with, the software maps where the critical components are located and how they behave in practice. Using that map, the malware is able to recognise certain switches and open them, thus cutting off the power supply. At the same time, it erases the software for those switches so that an operator can no longer close them remotely. The operator then has to travel to the substation in person, which costs extra time.
How the malware got onto the Ukrainian electricity company's systems is not known. It is quite possible that phishing emails were used for this purpose, ESET believes. These are fake messages containing a link that, once clicked, causes a piece of malicious software to be downloaded to the recipient's PC and install itself there.
The researchers from security firm ESET have discovered the new virus, which allows parts of the power grid to be taken over remotely.
With the so-called "Industroyer", hackers can remotely determine when to shut down a control system in high-voltage grids.

Industroyer is easily adaptable malware, according to ESET; it can be aimed at different types of industrial systems, including oil plants, transport networks, waterway locks and so on. The version of the virus that the security company found is designed to disable power grids, and it also blocks the remote reclosing of circuit breakers. According to ESET, with a few minimal modifications the Netherlands could also potentially fall victim to Industroyer.
Industroyer/Crash Override has four modules on board to carry out attacks. Each module communicates with devices in the power grid via a different protocol. Depending on which protocols are used in a particular country, the malware deploys a corresponding module. This also indicates that the malware was written specifically to be deployed in different countries. The power outage in Ukraine was probably just a test, and power grid operators in other countries would do well to check the security of their control and monitoring systems.
See also the article in "The Engineer", "Dangerous malware takes down power grid", 13 June 2017, and the article in HCCNET's newsletter, "ESET discovers virus that takes down power grids".
According to Wired the malware requires far fewer people to deploy than previous cyber attacks. That means this type of attack is more scalable. 'Whereas in 2015 the hackers needed 20 people to attack three electricity companies, now those same 20 people could attack as many as 15 sites at once,' Dragos' Robert M. Lee told Wired.
The cyber attack with the malware resembles the earlier Stuxnet, the computer worm that in 2010 damaged a number of ultracentrifuges in Iran, which the country used to enrich uranium (read: 'Computer worm Stuxnet cripples physical processes at factories'). At the time, a shock went through the computer world.
For the first time, many people realised that it was possible to use software to wreak havoc on the processes in a factory (also read: 'Hackers threaten chemical plant' and 'Insecure Internet of Things calls for action').
According to analysts, Industroyer/Crash Override is only the second piece of malicious software specifically designed to cripple physical industrial plants and take out power grids.
Opening image: a power grid distribution station, not in Ukraine. Photo: Vattenfall. Illustration: ESET.