At MEI Security we frequently cover the Ukrainian power grid attack in our work with clients. This successful attack clearly demonstrates vulnerabilities in critical infrastructure. Whether it is electrical power, water treatment and delivery or communications including telephones and internet service, reliable functionality of infrastructure is critical to the smooth function of our society. This infrastructure is managed through Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems. The Ukrainian power grid attack took advantage of well-known weaknesses in humans and in ICS & SCADA hardware to succeed. Once in, the attackers planned to disrupt the system and simultaneously increase the difficulty of recovery.
The attack began with spear phishing email campaign to administrators. The malicious traffic exploited a well known feature of Microsoft Word to deliver malware and gain an initial foothold in the target network. With this foothold the attackers pivoted to other systems, spending months exploring the network environment and harvesting credentials undetected. Among these credentials were those used by staff to connect remotely by VPN to the SCADA networks. Once in the SCADA networks, the attackers were able to overwrite control system firmware making recovery much more difficult when the trap was finally sprung. This attack even included a denial of service phase which flooded telephone lines with bogus calls, thus impeding swift, cohesive incident response. Based on the scope and sophistication of the attack, many security professionals suspect the attackers were at least aided by (if not fully supported and directed by) a hostile nation state.
There are lessons to be learned from this and other attacks. As our environments become more and more digital, as our infrastructure controls become more networked, they are simultaneously exposed to additional risk. While private industry is often quick to adjust their budgeting, Federal, State and Municipal organizations often exhibit a more measured approach to change. A recent story in SC Magazine1 highlighting the failure of the US Department of the Interior’s to comply with respected industry standards illustrates the point. Regardless of this example, it is clear that we have a long way to go to achieve a more robust and resilient cyber security posture – especially for our critical infrastructure.