October 20, 2014, iSight partners gave a presentation at the ICS Cyber Security Conference in Atlanta identifying the BlackEnergy malware and what it meant to critical infrastructures including electric utilities. In November and December 2014, DHS held a series of “secret” briefings with US electric utilities on BlackEnergy and the Russian intrusions into US critical infrastructures. Subsequently, there were several news articles in December 2014 about BlackEnergy compromising US electric grid networks. December 23, 2015, the Ukrainian electric grid was hacked leading to a regional blackout. A sample of BlackEnergy malware was found on the compromised Ukrainian SCADA network. January 8, 2016, iSight confirmed the Russian involvement via BlackEnergy in the Ukrainian attack. To date, BlackEnergy has been for data exfiltration not an attack tool. Given that as background, let’s look at some interesting observations from the Ukrainian hack and what it may mean to the US electric grid:
- The Ukrainian outage was limited in regional scope, outage time, and lack of electric equipment damage. Consequently, the event may have been meant to send a message. Why else spend so much time and effort for an incident with such little immediate impact? Consequently, who was the intended target of the message? In November, pro-Ukrainian protesters destroyed pylons carrying electricity from Ukraine to Crimea. Causing a “small” power outage, while demonstrating the ability to have caused significantly more damage, could have served as a warning to Ukraine about damaging infrastructure. Only the electric system in the “Western-friendly” part of the Ukraine lost power even though several electric systems in other regions also were “compromised” but did not lose power (just like Stuxnet, there appears to have been specific targeting for causing damage). The obvious answer would be the pro-Western Ukrainians. However, the answer may not be so simple.
- The timing of the Ukrainian event is suspect. In mid-December 2015, DARPA issued a Broad Area Announcement on cyber security of the electric grid. The first task is development of situational awareness strongly implying (and my database also indicates) that situational awareness of the cyber status of the electric grid is still not adequate. Last year’s hacking demonstration where the National Guard was able to compromise a NERC CIP compliant utility in less than 30 minutes reinforces the viability of attacking US electric utilities without being detected. Since the Russians are already in our systems, was the US the ultimate target of the message?
- Remotely opening (or closing) breakers requires knowledge about the breakers. As mentioned, November 2014, DHS informed US electric utilities BlackEnergy was found and Russians had access to some electric utility networks. Consequently, breaker information may already be exfiltrated from US electric substations to Russia or others. Yet January 6, 2016 Kimberly Mielcarek, a spokeswoman for the E-ISAC stated about the Ukrainian hack: "There is no credible evidence that the incident could affect North American grid operations and no plans to modify existing regulations or guidance based on this incident." Where is the uproar from such an egregious misstatement?
- Opening breakers is step one in creating an Aurora event. The second part is simply reclosing the breakers out-of-phase with the grid. If you can remotely open the breaker, you can remotely close it and cause an Aurora event. The Ukrainian outage could have been so much worse if the attackers had chosen to do so. Considering most US utilities have still not installed Aurora hardware mitigation and DHS has declassified Aurora information, it just may be a matter of time before really bad things happen.
The US electric grid and other critical infrastructures are cyber vulnerable. Many nation-states know that and may already have footholds in our critical infrastructure networks (e.g., Russia, China, and possibly even Iran). The NERC CIPs are not designed to provide actual grid cyber security. Moreover, as the NERC CIP process is public, our enemies are aware of the gaping cyber holes in our electric systems. When will the responsible entities wake up or will it be after they can’t turn their lights on?
Joe Weiss