
Alleged Russian cyberweapon knocks out power grids

Two security firms publish findings on Ukraine’s power grid hack from December; discover new form of malware


Written by Brian Santo, contributing writer

How comforted are you by phrases such as “so far” or “probably”? Hackers briefly knocked out power to part of Kiev last December, the second time Ukraine’s power grid was successfully attacked in just the last 18 months. Cybersecurity specialists say that the more recent hack was far more sophisticated than the first, which was considered pretty darn sophisticated at the time.

But don’t worry, hackers haven’t done any lasting damage to any country’s power grid yet, and so far, the power industry around the world has responded pretty darn well to having their systems probed by someone that cybersecurity experts can’t prove is Russia but are pretty well-convinced was Russia.

It may have been sheer coincidence that the more recent attack on Ukraine’s power system was accompanied by a separate cyberattack, this one on Ukrainian armed forces that apparently allowed the hackers to track Ukrainian artillery units, which might be useful if — and we came up with this completely hypothetical situation entirely at random — someone were to invade Ukraine the way the Russians did in 2014 when Russia seized Crimea, which used to be part of Ukraine but isn’t anymore because the Russians seized it. On the other hand, nobody suspected of cyber-warfare has seized Crimea in more than three years, so don’t worry.

Two cybersecurity firms, ESET and Dragos, have been investigating the December hack of the Ukrainian power grid since it happened, and they recently published their conclusions. ESET, founded as an anti-virus company 25 years ago, was among the first to detect the malware, and it named it “Industroyer,” which seems… proportionate. Dragos, a year-old cybersecurity firm founded to address attacks on industrial infrastructure, calls the same malware “Crash Override,” which sounds like a great name for a cartoon caricature of James Bond, and therefore that much less worrisome, don’t you think? Dragos has published a full report, and a blog post summarizing the findings in that report.

Anyway, what the hackers who built Crash Override did was write modules that speak the control protocols substations actually use, several of them IEC standards (e.g., IEC 60870-5-101, IEC 60870-5-104, IEC 61850). Worth stressing: those modules don’t exploit a bug in the protocols. They send ordinary, well-formed control commands of the kind any authorized master station sends, which is why the fix isn’t a patch but monitoring and manual fallback. That is what allowed the hackers to “open circuit breakers on [remote terminal units (RTUs)] and force them into an infinite loop, keeping the circuit breakers open even if grid operators attempt to shut them. This is what causes the impact of de-energizing the substations,” according to the report summary.
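To make that protocol-level point concrete, here is an added example of the kind of check a substation network monitor could run. It is not code from the Dragos or ESET reports and not the malware itself: it parses IEC 60870-5-104 I-format frames carrying control commands and flags the two behaviours the summary describes, the same point being executed over and over (the “keep it open” loop) and a sweep of execute commands across many points. The frames, the common address, the IOA numbers and the alert thresholds are all constructed for illustration and are not taken from any real substation.

```python
import struct
from collections import Counter

START_BYTE = 0x68          # every APDU begins with 0x68 followed by a length byte
COT_ACTIVATION = 6         # cause of transmission: activation (a command being issued)

# Control-direction type identifications and the size of the information
# element that follows each 3-byte information object address (IOA).
COMMAND_ELEMENT_SIZE = {
    45: 1, 46: 1, 47: 1,   # C_SC_NA_1, C_DC_NA_1, C_RC_NA_1
    58: 8, 59: 8, 60: 8,   # the same commands carrying a CP56Time2a time tag
}


def build_single_command(ioa, on, select, tx_seq=0, rx_seq=0, common_addr=1):
    """Encode one I-format APDU carrying a C_SC_NA_1 (type 45) single command.

    Only used here to construct sample traffic; a real detector reads it off the wire.
    """
    sco = (0x80 if select else 0x00) | (0x01 if on else 0x00)   # S/E in bit 7, SCS in bit 0
    asdu = bytes([45, 0x01, COT_ACTIVATION, 0x00]) + struct.pack("<H", common_addr)
    asdu += ioa.to_bytes(3, "little") + bytes([sco])
    control = struct.pack("<HH", tx_seq << 1, rx_seq << 1)        # I-format: bit 0 of byte 0 is 0
    return bytes([START_BYTE, len(control) + len(asdu)]) + control + asdu


def parse_commands(stream):
    """Yield one dict per control command found in the I-format APDUs of `stream`.

    S- and U-format frames and non-command ASDUs are skipped; a truncated
    trailing frame ends the scan.
    """
    i = 0
    while i + 2 <= len(stream):
        if stream[i] != START_BYTE:
            raise ValueError(f"expected start byte 0x68 at offset {i}")
        length = stream[i + 1]
        apdu = stream[i + 2 : i + 2 + length]
        i += 2 + length
        if len(apdu) != length or length < 4:
            break
        control, asdu = apdu[:4], apdu[4:]
        if control[0] & 0x01:                    # S- or U-format carries no ASDU
            continue
        if len(asdu) < 6 or asdu[0] not in COMMAND_ELEMENT_SIZE:
            continue
        type_id = asdu[0]
        sq, count = asdu[1] >> 7, asdu[1] & 0x7F
        if sq:                                   # commands are never sent as a sequence
            continue
        cot = asdu[2] & 0x3F
        common_addr = int.from_bytes(asdu[4:6], "little")
        pos, elem_size = 6, COMMAND_ELEMENT_SIZE[type_id]
        for _ in range(count):
            if pos + 3 + elem_size > len(asdu):
                break
            element = asdu[pos + 3]
            yield {
                "type_id": type_id,
                "cot": cot,
                "common_addr": common_addr,
                "ioa": int.from_bytes(asdu[pos : pos + 3], "little"),
                "select": bool(element & 0x80),  # select (1) or execute (0) stage
                "state": element & 0x03,         # SCS for single, DCS for double commands
            }
            pos += 3 + elem_size


def detect_command_abuse(stream, hammer_threshold=5, sweep_threshold=8):
    """Return alert strings for the two patterns the text describes.

    hammer: the same point is executed again and again (the "keep it open" loop).
    sweep:  execute commands are fired at many distinct points in one session.
    Both thresholds are illustrative; tune them to the substation's normal traffic.
    """
    executes = [c for c in parse_commands(stream)
                if c["cot"] == COT_ACTIVATION and not c["select"]]
    per_point = Counter((c["common_addr"], c["ioa"]) for c in executes)
    alerts = [f"repeated execute on CA={ca} IOA={ioa} ({n} times)"
              for (ca, ioa), n in per_point.items() if n >= hammer_threshold]
    if len(per_point) >= sweep_threshold:
        alerts.append(f"execute sweep across {len(per_point)} distinct points")
    return alerts


# Constructed sample traffic (not captured data). An operator does one
# select/execute on IOA 1001; the attacker stream sweeps IOAs 1000..1019 and
# then hammers IOA 1001 six more times.
OPERATOR_STREAM = (build_single_command(1001, on=False, select=True, tx_seq=0)
                   + build_single_command(1001, on=False, select=False, tx_seq=1))
ATTACK_STREAM = b"".join(build_single_command(ioa, on=False, select=False, tx_seq=n)
                         for n, ioa in enumerate(range(1000, 1020)))
ATTACK_STREAM += b"".join(build_single_command(1001, on=False, select=False, tx_seq=20 + n)
                          for n in range(6))

if __name__ == "__main__":
    print("operator:", detect_command_abuse(OPERATOR_STREAM) or "no alerts")
    print("attacker:", detect_command_abuse(ATTACK_STREAM))
```

Two caveats a practitioner would add. First, whether SCS=0 means “open” or “close” for a given breaker is a per-site engineering decision, so the detector keys on command volume and spread rather than on the commanded state. Second, the whole point of the exercise is that every one of these frames is a valid IEC 104 command; the only thing that distinguishes the attacker from the operator is who sent it, from where, and how often, so the monitor has to sit where it can see the substation-side traffic and know which hosts are legitimate masters.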

So far, all grid operators have to do, should anyone subsequently find themselves facing Crash Override, is “go back to manual operations to alleviate this issue,” note ESET and Dragos. They also suggest some specific countermeasures in their reports.

Crash Override is “an extremely concerning capability,” the two companies allowed, but getting hit by it would definitely not be a “‘gloom-and-doom’ type of scenario.”

The two companies say that the attack in Ukraine was probably just a probe — “a proof of concept” — and that even if the hackers tried again, the most they could probably do is cause outages that last a few days instead of just a few hours.

By the way, Dragos and ESET said Crash Override is extensible, “and with a small amount of tailoring, such as the inclusion of a DNP3 protocol stack, would also be effective in the North American grid.”

Anyone remember that one time in 2011 when a few glitches in the grid in Arizona took down power throughout vast swaths of the Southwest, arcing all the way into California, essentially returning the whole area to a pre-industrial existence that most people in the affected areas were completely unprepared to deal with? That was an accident. The power outage only lasted about 11 hours, and damages were estimated to be only about $100 million in San Diego alone. What are the odds that hackers might try to deliberately replicate those conditions someplace? Other than the hackers who just did that in Ukraine, I mean? Twice. Twice successfully. So far.

Learn more about Electronic Products Magazine