Power grids at risk as Stuxnet successor emerges in Ukraine

12 Jun 2017

Image: hxdyl/Shutterstock

Cybersecurity experts believe an attack on Kiev’s power grid in 2016 is evidence of one of the biggest threats to industrial control systems since Stuxnet.

A brief, one-hour power outage in northern Kiev last December could mark the staging point for one of the most concerning pieces of malware in almost a decade.

Credited with bringing down Ukrenergo, the malware – known to cybersecurity companies ESET and Dragos as Industroyer and Crash Override, respectively – enabled hackers to order industrial computers to shut down.

This, essentially, allowed for remote disabling of energy infrastructure.

Stuxnet, Industroyer, Crash Override

Remote access

Dragos has since claimed that the attack is sophisticated enough to bring down portions of a nation’s energy grid for several days.

But, according to Fortune, this specific piece of malware could not shut down an entire grid – yet. Dragos founder Robert Lee went as far as contacting US authorities and power companies to directly address the potential threat.

The sample of Crash Override that was analysed by Dragos is capable of attacking power operators across Europe, according to Lee.

“With small modifications, it could be leveraged against the United States,” he said.

Global reach

The reference to ‘small modifications’ shows just how broad this malware is – not tailored to the Ukraine grid, rather, it is potentially global.

“The recent attack on the Ukrainian power grid should serve as a wake-up call for all those responsible for the security of critical systems around the world,” said Anton Cherepanov, senior malware researcher at ESET.

ESET claims that the malware is capable of directly controlling electricity substation switches and circuit breakers.

“It uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems and other critical infrastructure,” said the company.

This means that the potential impact ranges from turning off pieces of equipment to more widespread, coordinated failures and damages.

Remembering Stuxnet

“Industroyer’s ability to persist in the system and to directly interfere with the operation of industrial hardware makes it the most dangerous malware threat to industrial control systems since the infamous Stuxnet, which successfully attacked Iran’s nuclear program and was discovered in 2010,” said Cherepanov.

ESET believes that the real danger lies in how the malware is capable of controlling systems directly.

To do so, it uses industrial communication protocols that, unfortunately, are used globally, including in key utility systems such as water or gas.

“The problem is that these protocols were designed decades ago and back then, industrial systems were meant to be isolated from the outside world. Thus, their communication protocols were not designed with security in mind,” according to Eset’s report.

“That means that the attackers didn’t need to be looking for protocol vulnerabilities; all they needed was to teach the malware ‘to speak’ those protocols.”

Gordon Hunt was a journalist with Silicon Republic