By Rich Heidorn Jr.
Sometime last spring, employees of three Ukrainian electric distribution companies opened Microsoft Office files infected with BlackEnergy 3 malware. It was the beginning of a six-month campaign of reconnaissance and testing that culminated Dec. 23 with an outage that knocked out power to 225,000 customers for several hours.

The Security Service of Ukraine blamed the attack on the Russian government. But a report on the attack, produced by NERC’s E-ISAC and the SANS Institute, focused on the methods of the attack rather than on identifying the attackers.
Based on a summary of publicly available information and analysis performed by the SANS Industrial Control Systems unit, the report contains recommendations for defending grid operations.
The report’s authors also express grudging respect for the expertise of the hackers. “The strongest capability of the attackers was not in their choice of tools or in their expertise, but in their capability to perform long‐term reconnaissance operations required to learn the environment and execute a highly synchronized, multistage, multisite attack,” the report said.
Spear Phishing
The report estimates that the blackouts came more than six months after the initial penetration of the companies, when employees in the administrative or information technology networks of the electric companies opened Microsoft Excel and Word documents from spear phishing emails.

After gaining a foothold in the companies’ IT networks, the hackers were able to obtain credentials that gave them access through virtual private networks (VPNs) to the industrial control systems (ICSs). The report said the hackers demonstrated expertise in network-connected infrastructure and in operating the ICSs.
They used “rogue” client software and a “phantom” mouse to hijack the supervisory control and data acquisition (SCADA) systems remotely, taking control of operator workstations and locking the operators out of their systems.
Kyivoblenergo, a regional electricity distributor in Ukraine, was one of the three “oblenergos” (energy companies) attacked. Beginning about 3:35 p.m. on Dec. 23, the hackers took remote control of the company’s SCADA distribution management system, disconnecting seven of its 110-kV substations and 23 35-kV substations for three hours and cutting off power to about 80,000 customers.
Similar attacks on the other two companies, executed within minutes of each other, blacked out an additional 145,000 customers.
Burning the Bridges
KillDisk software was used to erase the master boot record of the companies’ systems and delete some logs, preventing the companies from using the ICSs to restore the system. The attackers also uploaded malicious firmware to serial‐to‐Ethernet gateway devices, ensuring that even if the operator workstations were recovered, remote commands could not be used to bring the substations back online.
“This means that the attacker ‘burned the bridges’ behind them by destroying equipment and wiping devices to prevent automated recovery of the system,” the report said.
The attackers also generated thousands of automated phone calls to the call center of one of the companies — a version of a denial-of-service attack — to hamper communications with customers.
With their computer systems compromised, field staff went to substations and manually reclosed breakers, restoring all of the customers to service in three to six hours.
“It is important to note that there are risks operating your system without the benefit of an automated dispatch control center, and utilities that are more reliant on automation may not be able to restore large portions of their system this way,” said Michael Assante, SANS Institute director of ICSs and one of the report’s authors, in a January blog post. “In many ways, the Ukrainian operators should be commended for their diligence and restoration efforts.”
Missed Opportunities
While the report’s authors found the companies’ restoration admirable, they had plenty to criticize, saying the utilities missed opportunities to detect the intrusion during the months of reconnaissance and testing that preceded the attack.
According to the report, the companies’ firewalls allowed the adversaries to exercise remote control, and the VPNs from their business networks into the ICSs appeared to lack basic two‐factor authentication; think cash machines, which require both a bank card and a personal identification number.
The companies also appeared to lack the capability to continually monitor their ICS networks for increased traffic that could indicate rogue firmware updates, the report said. “In a prolonged attack campaign, there are likely numerous opportunities to detect and defend the targeted system.”
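The two monitoring gaps the report names, VPN paths from the business network into the ICS that were not protected by a second factor, and the absence of a traffic baseline for ICS devices that would expose an unexpected firmware push to a serial‐to‐Ethernet gateway, can both be turned into routine checks over the logs a utility already collects. The Python example below is added here to illustrate that; it is not code from the report, from SANS, or from any of the utilities. The zone names, host names, session records and per-day byte counts are constructed for the example, and the z-score threshold is an assumed tuning value.

```python
"""Two defender-side checks modelled on the report's 'missed opportunities'.

1. VPN sessions that reached the ICS zone without a second authentication factor.
2. A day on which the volume of traffic sent to a serial-to-Ethernet gateway is far
   above that gateway's recent baseline, which is the footprint a firmware upload
   would leave in flow records.

All data below is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class VpnSession:
    user: str
    src_zone: str     # network zone the session originated from
    dst_zone: str     # zone the session was granted access to
    mfa_used: bool    # whether a second factor was presented


@dataclass(frozen=True)
class FlowRecord:
    day: int          # observation day (1-based)
    dst_host: str     # destination device, e.g. a serial-to-Ethernet gateway
    bytes_out: int    # bytes sent toward that device during the day


@dataclass(frozen=True)
class SpikeAlert:
    host: str
    day: int
    bytes_out: int
    baseline_mean: float
    z_score: float


# Constructed VPN authentication log (hypothetical users and zones).
VPN_SESSIONS = [
    VpnSession("operator1", "business", "ics", mfa_used=True),
    VpnSession("svc-backup", "business", "ics", mfa_used=False),
    VpnSession("admin2", "business", "business", mfa_used=False),
    VpnSession("contractor", "remote", "ics", mfa_used=False),
]

# Constructed daily byte totals toward two hypothetical gateways.
# gw-sub-01 sees a normal week, then a day with ~200x its usual volume.
GATEWAY_HOSTS = {"gw-sub-01", "gw-sub-02"}
FLOWS = [FlowRecord(d, "gw-sub-01", b) for d, b in enumerate(
    [12000, 11800, 12500, 12100, 11900, 12300, 12200, 2_400_000], start=1)]
FLOWS += [FlowRecord(d, "gw-sub-02", b) for d, b in enumerate(
    [30000, 31000, 29500, 30500, 30200, 29800, 30100, 30300], start=1)]


def vpn_sessions_without_mfa(sessions, protected_zone="ics"):
    """Return sessions that reached the protected zone with only one factor."""
    return [s for s in sessions if s.dst_zone == protected_zone and not s.mfa_used]


def gateway_traffic_spikes(flows, gateway_hosts, z_threshold=3.0, min_history=3):
    """Flag any day whose byte total to a gateway is z_threshold standard
    deviations above the mean of that gateway's earlier days.

    min_history days are required before a baseline is trusted; a zero-variance
    baseline treats any increase as a spike.
    """
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.dst_host in gateway_hosts:
            totals[f.dst_host][f.day] += f.bytes_out

    alerts = []
    for host, per_day in totals.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue
            baseline, spread = mean(history), pstdev(history)
            today = per_day[day]
            if spread == 0:
                z = float("inf") if today > baseline else 0.0
            else:
                z = (today - baseline) / spread
            if z > z_threshold:
                alerts.append(SpikeAlert(host, day, today, baseline, z))
    return alerts


if __name__ == "__main__":
    for s in vpn_sessions_without_mfa(VPN_SESSIONS):
        print(f"VPN into ICS without MFA: user={s.user} from={s.src_zone}")
    for a in gateway_traffic_spikes(FLOWS, GATEWAY_HOSTS):
        print(f"Traffic spike: {a.host} day {a.day}: {a.bytes_out} bytes "
              f"(baseline {a.baseline_mean:.0f}, z={a.z_score:.1f})")
```

The baseline check deliberately looks at volume rather than content: a gateway that normally exchanges a few kilobytes of serial traffic a day and suddenly receives megabytes is worth a call to the field crew whether or not the payload can be decoded, and a per-device baseline is cheap to keep once flow records are exported from the ICS network boundary.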
Why the three oblenergos were targeted is unclear, but John Hultquist, director of cyberespionage analysis for computer security firm iSight Partners, said he believes the attacks were the work of hackers aligned with the Russian government. He told The Washington Post that there are links between the malware used in the attacks and a cyberespionage campaign against NATO and Western European governments by a group of Russian hackers iSight named “SandWorm.”
iSight said it has documented SandWorm infiltrations of Ukrainian government computer systems and telecommunications and energy companies since 2014, when Russia annexed Crimea in support of separatists in eastern Ukraine.
Recommendations

Some analysts were initially skeptical of the Ukrainian government’s claims that the outages were the result of cyberattacks. “ICS organizations frequently have reliability issues and incorrectly blame cyber mechanisms such as malware found on the network that is unrelated to the outage,” the report said.
In this case, however, the report’s authors had no doubt about the credibility of the government’s and utilities’ claims. The report also rated the available technical information a 4 on a scale of 5, citing the availability of malware samples, observable ICS impacts, technical indicators and firsthand interviews.
The attack marks “the first time the world has seen this type of attack against [operational technology] systems in a nation’s critical infrastructure,” the report said. “This is an escalation from past destructive attacks that impacted general‐purpose computers and servers (e.g., Saudi Aramco, RasGas, Sands Casino and Sony Pictures).”
The report said there was nothing about Ukraine’s infrastructure that made it uniquely vulnerable.
“The impact of a similar attack may be different in other nations, but the attack methodology, tactics, techniques and procedures observed are employable in infrastructures around the world.”
