In December of 2015, 230,000 people in Western Ukraine lost power after 30 substations were mysteriously shut off. Contrary to what most people assumed at the time, this wasn’t an innocuous power outage. The authorities would later admit that the loss of power was caused by a cyber attack, which marked the first time that malware was successfully used to attack a power grid. A similar, albeit more sophisticated, cyber attack occurred one year later just outside of Kiev. Given the current tensions between Russia and Ukraine, it’s widely believed that the Russian government was responsible for these incidents.
However, there’s more to this story than meets the eye. A computer security company has been investigating these attacks, and has discovered the malware that was used to take down the grid. They’ve found that it’s far more dangerous and easier to use than anyone realized before.
The danger of the malware is that it can automatically trip the breakers within a power system that keep the electrical lines from being overloaded. If one breaker is tripped, the load is shifted to another portion of the power grid. If enough are tripped, in the right places, it’s possible to create a cascading effect that will eventually overload the entire system, said Weatherford, who was formerly the chief security officer at the North American Electric Reliability Corporation, the regulatory authority for North American utilities.
“In some cases, it could then take days to restart all the plants,” he said.
Two things stand out about the malware, dubbed “Industroyer” by the researchers — it’s an order of magnitude easier to use than previous programs and it wasn’t actually deployed to do any real damage, meaning whoever’s behind the December attack might simply have been testing the waters.
In other words, this malware can induce what’s often referred to as a cascading failure. This is what caused the massive blackout that occurred in the Northeastern US and Canada back in 2003. An overgrown tree branch in Ohio touched a power line, which caused that section of the grid to overload and shut down. The electricity had to be transferred to other power lines, which in turn also became overloaded. This chain reaction continued until 55 million people were without power.
Cascading failure is the perfect example of just how fragile our power grid can be.
Because our grid is so interconnected, something really small can have a huge effect on the wider system. Though the power grid in the US isn’t as vulnerable to humble tree branches as it used to be, it’s still quite vulnerable to the type of malware that was used to shut down parts of the grid in Ukraine.
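The cascading mechanism described above (a tripped breaker shifts its load onto neighbouring lines, which then overload and trip in turn) can be made concrete with a small simulation. The following is an added illustration, not code from the article or from any of the researchers it quotes: the four-line ring, its capacities and loads are constructed toy values, and the equal-split redistribution rule is a simplifying assumption, not how a real grid dispatches power. It shows why a single trip is harmless when lines have headroom and catastrophic when they are already running near capacity.

```python
"""Toy cascading-failure model (constructed for illustration, not a real grid)."""
from collections import deque
from copy import deepcopy


def build_ring(load_per_line: float, capacity: float = 100.0) -> dict:
    """Four transmission lines in a ring; each line is backed up by its two neighbours.

    Assumed topology and numbers: constructed for the example.
    """
    neighbours = {"A": ["B", "D"], "B": ["A", "C"], "C": ["B", "D"], "D": ["A", "C"]}
    return {
        name: {"load": load_per_line, "capacity": capacity,
               "neighbours": nbrs, "tripped": False}
        for name, nbrs in neighbours.items()
    }


def cascade(grid: dict, initial_trips: list) -> list:
    """Trip the given lines, shift their load onto live neighbours, and keep going
    until no further line exceeds its breaker setting.

    Returns the lines that ended up tripped, in the order they went down.
    Redistribution rule (assumption): a tripped line's load is split equally among
    its neighbours that are still live; if none are live, that load is simply shed.
    """
    grid = deepcopy(grid)  # do not mutate the caller's model
    queue = deque(initial_trips)
    for name in initial_trips:
        grid[name]["tripped"] = True
    order = []
    while queue:
        name = queue.popleft()
        order.append(name)
        line = grid[name]
        live = [n for n in line["neighbours"] if not grid[n]["tripped"]]
        if live:
            share = line["load"] / len(live)
            for n in live:
                grid[n]["load"] += share
                # Breaker protection: a line above capacity trips and joins the cascade.
                if grid[n]["load"] > grid[n]["capacity"] and not grid[n]["tripped"]:
                    grid[n]["tripped"] = True
                    queue.append(n)
        line["load"] = 0.0  # the tripped line carries nothing once it is open
    return order


def blackout_fraction(grid: dict, initial_trips: list) -> float:
    """Share of the ring's lines that are down after the cascade settles."""
    return len(cascade(grid, initial_trips)) / len(grid)


if __name__ == "__main__":
    # Lightly loaded ring: losing line A is absorbed by its neighbours.
    print("light load:", cascade(build_ring(40.0), ["A"]))
    # Heavily loaded ring: the same single trip takes down every line.
    print("heavy load:", cascade(build_ring(85.0), ["A"]))
    print("blackout fraction (heavy):", blackout_fraction(build_ring(85.0), ["A"]))
```

Running it shows the same single event, one breaker opening on line A, leaving the ring at 40 MW per line almost untouched while the ring at 85 MW per line collapses entirely. That headroom is exactly what an attacker who can trip several breakers "in the right places" removes, and why operators plan for contingencies (losing any one element) rather than for nominal load alone.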
Industrial control networks of the type used in power systems use communications protocols that are much less secure than the kinds of computer networks used by banks, retailers and businesses.
“They were developed years ago, without security in mind. They weren’t designed for smart grids or interconnectedness,” said Robert Lipovsky, a senior malware researcher with ESET…
…Industroyer’s ease-of-use is so disturbing because industrial systems are still playing security catch-up, said Raheem Beyah at the Georgia Institute of Technology in Atlanta.
“I knew we were going in this direction but I didn’t think it would be this soon,” said Beyah, who teaches a course on infrastructure hacking and protection for graduate computer science students.
Beyah says the software needed to take down an electrical grid no longer requires the resources of a nation to create. Adding a module to the malware is now “something that a strong computer science graduate student could do,” he said.
This “Industroyer” malware represents a new threat that people need to accept and prepare for. The power grid, which is the linchpin of our standard of living, is now vulnerable to software that is relatively easy to use. Though it seems likely that the Russian government was responsible for developing it, it could have just as easily been made and deployed by non-state actors on a shoestring budget.
This is a dangerous new reality that we live in. Now, someone with a modest education and a small budget can inflict billions of dollars in damages, and leave us all in the dark. Obviously, that makes widespread blackouts far more likely in the future.
And that potential is probably just the tip of the iceberg. It’s very possible that multiple cyber-attacks could keep us in the dark for weeks rather than just days. That would be more than long enough to cause society to disintegrate.