SANS Industrial Control Systems Security Blog

E-ISAC and SANS Report On The Ukrainian Grid Attack

SANS ICSYesterday the SANS ICS team released its Defense Use Case (DUC) #5 analyzing the cyber-attack that impacted Ukraine on December 23, 2015. The paper is written from the perspective of what lessons that can be learned from the event.

The unprecedented cyber induced power disruption provides an opportunity for US electric grid asset owners and operators to consider mitigation measures that might have minimized/prevented the attack or at least provided an earlier alert that something bad was developing. It walks through the stages of attack mapping them to the ICS Cyber Kill Chain and details how the attackers were able to achieve the high-confidence attack. To some this may seem like old news as many reports began to surface within days of the event, but many of those included wild and erroneous speculation about what might have occurred. This report focuses only on the known facts without commentary or attempts at attribution and is a must-read for anyone charged with protecting the North American grid.

I've previously written about the vulnerabilities of the grid and the need for continued government and private sector cooperation and the US efforts following the Ukrainian event show that is actually happening. One thing is for certain - by understanding what happened there we can help prevent a similar occurrence here at home.


Ted GutierrezBio: Ted Gutierrez, CISSP, GICSP, and GCIH, is the ICS & NERC CIP Product Manager at the SANS Institute and co-author of SANS ICS456 - Essentials for NERC CIP. Ted was most recently the Director of Operations Technology & NERC Compliance at Northern Indiana Public Service Company (NIPSCO) where he was responsible for compliance to NERC 693 and CIP standards and the support of the related operations technology systems. He has over twenty-five years of experience working in the electric utility, information technology, and manufacturing industries.