This post was written by Michael J. Assante, SANS ICS/SCADA Lead and Tim Conway SANS Technical Director - ICS/SCADA Programs.
Around this same time last year, as many of us were preparing to enjoy our winter holidays with family and friends, exchanging gifts and eating entirely too much food, the cybersecurity community began learning of possible cyber-attacks against the Ukraine electric distribution system. In the days and weeks following the event, details of the cyber-attacks became known. Numerous technical papers and media articles were written and there was much discussion focused on the lessons that ICS defenders could learn from the events.
Today, only days from the 1-year anniversary of that first confirmed cyber-enabled attack on an electric power system, we are experiencing a bit of deja vu. Recent reports from Ukrainian media have indicated and increasing trend in malicious cyber-activity including distributed denial of service (DDoS) attacks on government websites and payment systems, and new report today of a new possible cyber-attack to the Ukraine electric system. But this time is different - where the previous attacks had impacted only the electric distribution system, this latest attack is reported to have resulted in the de-energizing of a transmission-level substation.
Here is a summary of what has been reported in scattered media reports about the latest events:
- Late in the evening on 17 December 2016 a control system failure or possible cyber security incident resulted in the de-energizing of a transmission-level substation (Severnaya or Novi Petrivtsi). The event resulted in outages to customers in specific districts of Kiev in the north-northwest region (pravoberezhzhya Kyiv and prylehlykh areas of kyiv) of the city (streets called out as Obolon, Minsk array, Bucha, Irpen).
- Ukrenergo has not ruled out that the power outage in Kyiv may have been caused by cyber attackers. In fact, it was suggested as the leading theory as reported by Vsevolod Kovalchuk, the head of the Ukrenergo.
- A report is being prepared by cybersecurity experts that should be released soon (no target time provided).
- The only substation directly involved was reported as the Severnaya [substation name] at Novi Petrivtsi [location of substation] (aka 'North' Substation).
- The outage impacted customers served by the local distribution company and directly by the transmission system on the bank of the Dniper River in Kyiv city and immediate area.
- The outage is reported to have lasted one hour and fifteen minutes. Restoration began 30 minutes from the start of the outage and included removing automatic control (switched equipment into manual mode). Power was fully restored in the early morning of December 18, 2016.
If the outage is confirmed to have been the result of a successful cyber-attack, the differences between this event and the confirmed events of December 2015 are significant. Impacting an electric distribution system is likely to result in loss of power to a limited geographic area. Impacting the electric transmission system has the potential to impact a wider geographic area causing cascading outages with the potential to damage extremely expensive and difficult to replace electric system components. If true, this attack not only represents further ratcheting of escalation in a very troubled part of the world but may also represent a sign of things to come as adversaries pursue ever increasing means and willingness to cause damage using cyber means. We at SANS will continue to monitor the public sources to identify the things that matter most to the ICS community and to identify the lessons that can be applied to the ICS systems you defend. Follow us on Twitter @SANSICS or in the SANS ICS Community Forum.