Defending Power Grids from Cyber Attack – Learning from the Ukraine Attack

March 2, 2021 by Leslie Provenzano

How can Live-Virtual-Constructive (LVC) simulations be used to assess resilience in the context of a high profile cyber attack? Taking a close look at one of the most important cyber attacks of the past decade offers unique insight concerning the ways that training, mitigation, and prevention can be boosted by employing the right analysis platform.

Power Grid Panic

In December of 2015, the world witnessed a troubling first: a power grid outage caused by a cyberattack. The region was western Ukraine, where malicious actors took around 30 substations and two power distribution centers offline. The backup power equipment at those distribution centers was also disabled, further obstructing attempts to restore service. Over 230,000 residents were without electricity for up to six hours, and things could have been much worse. Many of the control centers were not back to full functionality even months after the attack.

The first-of-its-kind power grid attack was sophisticated and synchronized. Multiple facilities and companies were hacked in several different ways, requiring coordinated logistics, planning, and operations. Phishing emails facilitated initial access; the hackers then spent months exploring and mapping the networks, looking for a vulnerability that would provide access to the supervisory control and data acquisition (SCADA) architecture that controls the power grid. Using the personal credentials of employees, the attackers connected over a virtual private network (VPN) and compromised some of the Human Machine Interfaces (HMIs) on the systems. The HMIs that connect to electricity substations allowed the hackers to manipulate circuit breakers remotely, wreaking havoc for power station workers and everyone else on the grid. Different types of persistent, adaptive cyber attacks were combined with the exploitation of human workers to create an attack that was as organized as it was impressive in its destructive potential.

The ramifications of the Ukraine attack are significant. If one of the world’s major power supplies could be infiltrated, what about others? Could similar methods be employed to launch attacks on American power operators? The US power distribution grid uses the same type of serial-to-Ethernet converters as the ones compromised in the Ukraine attack. In fact, a comparable attack on certain American power grid control systems could have considerably worse results, as many lack manual backup functionality. As advanced and secure as the Ukraine system seemed to be, it still fell victim to a serious cyber attack. Some American power generation and distribution centers still lack the necessary protocols and systems. They must stay diligent about upgrading and optimizing their systems with the latest technological advancements to stay ahead of these attacks.

Concerns about the threat of cyberattacks on the industrial control systems found in electrical grids are very real. An Associated Press investigation revealed that, over a period of ten years, hackers were able to access US power plant networks around 12 times. In the year of the Ukraine attack, industrial control systems in the US were compromised at least 35 times, many of which were in the energy sector – which is attacked between 40 and 80 times each year in the United States.

A Model For Success

What are the lessons of the Ukraine attack, and what can be done? For power providers, total prevention isn’t realistic. Instead, they should expect attacks, aim to detect them quickly, and be as prepared as possible to respond. Being equipped with the best possible tools plays a major role in cybersecurity, and that’s where SCALABLE Network Technologies comes in.
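As an added illustration of the "detect quickly" point, here is a small detector written for this article (it is not SCALABLE's or EXata's code) that runs over constructed HMI audit records and flags a single remotely authenticated account opening breakers at several substations within a few minutes, the pattern described in the attack narrative above. The record format, field names, window and threshold are assumptions, not taken from any real grid operator's logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from any real incident). Each line is
# "timestamp,user,source,substation,command". Source "vpn" marks a remote
# session; "console" marks an operator at the control-centre HMI itself.
SAMPLE_EVENTS = """\
2015-12-23T15:31:02,op_a,console,SS-07,breaker_open
2015-12-23T15:33:10,op_b,vpn,SS-01,breaker_open
2015-12-23T15:33:41,op_b,vpn,SS-02,breaker_open
2015-12-23T15:34:05,op_b,vpn,SS-03,breaker_open
2015-12-23T15:34:50,op_b,vpn,SS-04,breaker_open
2015-12-23T15:52:00,op_c,vpn,SS-09,status_read
"""

def parse_events(text):
    """Parse the assumed CSV-style audit format into dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, source, substation, command = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "source": source, "substation": substation,
                       "command": command})
    return sorted(events, key=lambda e: e["ts"])

def detect_breaker_fanout(events, window=timedelta(minutes=10), min_substations=3):
    """Alert when one VPN-authenticated user issues breaker_open to at least
    `min_substations` distinct substations inside `window`. A local operator
    normally works one substation at a time; rapid fan-out from a remote
    session is the behaviour worth paging someone about."""
    per_user = defaultdict(list)
    for e in events:
        if e["source"] == "vpn" and e["command"] == "breaker_open":
            per_user[e["user"]].append(e)
    alerts = []
    for user, cmds in per_user.items():
        for i, first in enumerate(cmds):
            in_window = [c for c in cmds[i:] if c["ts"] - first["ts"] <= window]
            subs = sorted({c["substation"] for c in in_window})
            if len(subs) >= min_substations:
                alerts.append({"user": user, "start": first["ts"], "substations": subs})
                break  # one alert per user is enough for triage
    return alerts

def run_sample():
    """Run the detector over the constructed records; returns the alert list."""
    return detect_breaker_fanout(parse_events(SAMPLE_EVENTS))
```

On the sample data only op_b is flagged: four substations from one remote session in under two minutes, while the console operator and the read-only VPN session are left alone.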

Our EXata communications simulation platform can measure and assess the potential impact of different cyber attacks in a way that acutely identifies any and all weaknesses across network components. By providing comprehensive network, defense, and operating behavior modeling, EXata can provide real-time graphical views of traffic flows and device states. This level of visualization, data, and insight is key for developing an effective cyber defense and training staff for worst case scenarios.

So, how would SCALABLE have been able to assess the Ukraine breach? Every aspect of the attack can be modeled and prepared for using our network digital twin cyber resilience tools. From spear phishing to encrypted tunnels to KillDisk ransomware, EXata could have simulated the attack in advance to better evaluate a system and prepare it for such a scenario. With EXata, operators could have tested different mitigation and response strategies to better understand their weaknesses, recognize breaches more quickly, and counter them more effectively.

For a deep dive into how SCALABLE’s cyber range could have better equipped an organization for the Ukraine attack, read all about the power grid attack and EXata’s preparatory capabilities in our new white paper – Ukraine Power Grid Attack: A Case Study on the Use of Network Digital Twins for Assessing Cyber Resilience. The report details the specific steps taken by the attackers and analyzes each aspect in relation to simulation modeling, describing the operational usefulness of digital twin technology in the context of a pertinent real-world event. It’s a must-read for anyone who needs to ensure the protection of critical operations and business services from all angles.

Download the full white paper here.