Christmas Blackout in the Ukraine

In March 2015, at our SPARKS Stakeholder workshop, the SPARKS team demonstrated how attackers could use a combination of social engineering and custom malware to disrupt energy generation and distribution. Coordinated across three different geographical locations, the attack began with a phishing email to an administrator, continued with lateral movement from that administrative environment into the SCADA environment, and ended with the disruption of power generation at a photovoltaic installation by changing the control settings of its inverter. It was sobering for many of the stakeholders who attended the workshop: a graphic demonstration of the reality of threats that bypass traditional IT defenses, that leapfrog across air gaps, and that hide their damage behind falsified system data.


Here’s a video of the demonstration, introduced by Dr. Kieran McLaughlin.

At the end of December 2015, this scenario was played out in Ukraine, in an attack that cut electric power to roughly 230,000 customers in the west of the country for several hours. The attackers used phishing to gain their initial foothold, then used the operators' own remote access and SCADA systems to open breakers at the distribution substations, and finally deployed a custom wiper component to destroy the compromised machines in order to hinder restoration and prolong the outage. Targeted attacks of this kind have been waged against other industrial environments, including the attack on a German steel mill reported in December 2014, and the scenario is one that the electric industry has anticipated for a number of years, including as one of the failure scenarios documented by NESCOR. But the attack against Ukraine, fully described in a recent article by Wired, was the first confirmed disruption of electric power that was clearly the result of a cyberattack.

In our SPARKS mid-project review with the European Commission a few weeks ago, we cited this attack against Ukraine as important validation of the work we are doing in SPARKS. One of the mini-projects is focused precisely on detecting the kind of SCADA protocol manipulation the attackers used. Another of the mini-projects is focused on using analytics to rapidly detect malware that has managed to slip into the environment. We are working on ways to build systems that are resilient in the face of attacks, on understanding the social and economic impacts of cyberattacks, and on risk management approaches that provide better understanding and mitigation of cyber threats for scenarios like the one played out in Ukraine. At our next SPARKS Stakeholder Workshop in April of this year, we’ll be demonstrating the application of these capabilities to rapid detection of and response to targeted attacks.
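To make concrete what "detecting manipulation of SCADA protocols" can mean in practice, here is an added example that is not SPARKS code and not taken from the project or the Ukraine investigation: a small detector run over constructed Modbus/TCP-style event records. It assumes a hypothetical policy of which hosts are allowed to issue write commands and which holding registers carry inverter control setpoints (the register numbers, IP addresses and allowed ranges are all invented for illustration), and it raises an alert when a write comes from an unexpected host or pushes a protected setpoint outside its allowed range, which is the shape of the inverter manipulation in the SPARKS demonstration.

```python
"""Added illustration: flagging unexpected SCADA write commands.

The log format, addresses, register numbers and allowed ranges below are
constructed for this example; they are not the SPARKS detector or real data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Modbus function codes that change state on the device (write coil(s)/register(s)).
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass(frozen=True)
class ModbusEvent:
    ts: str
    src: str
    dst: str
    function: int
    register: int
    value: int


# Constructed sample log: timestamp, source IP, destination IP (the inverter's
# Modbus gateway), function code, register, value. The third line is an
# unexpected host writing a setpoint of 0 to the output-limit register.
SAMPLE_LOG = """\
2015-03-10T10:00:01 192.168.10.5 192.168.20.40 3 40001 0
2015-03-10T10:00:02 192.168.10.5 192.168.20.40 6 40010 100
2015-03-10T10:00:05 192.168.10.77 192.168.20.40 6 40010 0
2015-03-10T10:00:06 192.168.10.5 192.168.20.40 16 40020 5
"""

# Hypothetical policy: only the HMI/engineering host may write, and two
# registers are treated as inverter setpoints with an allowed range.
AUTHORIZED_WRITERS = {ip_network("192.168.10.5/32")}
PROTECTED_REGISTERS = {40010: (50, 100), 40020: (0, 10)}  # register -> (min, max)


def parse_log(text):
    """Parse whitespace-separated event lines into ModbusEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, fc, reg, val = line.split()
        events.append(ModbusEvent(ts, src, dst, int(fc), int(reg), int(val)))
    return events


def check_event(event, authorized=AUTHORIZED_WRITERS, protected=PROTECTED_REGISTERS):
    """Return a list of alert strings for one event; reads never alert."""
    alerts = []
    if event.function not in WRITE_FUNCTIONS:
        return alerts
    src = ip_address(event.src)
    if not any(src in net for net in authorized):
        alerts.append(
            f"{event.ts} write fc={event.function} to {event.dst} "
            f"from unauthorized host {event.src}"
        )
    if event.register in protected:
        lo, hi = protected[event.register]
        if not lo <= event.value <= hi:
            alerts.append(
                f"{event.ts} value {event.value} written to setpoint register "
                f"{event.register} is outside allowed range [{lo}, {hi}]"
            )
    return alerts


def scan(events, authorized=AUTHORIZED_WRITERS, protected=PROTECTED_REGISTERS):
    """Run check_event over a sequence of events and collect all alerts."""
    return [a for e in events for a in check_event(e, authorized, protected)]


if __name__ == "__main__":
    for alert in scan(parse_log(SAMPLE_LOG)):
        print(alert)
```

Two caveats a practitioner would add. First, the source-host check only helps when the attacker speaks Modbus from their own foothold; in the Ukraine case the commands were issued through the operators' own HMI sessions, so the traffic looked authorized and the setpoint-range and rate-of-change checks are what remain. Second, the allowed ranges must come from the plant's engineering data, not be guessed, or the detector will either miss real manipulation or drown operators in alerts.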

The SPARKS project is not alone in working on these areas. We’re working closely with other projects such as SEGRID that are also contributing to a safer and more resilient Smart Grid, with standards organizations that are addressing these topics, with academic research, and with industry, national and international initiatives for securing critical infrastructure. As the Ukraine cyberattack shows, the threat is serious and significant. Our response to the threat needs to be serious and significant as well.