Responding to another Ukrainian power attack

Richard Piggin | 26 Jan 2017

Almost exactly one year after the attack on three Ukrainian distribution substations, another campaign has targeted the country’s power transmission system. Ukrainian officials have attributed the attack to Russian perpetrators once again. Richard Piggin shares his thoughts on how this represents an escalation of cyber attack sophistication against a nation’s critical national infrastructure, as well as how the impact of such attacks can be mitigated in the future.

The most recent campaign is reported to have commenced on 6 December, continuing through to 20 December. Vsevolod Kovalchuk, a director at the Ukrainian national energy company Ukrenergo, told Reuters that the 200 megawatt interruption was equivalent to approximately a fifth of Kiev's night time energy consumption, and that the scale of the interruption was very rare.

The automation was shut down in the Pivnichna power transmission substation located north of Kiev. The remote terminal units (RTUs) opened circuit breakers, causing a power outage that lasted for 75 minutes. Power was restored manually, with full restoration early the following morning. Power loss was reported in northern Kiev and on the eastern bank of the Dnieper River and the surrounding area.

The Ukrenergo director described ‘external influences’ affecting workstations and SCADA (supervisory control and data acquisition) servers, and anomalies in transmission network data. Although investigations are ongoing, researchers have in the meantime confirmed significant similarities to the power outage a year earlier. These include phishing attacks, with malware embedded in Microsoft Office document macros, and traces of the BlackEnergy 3 malware used in the attacks targeting Ukrainian government organisations.

Oleksii Yasinsky of ISSP Labs distinguished the more recent attacks, which used significant obfuscation, as “being more complex and better organised.”

Marina Krotofil, a security researcher at Honeywell Industrial Cyber Security Lab, contrasted the campaign with the previous, damaging attack: “They could do many more things, but obviously they didn’t have this as an intent. It was more like a demonstration of capabilities.”

Ukrainian media and security researchers have also reported further cyber-attacks including distributed denial of service (DDoS) attacks on the Defence Ministry, government sites, financial sector, railways, ports and electrical power transmission.

The electricity sector in particular, and governments as a whole, will be disturbed by the escalation illustrated by these further attacks, particularly the attack on a power transmission substation, which has the potential for much greater impact than the previous attacks on distribution substations. Whether or not this is perceived as a demonstration or testing of capability, it raises concerns. Given the motivation to attack critical infrastructure with apparent impunity and in contravention of international law, the intent highlights the need for effective cyber security and well-developed incident response planning.

Lessons will be drawn from both Ukraine attacks, including the methodologies utilised by the perpetrators and the opportunities to disrupt different stages of the attack. It is highly likely that the investigation will indicate perpetrator presence on target networks and the use of remote access to disrupt the substation automation. The capability demonstrated emphasises the importance of understanding normal network activity and recognising abnormalities. Both attacks also underline the need for mature incident response plans, which are regularly updated, tested and reviewed.
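The point about understanding normal network activity and recognising abnormalities can be made concrete with a small baseline-and-deviation check over substation control traffic. The example below is added here and is not code from the original article or from Atkins; the log format, the host names (HMI-01, EWS-07), the RTU names and the command vocabulary are all constructed assumptions standing in for whatever a site's SCADA gateway or historian actually records. It learns which (source host, RTU, command) combinations and which hours of day are normal from a baseline period, then flags control commands in a review period that come from an unseen source, fall outside the observed switching hours, or arrive in a burst, which is the kind of remote, rapid breaker-opening activity described above.

```python
"""Baseline-and-deviation check over constructed substation control logs.

Added illustrative example; the log format, host names, RTU names and
command names are hypothetical and not taken from the article.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Commands that change plant state, as opposed to routine polling.
CONTROL_COMMANDS = {"OPEN_BREAKER", "CLOSE_BREAKER"}
BURST_WINDOW = timedelta(minutes=5)
BURST_LIMIT = 2  # more than this many control commands per window is a burst

# Constructed baseline: a day of routine polling plus one planned switching operation.
BASELINE_LOG = """\
2016-12-01T08:00:05 HMI-01 RTU-1 READ_STATUS
2016-12-01T08:00:07 HMI-01 RTU-2 READ_STATUS
2016-12-01T08:00:09 HMI-01 RTU-3 READ_STATUS
2016-12-01T10:15:40 HMI-01 RTU-1 OPEN_BREAKER
2016-12-01T10:41:12 HMI-01 RTU-1 CLOSE_BREAKER
2016-12-01T12:00:05 HMI-01 RTU-1 READ_STATUS
2016-12-01T12:00:07 HMI-01 RTU-2 READ_STATUS
2016-12-01T12:00:09 HMI-01 RTU-3 READ_STATUS
"""

# Constructed review window: routine polling, then an engineering workstation
# issuing a rapid series of breaker-open commands in the evening.
REVIEW_LOG = """\
2016-12-17T16:00:05 HMI-01 RTU-1 READ_STATUS
2016-12-17T16:00:07 HMI-01 RTU-2 READ_STATUS
2016-12-17T17:02:10 EWS-07 RTU-1 OPEN_BREAKER
2016-12-17T17:02:31 EWS-07 RTU-2 OPEN_BREAKER
2016-12-17T17:03:02 EWS-07 RTU-3 OPEN_BREAKER
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    rtu: str
    cmd: str


def parse_log(text):
    """Parse 'timestamp source rtu command' lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, rtu, cmd = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, rtu, cmd))
    return events


def build_baseline(events):
    """Learn what 'normal' looks like: the observed (source, RTU, command)
    combinations and the hours of day in which control commands were issued."""
    triples = {(e.src, e.rtu, e.cmd) for e in events}
    control_hours = {e.ts.hour for e in events if e.cmd in CONTROL_COMMANDS}
    return {"triples": triples, "control_hours": control_hours}


def find_anomalies(baseline, events):
    """Return (event, reason) pairs for activity that deviates from the baseline."""
    findings = []
    recent_controls = deque()  # timestamps of control commands in the sliding window
    for e in sorted(events, key=lambda x: x.ts):
        if (e.src, e.rtu, e.cmd) not in baseline["triples"]:
            findings.append((e, "unseen source/RTU/command combination"))
        if e.cmd in CONTROL_COMMANDS:
            if e.ts.hour not in baseline["control_hours"]:
                findings.append((e, "control command outside observed hours"))
            recent_controls.append(e.ts)
            while recent_controls and e.ts - recent_controls[0] > BURST_WINDOW:
                recent_controls.popleft()
            if len(recent_controls) > BURST_LIMIT:
                findings.append(
                    (e, f"{len(recent_controls)} control commands within {BURST_WINDOW}")
                )
    return findings


def review(baseline_text=BASELINE_LOG, review_text=REVIEW_LOG):
    """Build the baseline from one log and check another against it."""
    baseline = build_baseline(parse_log(baseline_text))
    return find_anomalies(baseline, parse_log(review_text))


if __name__ == "__main__":
    for event, reason in review():
        print(f"{event.ts.isoformat()} {event.src} -> {event.rtu} {event.cmd}: {reason}")
```

On the constructed data the routine HMI-01 polling produces no findings, while each EWS-07 breaker command is flagged twice (unseen combination, outside observed hours) and the third one additionally trips the burst rule. A real deployment would build the baseline over weeks rather than a day, separate weekday from weekend profiles, and feed the findings into the incident response process the article calls for, so that a flagged series of switching commands triggers a defined escalation rather than an ad hoc reaction.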

Beyond the quick wins that a system assessment will identify, there is much potentially applicable guidance that could assist in responding to these developments and improving resilience.

IEC 62443, the international standard specifically developed for industrial cyber security, is one approach that has grown in substance and application. However, embarking on an implementation is a significant undertaking. This multipart standard has been revised, and further developments will incorporate many distinct aspects of securing industrial systems that are applicable to critical infrastructure. High-hazard industries will benefit from the approach to managing safety requirements alongside security in the forthcoming related specification (IEC TS 63069). However, simply seeking to claim compliance with IEC 62443 would be an inappropriate response to securing critical systems.

Instead, asset owners, equipment vendors and system integrators should choose pertinent guidance to support their security strategy, and formulate a cyber security plan for implementation. Atkins recommends a lifecycle approach to engineering cyber security, underpinned by governance and a suitable security management system. An organisational cyber security capability assessment can be used to identify and prioritise areas for improvement to be addressed in the cyber security plan. The organisational assessments can be supplemented with technical assessments as appropriate. The applicable guidance can then be used to direct implementation depending on the entity’s role. An established cyber security framework, such as the NIST Cyber Security Framework (CSF), can draw together the application of good practice principles and assist organisations in the management of cyber risk in critical infrastructure.

Addressing cyber risk can be a daunting and confusing prospect for many organisations, and often appears intangible. An effective approach requires the organisation to understand its business risk and to target resources at those areas where they will have the most effect. There is no magic bullet or technology solution that will reduce risk. Frequently, in our experience, cyber security challenges revolve around people: their awareness, communication, organisational structures and accountability. Senior management support is essential to realise meaningful improvements over the longer term.