On Dec. 23, a blackout hit the western part of Ukraine, affecting a region served by three power-generation centers. As the two power companies affected by the outage recovered, their support centers were inundated with fake phone calls, blocking legitimate customers from reaching the companies' staff. Within hours, officials for the power companies concluded that a coordinated attack on their information systems, including malware that deleted infected systems, was responsible for the outages.
Industrial control system (ICS) security experts have since confirmed many of the details of the attack. While the companies recovered within hours, the impact of the attack will take far longer to become apparent, Robert M. Lee, a SANS-certified instructor and ICS security expert, told eWEEK.
For more than a decade, security researchers have warned manufacturers and power companies that their networks are vulnerable. Yet demonstrations tend to have a much greater impact and could convince other cyber-attackers to focus on power companies, he said.
"The big lesson here is that someone crossed the threshold of having an actual cyber-attack—not just an intrusion, or malware on the network—but that someone actually brought down a power system through cyber means," said Lee, a former cyber-warfare operations officer for the U.S. Air Force. "That is an historic event, it has never occurred before, and there needs to be an international response by political leaders to talk about this because it sets a precedent going forward."
While security professionals have often warned about the vulnerability of critical infrastructure, attacks continue to be relatively rare. While a variety of cyber-focused actors have begun targeting ICS environments, the lion's share do not get past the front door. In its summary of incident response statistics, the ICS Cybersecurity Emergency Response Team (ICS-CERT) found that 69 percent of attacks in 2015 did not successfully gain access to any system within a critical-infrastructure organization. However, attackers are becoming more successful: 12 percent of attacks compromised control systems in 2015, compared with 9 percent in 2014.
"We've all known for years now the critical infrastructure has been vulnerable, but what has really made this an issue is the convergence of information networks connected to the Internet and the operational ICS networks," Ed Cabrera, vice president of cyber-security strategy at Trend Micro, told eWEEK. "Companies want remote support and they want real-time metrics for billing, for example, but that accessibility exposes the networks to attack."
While Ukrainian officials have blamed Russia for the attack—a likely scenario—there is no solid evidence of such a connection, according to the SANS Institute's Lee. In addition, while the attacker used a common malware program known as BlackEnergy, along with a component that wiped the hard drives of infected systems, that capability is unlikely to have caused the outage, he said.
Yet critical-infrastructure firms and political leaders should take some powerful lessons away from the incident.
1. Critical infrastructure will be a target
Attacks on critical infrastructure have generally fallen into three categories. Security researchers have demonstrated significant vulnerabilities in the technologies and systems on which critical infrastructure firms rely. Malware infections have disrupted the information networks and systems at critical-infrastructure firms. And a very small number of nation-state attacks, such as Stuxnet, have led to actual physical damage.
Most attacks fail to gain access to critical systems, but more than half of critical infrastructure firms surveyed by Trend Micro saw an increase in attacks against their systems in 2015. Only 7 percent saw a decline.