On December 18 of last year, an electrical substation near Kiev shut down without warning, sending the northern parts of Ukraine’s capital city into a sudden hour-long blackout. About a fifth of the total amount of electricity Kiev uses was suddenly unavailable. “That is a lot. This kind of blackout is very, very rare,” said Vsevolod Kovalchuk, acting chief director of the state-run energy company Ukrenergo, to Reuters.
It wasn’t a problem with Ukraine’s electrical infrastructure. Instead, Kovalchuk — along with many others — suspected that the energy company had been the victim of a cyberattack. Ukrenergo’s IT specialists had discovered a series of transmissions that weren’t supposed to be there, leading them to believe they had been hacked. (During this same period, Ukraine’s Treasury and its Finance and Defense ministries had all suffered attacks that disrupted service.) But it was unknown what virus the attackers had used, or why it was so effective at shutting down power to Kiev.
When people talk about cyberattacks, power grids come up frequently: shut down power to a region, and you can cause mass chaos from afar. Now two security firms, Slovakia’s ESET and the U.S.-based Dragos, have released reports detailing “Industroyer” (also known as “Crash Override”), a very nasty virus seemingly designed with one purpose — to wreak havoc on industrial equipment, specifically the computers that control electrical substations and circuit breakers. Once the virus is in control, it can do anything from turning the power off to creating rolling blackouts to inflicting physical damage on the equipment.
It’s able to do this because the protocols controlling substations and circuit breakers were designed decades ago, when it was assumed that industrial networks would remain internal. They are also largely standardized across the world. Engineers back then didn’t consider a world where industrial technology would be accessible to the outside world. “Most of the systems have fairly old technology that’s hard to strengthen against those type of attacks,” says Mike Fumai, president and COO of AppGuard.
Industroyer is a sophisticated piece of software. “It’s complex in that it has multiple stages of attack,” says Fumai. “It has multiple levels of permissions, which it needs to be effective.” Industroyer first infiltrates an energy company’s network and waits to see if the intrusion was detected. If it wasn’t, it then moves on to the next step, infecting computers within the network. Along the way, it builds several backdoors for itself, meaning even if one intrusion point is found, it can still slip in and continue to cause damage. It also has the ability to completely wipe all traces of itself if it is detected.
What’s more, unlike other major cyberattacks against civil infrastructure, it doesn’t require the monitoring and management of a human operator. “The code itself will do the damage,” says Fumai. “In that case, the initial Ukraine attack, that mission was to shut down power grids for a certain amount of time.”
This leads many to believe that Kiev’s brief blackout in December was more of a test run of Industroyer — a proof of concept, if you will. Because the protocols are so standardized, it could easily be adapted for an attack on any part of the world whose civil infrastructure is connected to the internet. The fact that Ukraine was targeted, combined with Industroyer’s high level of technical accomplishment, has led many to believe that this may be the work of state-sponsored hacker groups, likely out of Russia. (Ukraine has been under near-constant cyberattacks since Russia’s annexation of Crimea two years ago.)
There isn’t much electrical utilities can do to protect themselves. Careful monitoring of every part of the system can detect abnormalities — a sudden spike or drop in power could be the sign of an attack beginning, which could give an IT team enough time to find and flush the virus before it causes more damage. “But the virus does have the ability to stay stealthy,” says Fumai, “so you may not be able to stop it before it causes harm.”
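The kind of monitoring described above, as an added example that is not from the article or from either vendor’s report: a small Python detector that compares each feeder load reading with a rolling median of recent normal readings and raises one alert when a sudden spike or drop crosses a threshold. The telemetry, feeder names, window size and threshold are constructed assumptions; a real deployment would take its readings from the utility’s SCADA historian.

```python
"""Added example (not from the article): flag abrupt load changes in
constructed substation telemetry. Readings, feeder names, the window
size and the threshold are all assumptions made for the example."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Reading:
    ts: str       # ISO-8601 timestamp (constructed)
    feeder: str   # feeder identifier (constructed)
    mw: float     # measured load in megawatts


@dataclass(frozen=True)
class Alert:
    ts: str
    feeder: str
    baseline_mw: float
    observed_mw: float
    change: float  # signed fraction relative to the baseline


def detect_load_steps(readings, window=5, threshold=0.25):
    """Raise one Alert at the onset of each abrupt load change.

    For every feeder, the baseline is the median of the last `window`
    readings that were judged normal; a reading whose relative change
    from that baseline exceeds `threshold` is anomalous. Anomalous
    readings are not folded into the baseline, so a sustained outage
    does not quietly become the new normal, and repeat alerts are
    suppressed until the feeder returns to its baseline. Alerts are
    returned in input order.
    """
    history = {}    # feeder -> recent normal readings (MW)
    alerting = {}   # feeder -> True while an anomaly is ongoing
    alerts = []
    for r in readings:
        past = history.setdefault(r.feeder, [])
        if len(past) >= window:
            base = median(past[-window:])
            change = (r.mw - base) / base if base > 0 else 0.0
            if abs(change) > threshold:
                if not alerting.get(r.feeder):
                    alerts.append(Alert(r.ts, r.feeder, base, r.mw, change))
                    alerting[r.feeder] = True
                continue  # keep the anomalous sample out of the baseline
            alerting[r.feeder] = False
        past.append(r.mw)
    return alerts


# Constructed telemetry: feeder F1 sits near 100 MW, then collapses to
# roughly 38 MW for three samples and recovers; feeder F2 sits near 50 MW
# and shows a single 40 % spike.
SAMPLE_READINGS = [
    Reading("2016-12-17T23:40:00Z", "F1", 100.0),
    Reading("2016-12-17T23:41:00Z", "F1", 101.0),
    Reading("2016-12-17T23:42:00Z", "F1", 99.0),
    Reading("2016-12-17T23:43:00Z", "F1", 100.0),
    Reading("2016-12-17T23:44:00Z", "F1", 102.0),
    Reading("2016-12-17T23:45:00Z", "F1", 100.0),
    Reading("2016-12-17T23:46:00Z", "F1", 38.0),   # abrupt drop
    Reading("2016-12-17T23:47:00Z", "F1", 37.0),
    Reading("2016-12-17T23:48:00Z", "F1", 39.0),
    Reading("2016-12-17T23:49:00Z", "F1", 101.0),  # recovery
    Reading("2016-12-17T23:50:00Z", "F1", 100.0),
    Reading("2016-12-17T23:40:00Z", "F2", 50.0),
    Reading("2016-12-17T23:41:00Z", "F2", 50.0),
    Reading("2016-12-17T23:42:00Z", "F2", 51.0),
    Reading("2016-12-17T23:43:00Z", "F2", 49.0),
    Reading("2016-12-17T23:44:00Z", "F2", 50.0),
    Reading("2016-12-17T23:45:00Z", "F2", 70.0),   # abrupt spike
    Reading("2016-12-17T23:46:00Z", "F2", 50.0),
]


if __name__ == "__main__":
    for a in detect_load_steps(SAMPLE_READINGS):
        print(f"{a.ts} {a.feeder}: {a.observed_mw:.1f} MW vs baseline "
              f"{a.baseline_mw:.1f} MW ({a.change:+.0%})")
```

Using a median rather than a mean for the baseline keeps a single bad sample from pulling the reference level, and emitting an alert only on the transition into the anomalous state keeps an operator’s console from filling with one alarm per reading during an outage that is already known.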
There’s also the idea that utilities should build extremely advanced VPN “enclaves” around their entire network, masking their public IP addresses (one of the more common ways hackers find their way into a system). Workers are then issued physical devices that only allow authorized users access to the network. But that obviously comes with its own logistical (and budgetary) constraints.
Before panic rises too high, it should be noted that even if this virus was unleashed on a power grid, power would likely be restored in a matter of hours, or perhaps a day — not weeks or months. As security firm Dragos notes, “The electric grid operators train regularly to restore power for similar-sized events such as weather storms.” Still, the ability for unknown actors to cause even brief interruptions to the electrical grid should be enough to give anyone pause.
Industroyer/Crash Override is now the second known virus in the world designed to attack industrial equipment. The first, Stuxnet, was a computer worm generally believed to have been developed in a joint effort by Israelis and Americans to severely damage Iran’s nuclear-weapons program and deployed in 2010.