Analysis of the Cyber Attack on the Ukrainian Power Grid - Defense Use Case

On December 23, 2015, the Ukrainian Kyivoblenergo, a regional electricity distribution company, reported service outages to customers. The outages were due to a third party’s illegal entry into the company’s computer and SCADA systems: Starting at approximately 3:35 p.m. local time, seven 110 kV and 23 35 kV substations were disconnected for three hours. (...) were attacked, resulting in several outages that caused approximately 225,000 customers to lose power across various areas.

Source: sans.org

The cyber attacks in Ukraine are the first publicly acknowledged incidents to result in power outages.

These incidents should be rated on a macro scale as low in terms of power system impacts as the outage affected a very small number of overall power consumers in Ukraine and the duration was limited. In contrast, it is likely that the impacted companies rate these incidents as high or critical to the reliability of their systems and business operations. 

However, the strongest capability of the attackers was not in their choice of tools or in their expertise, but in their capability to perform long-term reconnaissance operations required to learn the environment and execute a highly synchronized, multistage, multisite attack.

The outages were caused by the use of the control systems and their software through direct interaction by the adversary.

Implications for Defenders 

The cyber operation was highly synchronized and the adversary was willing to maliciously operate a SCADA system to cause power outages, followed by destructive attacks to disable SCADA and communications to the field. The destructive element is the first time the world has seen this type of attack against OT systems in a nation’s critical infrastructure. This is an escalation from past destructive attacks that impacted general-purpose computers and servers (e.g., Saudi Aramco, RasGas, Sands Casino, and Sony Pictures). Several lines were crossed in the conduct of these attacks as the targets can be described as solely civilian infrastructure. Historic attacks, such as Stuxnet, which included destruction of equipment in the OT environment, could be argued as being surgically targeted against a military target.

The attacks highlight the need to develop active cyber defenses, capable and well-exercised incident response plans, and resilient operations plans to survive a sophisticated attack and restore the system.

Nothing about the attack in Ukraine was inherently specific to Ukrainian infrastructure. 

Information sharing is key in the identification of a coordinated attack and directing appropriate response actions.
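As an added illustration of that last point (example code written for this page, not from the SANS/E-ISAC report or any utility's tooling): a single substation tripping looks like an ordinary fault, while several distinct substations tripping within minutes of each other is the signature of the synchronized, multisite operation described above. The detector below assumes substations forward their events to one shared monitoring point in a simple constructed line format (`<ISO timestamp> <substation> <event>`); the site names, event names and timestamps in the sample feed are made up for the example.

```python
"""Flag synchronized multisite breaker-open events as a coordinated-attack signal.

Added example, not from the SANS/E-ISAC report. The log format, site names,
event names and timestamps below are constructed for illustration only.
"""
from datetime import datetime, timedelta

# Constructed sample feed, as if substations shared events with a central
# monitoring point. One isolated trip at midday, then four sites within minutes.
SAMPLE_LOG = """\
2015-12-23T12:02:00 SS-A BREAKER_OPEN
2015-12-23T15:35:00 SS-A BREAKER_OPEN
2015-12-23T15:36:00 SS-B OPERATOR_LOGIN
2015-12-23T15:36:10 SS-B BREAKER_OPEN
2015-12-23T15:37:45 SS-C BREAKER_OPEN
2015-12-23T15:38:20 SS-D BREAKER_OPEN
2015-12-23T15:40:00 SS-A BREAKER_OPEN
"""


def parse_log(text):
    """Return (timestamp, substation, event) tuples sorted by time.

    Malformed lines (wrong field count, unparseable timestamp) are skipped
    rather than aborting the run, so one bad feed cannot blind the detector.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2]))
    events.sort(key=lambda e: e[0])
    return events


def find_coordinated_trips(events, window=timedelta(minutes=10), min_sites=3,
                           trip_event="BREAKER_OPEN"):
    """Return alerts (window_start, frozenset_of_sites) where at least
    `min_sites` distinct substations reported `trip_event` within `window`.

    Only distinct sites count, so one substation tripping repeatedly (a
    flapping breaker) never raises the count. Later windows whose site set
    is already covered by an earlier alert are suppressed to avoid one event
    storm producing one alert per event.
    """
    trips = [(ts, site) for ts, site, ev in events if ev == trip_event]
    alerts = []
    for i, (start, _) in enumerate(trips):
        sites = set()
        for ts, site in trips[i:]:
            if ts - start > window:
                break
            sites.add(site)
        if len(sites) < min_sites:
            continue
        if any(sites <= prev for _, prev in alerts):
            continue
        alerts.append((start, frozenset(sites)))
    return alerts


if __name__ == "__main__":
    for start, sites in find_coordinated_trips(parse_log(SAMPLE_LOG)):
        print(f"{start.isoformat()}: {len(sites)} substations tripped "
              f"within the window: {sorted(sites)}")
```

Run as-is it reports one alert starting at the 15:35 trip covering SS-A through SS-D; the 12:02 trip and the repeated SS-A trip raise nothing. The window and site threshold are assumptions to be tuned against a utility's normal fault rate, and the check only works at all if sites actually share their events with a common point, which is the information-sharing requirement the text makes.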