
Ukraine power grid hack first confirmed example in the wild

This happened in December last year. It was a very sophisticated and carefully planned attack:

  • Started with spear-phishing - targeted in this case specifically at power grid operators. This attack started with an email with a Word attachment which, when opened, asked the recipient to enable macros. That macro launched malware which got into corporate networks but not the SCADA networks, which are separated by a firewall.
  • The malware mapped networks and harvested user credentials used to get access to the SCADA VPNs. When they were able to get through, they launched firmware rewrites. They also installed malware to kill the operator stations at the time of attack.
  • That said, once they realized what was happening, operators were able to restore power relatively quickly because their systems have manual circuit breaker overrides.

In case you're thinking the US must have much better systems and could protect better, think again. Security experts say that in several ways the Ukrainian grid systems are more secure than current American systems. And many US power control systems do not have manual backup support, meaning the only way to recover power is to reprogram or replace the controllers. It sounds like Ukraine grid operators are still working on replacing bricked controllers.

Couple of takeaways for me:
  • All the automated security in the world can't protect against phishing which depends on human error and policies that allow attachments and links which can hide malware.
  • Think the IoT and AI are going to put us all out of work? Think again. Automation is good at handling in-bounds behavior. As long as there are security threats, we'll always need manual overrides and out-of-the-box thinking.

Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid | WIRED
For a while I was hanging out with the Smart Grid types in the US. On the plus side, there is a lot of dialog in place about preventing and responding to issues. (Object lesson for public speakers: never walk into any conference on security and say, "Our stuff is absolutely secure." I watched one of the embedded operating system vendors I've known a long time get laughed out of the room.)

The smart grid community worries a lot about blended attacks, where someone gains physical access to plant the malware or a precursor. People that get phished and reuse their login info on critical systems deserve what they get.

This is also one reason most of the smart meters in the US are on a private ZigBee profile. Not unhackable, but tougher than Wi-Fi, and they spend a lot of time with the pen testers to make sure of that.
And the more interesting question, after something like this happens here for the first time, will we hear about it?

The incident at our Drone command comes to mind. I guess most of their PCs in the secure facility were infected with a USB drive malware/virus. Lord knows what that cost to fix. But I think they are saying that their mission was not compromised by this.