On December 23, 2015, the Ukrainian Prykarpattya Oblenergo power station was hacked, causing dozens of substations to lose power. During the six hours the power was out, temperatures dropped to freezing, causing water line damage to many homes. Thankfully, engineers in the region were able to take manual control of the power station and restore electricity. The Ukrainian government blamed Russia for the first successful cyber attack on a power grid in human history.
One year later the hackers were back for an even bigger power grid transmission station in Kiev. The virus they planted this time deleted crucial files, crashed the operating system and prevented engineers from rebooting the system. Engineers eventually had to switch to manual control at one of the substations to get the power back on. Wired, reporting on the attack, wrote that they could “have done much more damage than they did if they had decided to physically destroy substation equipment making it harder to restore power….”
And it is not just Russian hackers causing trouble. According to Foreign Policy, the Stuxnet virus that ravaged Iran’s nuclear facility in 2013 was far more dangerous than first admitted. The virus, alleged to be a joint U.S./Israeli project, destroyed about one fifth of Iran’s nuclear centrifuges by causing them to spin out of control. The intended effect was not to destroy the centrifuges but to reduce their lifetime. Only after years of undetected infiltration was the second variation released to attack the centrifuges themselves and self-replicate to all sorts of computers. The first version was only detected with knowledge of the second. Of course, the U.S. and Israel deny being behind the attack.
While we were allegedly probing Iran’s nuclear program, “Chinese” hackers were probing America’s electrical grid, which serves as a reminder of a potential cyber attack that could far surpass the destructive impact of Stuxnet. And this time it probably wouldn’t be unintended!
American software company Symantec reported the hacking group known as “Dragonfly” had successfully gained unprecedented access to electric facilities across Europe and North America. The group, identified as Dragonfly 2.0 in operation since 2011, targeted dozens of ‘unidentified’ energy companies in the spring and summer of this year using malicious emails, watering hole attacks and trojanized software to gain access. The company reported to DHS that some code strings were in Russian and others in French.
So why did the group stop short of causing a power outage? Wired concludes that they may have been seeking the option to cause an electric disruption but waiting for an opportunity that would be most strategically useful—say, if an armed conflict broke out, or potentially to issue a well-timed threat that would deter the US from using its own hacking capabilities against another foreign nation’s critical infrastructure. “If these attacks are from a nation state, one would expect sabotage only in relation to a political event.”
A lack of diligence in preparing America’s critical infrastructure has made its grid especially vulnerable. A recent survey of the computers behind the machinery in utilities such as power plants, water treatment centers and traffic controls uncovered more than 500,000 potential targets.
“Nations have had the capability to make attacks that could have caused loss of life for many years,” Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council, told MIT. Causing an extended power outage doesn’t take much. The main vulnerability is that U.S. utility control systems were never designed to protect against the risks of being connected to the Internet. By taking over the computers and network gear that connect to the controllers of industrial systems, hackers could overload and blow all of the transformers on those systems at the same time.
In 2007 a team at Idaho National Lab demonstrated the physical ramifications of a digital hack by sending a mere 21 lines of code that permanently destroyed a 2.25 megawatt diesel generator. That generator is not all that different from the equipment that sends hundreds of megawatts to consumers. With the right exploit, it is possible that hackers could permanently disable power generation equipment or the massive, difficult-to-replace transformers that serve as the backbone of our power system.
What saved the Ukrainian power grid during the attack was the ability of its engineers to return to manual control. Few power stations in America have that ability, and fewer engineers even know how to operate the manual controls if they exist. The virus used in the Ukraine – BlackEnergy – has already been planted in American infrastructure once before and, truth be told, it or something even worse could already be hiding in the software that operates our power grids.
The economic cost of a hack on our power grid? Lloyd’s of London estimates it at $243 billion. Workplaces would be empty and stores looted. Rioters would fill the streets while hospital patients die as backup generators fail. Water supplies would be impacted due to the loss of power to pumps. Supplies of potable water would become limited across the country. Leaks from both chemical plants and sewage plants would affect millions. In other words – total chaos.
A DOD report released in February summed it up nicely. “The unfortunate reality is that, for at least the coming five to 10 years, the offensive cyber capabilities of our most capable potential adversaries are likely to far exceed the U.S.’s ability to defend and adequately strengthen the resilience of its critical infrastructures.”
Don’t you just love computers?