The blackout…revisited

This year has started with some frights for all of us who have responsibilities in secure operations in electric power grids. There is, on one hand, the Israel Electric Authority event. On January 27th we find headlines like these, from Fox News:

img5

Apparently the day came when someone had activated, at last, the Doomsday button and sent Israel, or was close to, to the middle ages. However, reality ended up being more prosaic and Apocalypse prophets had to sheathe again their keyboards once it was confirmed that, in the end, it was a case of ransomware in equipment belonging to a typical IT network, infected by the not-so-elegant phishing technique. Furthermore, as I am reading, the partial loss of electric supply on some clients could be attributed to the deliberate decision of personnel in charge of the grid operations who would have preferred to disconnect some load, instead of facing a complete network collapse. Moreover, it has been stated that operators reacted that way under the conviction they were under attack in a moment when the demand was growing at a high rate because of the low temperatures.

img2

How much truth there is in all of this? On one side, I acknowledge that the world is awaiting with real anxiety the moment when a cyberattack really provokes the collapse of a national electric grid. This anxiety is so strong, that the combination of the words Israel + Electric + Authority + Hacked unleashed a waterfall of headlines even before it was checked that, in ground truth, no one in the country had lost the electric supply. This is a variation of an old issue that makes so much damage to us, who make a living out of security, and who already denounced the Turkey case (see the articles ‘The blackout (I) and (II)’ in this blog), with the only difference being that in that precedent the only confirmed was the shutdown of a good part of the electric transport network.

img3On the other side, I can confirm that, again, there is scarce knowledge about the different ways an attack can be performed with the meaning of set back to an almost preindustrial state an entire nation. An here is when the next piece of news from this year’s beginning comes, transporting us this time to another conflict scenario: Ukraine.

By now, we all know that on December 23th of 2015 several regions of Ukraine were affected by a loss of power supply that lasted a couple of hours (It is hard to know how many people was affected. Estimations count them from dozens to hundreds of thousands). And we also know that, for the very first time, it has been confirmed that the root cause of all this was a proper cyberattack against the operational systems of distribution network.

img4

Indeed. This appears to be the apocalyptic scenario [Irony mode: ON] we were all waiting for: A sophisticated attack specifically directed to leave without power supply a portion of the population using an advance knowledge of the industrial processes and the associated control and supervision systems. And this is partially true. A lot of bandages have fallen in the electric sector on sight of the proof that something like this is technically possible. However, there is some shades to draw on this issue.

In the first place, the chosen mechanism was to switch, directly, the switches from the distribution lines that supplied energy to affected population. This is the equivalent to turn off the light switch from one of the rooms at home. And, likewise, this action leaves the lounge in a complete blackout, but this does not prevents me from using the other rooms. This is, it is an attack with limited reach. This relativization makes sense in the war context Ukraine is living in as, in any case, the damage done to the public image of companies is something we should not underestimate (just imagine if this happened in our country). Not to mention the self esteem of the service technical responsibles. On the other side, the attack seems quite elaborated as it includes spear phishing phases, reconnaissance with a trojan, probably BlackEnergy 2 (which would open backdoors in business systems), followed by an infiltration through a variation of the former, BlackEnergy 3, and at last the path search up to the operator stations.

Secondly, this mechanism, although limited, is the easiest possible and illustrates a fundamental principle when evaluating industrial cybersecurity: In most cases, the same systems and the way they operate and are maintained provide the tools that can be used to cause a disruption in the processes. This is something that we found again and again in the industrial systems evaluations we usually perform. This time, the attackers just opened the switchers using the system interfaces, as any operator would do. This phase ended up with a denial of service in order to avoid the operator awareness of the situation and an equivalent campaign against the phone switchboard of the fault notification service in order to prolong as much as possible the power outage.

In third place, the worst is yet to come. The awaited (almost craved, I would say, headlines in sight) Doomsday will come when someone achieves a disconnection waterfall of the lines and/or generators at the highest level of the power grid. Lets recall what we said in May in the wake of Turkish “incident”:

Attacking a national power grid in order to provoke a zero voltage is not trivial, notwithstanding that in the collective imagination of the XXI century those systems are the key infrastructure by excellence and apparently it constitutes the first objective for any kind of terrorist. We could think about two approximations. The first (…) consists of disconnect one by one all the infrastructure that supply all the clients: Either we open all switches in all transport lines, or we shutdown all the equipment on power generation plants, or disconnect them from the grid opening all the switches at the evacuation line, or we open all head switches of distribution lines. This implies a totally absolute infiltration level in the national electric systems and would require, in addition, a high capacity of command and control in order to coordinate all the actuations simultaneously (Indeed, it is not necessary a 100% infiltration, as eventually an imbalance will be induced in the system that will trigger a domino effect that will facilitate the work). But in this universe the resources are always scarce and this approximation does require an enormous effort. We have available, however, another way. Now that we know how electric systems work, seems obvious that a much more adequate path goes through provoking incidences in wisely chosen points that with the minimum effort trigger an imbalance that ends up in a domino effect.”

As we can see, the Ukraine case can be matched with the first scenario, but the one we must fear is the second one. Without letting drag ourselves by alarmism, it is conceivable that Ukraine’s “proof of concept” (with apologies to those affected) can prepare us for the worst. Meanwhile, its better not talking in excess. Examples as the Israel news case do not help at all to create the necessary awareness level in those responsible for this infrastructures.

(Translated from Spanish by Víctor Fernández Escorihuela)

See also in: