Electricity infrastructure worldwide is increasingly becoming a target for cyberattacks that utilise various sophisticated techniques to bypass defences, ESET’s research reveals.
On 23 December 2015, around half of the homes in the Ivano-Frankivsk region in Ukraine (population around 1.4 million) were left without electricity for a few hours. The Ukrainian news media reported the cause of the power outage was a “hacker attack” utilizing a “virus”.
ESET, a global leader in cybersecurity, looked into the “hack” and found that the reported case was not an isolated incident: other energy companies in Ukraine were targeted at the same time. The attackers used malware known as BlackEnergy to plant a KillDisk component on the targeted computers, which rendered them unbootable.
The attack scenario was simple: the target received a spear-phishing email carrying a malicious document as an attachment. The document itself contained text persuading the victim to enable the macro embedded in it, so the initial compromise relied on social engineering rather than on exploiting a software vulnerability. Victims who were tricked ended up infected with BlackEnergy, which then installed further malicious components onto the compromised systems.
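The initial vector described above is a macro-bearing attachment delivered by email, and the cheapest place to break that chain is at the mail gateway, before anyone can be persuaded to enable the macro. The following is an added example, not ESET's code and not part of the original article: a Python check that decides from an attachment's bytes (never its file extension) whether an Office file carries a VBA project. Office 2007+ files are ZIP containers (OOXML), and a VBA project shows up in three places: the vbaProject.bin part, its content-type declaration in [Content_Types].xml, and the vbaProject relationship type in a .rels part; the check looks at all three. The sample attachments and the gateway_decision policy are constructed for the example.

```python
"""Mail-gateway check for macro-bearing Office attachments.

Added example, not ESET code. Decides from file contents, not the
extension, whether an OOXML container carries a VBA project. Sample
attachments below are constructed in memory for the example.
"""
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls/.ppt (OLE/CFB)
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
VBA_RELATIONSHIP = b"http://schemas.microsoft.com/office/2006/relationships/vbaProject"


def classify_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole-legacy' or 'other'."""
    if data.startswith(OLE_MAGIC):
        # Binary Office format: macros live in OLE streams, which this
        # check does not parse; hand the file to a dedicated parser.
        return "ole-legacy"
    if not data.startswith(b"PK"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # 1. The conventional part name (word/, xl/ or ppt/vbaProject.bin).
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "ooxml-macro"
            # 2. A VBA project declared in the content types, whatever its path.
            if "[Content_Types].xml" in names and \
                    VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                return "ooxml-macro"
            # 3. A relationship of type vbaProject in any .rels part.
            for n in names:
                if n.lower().endswith(".rels") and VBA_RELATIONSHIP in zf.read(n):
                    return "ooxml-macro"
            return "ooxml-clean"
    except zipfile.BadZipFile:
        return "other"


def gateway_decision(data: bytes) -> str:
    """Example policy (an assumption for this demo): block OOXML with macros,
    hold legacy binary Office files for deeper scanning, deliver the rest."""
    kind = classify_attachment(data)
    if kind == "ooxml-macro":
        return "block"
    if kind == "ole-legacy":
        return "hold"
    return "deliver"


def _ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML container from {part_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (not real malware; the VBA payload is a stub).
CT_CLEAN = (b'<Types><Override PartName="/word/document.xml" ContentType='
            b'"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
CT_MACRO = (b'<Types><Override PartName="/word/vbaProject.bin" '
            b'ContentType="application/vnd.ms-office.vbaProject"/></Types>')
RELS_MACRO = (b'<Relationships><Relationship Id="rId9" Type="' + VBA_RELATIONSHIP +
              b'" Target="macros.bin"/></Relationships>')

SAMPLE_CLEAN_DOCX = _ooxml({"[Content_Types].xml": CT_CLEAN,
                            "word/document.xml": b"<w:document/>"})
SAMPLE_MACRO_DOCM = _ooxml({"[Content_Types].xml": CT_MACRO,
                            "word/document.xml": b"<w:document/>",
                            "word/vbaProject.bin": b"stand-in for a VBA project"})
# Project stored under a non-standard name but still wired in via the relationship.
SAMPLE_RENAMED_PART = _ooxml({"[Content_Types].xml": CT_CLEAN,
                              "word/document.xml": b"<w:document/>",
                              "word/_rels/document.xml.rels": RELS_MACRO,
                              "word/macros.bin": b"stand-in for a VBA project"})
SAMPLE_LEGACY_DOC = OLE_MAGIC + b"\x00" * 504
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample\n"

if __name__ == "__main__":
    for label, blob in [("clean .docx", SAMPLE_CLEAN_DOCX), (".docm", SAMPLE_MACRO_DOCM),
                        ("renamed part", SAMPLE_RENAMED_PART), ("legacy .doc", SAMPLE_LEGACY_DOC),
                        ("pdf", SAMPLE_PDF)]:
        print(f"{label:13s} {classify_attachment(blob):12s} -> {gateway_decision(blob)}")
```

The legacy OLE compound format stores macros in streams inside the container, which this check deliberately does not parse; it holds such files for a dedicated parser (oletools' olevba is the usual choice). Deciding on contents rather than on the extension matters because a renamed file keeps its parts, and a gateway rule keyed on ".docm" alone misses them.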
On 17 December 2016, another cyberattack on Ukraine’s power grid deprived part of its capital, Kiev, of power for about an hour. ESET researchers analysed samples of malware capable of performing exactly that kind of attack, detected by ESET as Win32/Industroyer. What set Industroyer apart from other malware targeting infrastructure was its four payload components, designed to take direct control of switches and circuit breakers at an electricity distribution substation. To do so, they spoke the industrial communication protocols used worldwide in power supply infrastructure, transportation control systems and other critical infrastructure (such as water and gas). The malware also contained features to keep it under the radar, to ensure its persistence, and to wipe all traces of itself once it had done its job.
But the electricity distribution grid itself is not the only target. In July 2019 City Power, one of the companies supplying electricity to Johannesburg, South Africa’s biggest city, reported grappling with a ransomware attack that left some residents without power: the ransomware had encrypted its databases, applications and network. The affected applications included the company’s prepaid vending system, which made it impossible for customers to “refill” their accounts and buy electricity units.
The European Network of Transmission System Operators for Electricity (ENTSO-E) also admitted that it fell victim to a cyberattack in 2020. In a brief statement published on its website, the organisation said that it had found evidence of a “successful cyber intrusion” affecting its office network. ENTSO-E, which represents 42 electricity Transmission System Operators (TSOs) across Europe, emphasised that the compromised systems were not connected to any operational transmission network and that it had duly informed its members of the incident.
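ESET's published analysis of Industroyer names IEC 60870-5-104 (IEC 104, carried over TCP port 2404) among the substation protocols its payloads spoke. As an added example, not ESET's code and not Industroyer's, the Python below parses IEC 104 frames the way a passive monitor on a substation network would and raises an alert for any process-control command (single, double or regulating-step command, with or without time tag, whose cause of transmission is "activation") that does not come from an approved SCADA master, plus an alert for malformed frames. The sample frames, IP addresses and the allow-list are constructed for the example; they are not captured Industroyer traffic.

```python
"""IEC 60870-5-104 control-command detector.

Added example, not ESET or Industroyer code. Parses raw APDUs as a passive
monitor would see them and flags process-control commands from hosts that
are not approved SCADA masters. All frames and addresses below are
constructed for the example.
"""

# ASDU type identifiers of control commands (IEC 60870-5-101 type IDs).
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}
COT_ACTIVATION = 6  # cause of transmission "act": a request to operate


def parse_apdu(buf: bytes) -> dict:
    """Parse one APDU (APCI plus optional ASDU). Raises ValueError if malformed."""
    if len(buf) < 6 or buf[0] != 0x68:
        raise ValueError("not an IEC 104 APDU")
    if buf[1] < 4 or buf[1] + 2 != len(buf):  # length byte covers everything after it
        raise ValueError("bad APDU length")
    c1, c2, c3, c4 = buf[2:6]
    if (c1 & 0x01) == 0:
        fmt = "I"  # information transfer: carries an ASDU
    elif (c1 & 0x03) == 0x01:
        fmt = "S"  # supervisory: acknowledgement only
    else:
        fmt = "U"  # unnumbered control: STARTDT / STOPDT / TESTFR
    apdu = {"format": fmt}
    if fmt != "I":
        return apdu
    apdu["send_seq"] = ((c2 << 8) | c1) >> 1
    apdu["recv_seq"] = ((c4 << 8) | c3) >> 1
    asdu = buf[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot, originator, ca_lo, ca_hi = asdu[:6]
    apdu.update(
        type_id=type_id,
        num_objects=vsq & 0x7F,
        cause=cot & 0x3F,
        negative=bool(cot & 0x40),
        test=bool(cot & 0x80),
        originator=originator,
        common_address=ca_lo | (ca_hi << 8),
        objects=[],
    )
    if type_id not in CONTROL_TYPES:
        return apdu  # monitoring data and other types are not decoded here
    if vsq & 0x80:
        raise ValueError("SQ=1 is not valid for control commands")
    # Each object: 3-byte IOA, 1-byte qualifier (SCO/DCO/RCO), and for the
    # time-tagged variants a further 7-byte CP56Time2a stamp.
    obj_len = 4 if type_id in (45, 46, 47) else 11
    body = asdu[6:]
    for i in range(apdu["num_objects"]):
        chunk = body[i * obj_len:(i + 1) * obj_len]
        if len(chunk) < obj_len:
            raise ValueError("information object truncated")
        ioa = chunk[0] | (chunk[1] << 8) | (chunk[2] << 16)
        q = chunk[3]
        if type_id in (45, 58):
            state = "on" if q & 0x01 else "off"
        elif type_id in (46, 59):
            state = {1: "off", 2: "on"}.get(q & 0x03, "invalid")
        else:
            state = {1: "lower", 2: "higher"}.get(q & 0x03, "invalid")
        apdu["objects"].append({"ioa": ioa, "select": bool(q & 0x80), "state": state})
    return apdu


def flag_control_commands(frames, allowed_masters):
    """frames: iterable of (src_ip, apdu_bytes). Returns a list of (src_ip, reason)."""
    alerts = []
    for src, raw in frames:
        try:
            a = parse_apdu(raw)
        except ValueError as err:
            alerts.append((src, f"malformed APDU: {err}"))
            continue
        if a["format"] != "I" or a["type_id"] not in CONTROL_TYPES:
            continue
        if a["cause"] != COT_ACTIVATION or src in allowed_masters:
            continue
        for obj in a["objects"]:
            phase = "select" if obj["select"] else "execute"
            alerts.append((src, f"{CONTROL_TYPES[a['type_id']]} {phase} {obj['state']} "
                                f"IOA={obj['ioa']} CA={a['common_address']}"))
    return alerts


# Constructed traffic: 10.0.0.5 is the approved SCADA master, 10.0.0.9 an RTU,
# 10.0.0.77 an engineering workstation that must never issue controls.
ALLOWED_MASTERS = {"10.0.0.5"}
SAMPLE_FRAMES = [
    ("10.0.0.5",  bytes.fromhex("68 04 43 00 00 00")),                                  # U: TESTFR act
    ("10.0.0.5",  bytes.fromhex("68 0E 04 00 06 00 2D 01 06 00 01 00 E8 03 00 80")),  # select off, IOA 1000
    ("10.0.0.77", bytes.fromhex("68 0E 00 00 00 00 2D 01 06 00 01 00 E8 03 00 00")),  # execute off, IOA 1000
    ("10.0.0.77", bytes.fromhex("68 0E 02 00 00 00 2E 01 06 00 01 00 E9 03 00 01")),  # double cmd off, IOA 1001
    ("10.0.0.9",  bytes.fromhex("68 0E 00 00 02 00 01 01 03 00 01 00 E8 03 00 01")),  # M_SP_NA_1, spontaneous
    ("10.0.0.77", bytes.fromhex("68 0E 02 00 00 00 2D 01 06 00 01 00 E8")),           # truncated frame
]

if __name__ == "__main__":
    for src, reason in flag_control_commands(SAMPLE_FRAMES, ALLOWED_MASTERS):
        print(f"ALERT {src}: {reason}")
```

The detector keys on the cause of transmission so that the confirmations and terminations an RTU sends back (actcon, actterm) are not mistaken for new commands, and it alerts on malformed frames because a host that speaks broken IEC 104 on the substation LAN is itself worth a look. In practice the allow-list should be the set of masters the RTU is configured to accept, and the same parser can feed a baseline of which IOAs each master normally operates.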
Electrical grids worldwide have become more susceptible to cyberattacks as their industrial control systems are connected to wider networks. A US survey of electrical utilities a few years ago found that companies faced up to 10,000 attacks per month. Of the 53 companies surveyed, more than a dozen described attacks on their systems as “daily” or “constant”. One company complained of being under a “constant state of ‘attack’ from malware and entities seeking to gain access to internal systems.”
More subtle attacks than outright power outages have also been detected. There have been at least two major cases of illicit cryptocurrency-mining software running on compromised systems at nuclear power plants. Cryptocurrency mining is extremely power-intensive, so it carries a high environmental impact, in addition to the cost and the potential to cause the kind of power distribution problems described above.
All this indicates that comprehensive and robust cybersecurity thinking needs to be built into the planning and running of any power infrastructure, at every level, from legislation and regulation down to day-to-day operations. To prevent cyber-incidents where possible and to mitigate the fallout when they do occur, critical infrastructure organisations need to keep improving their security: reducing the effectiveness of phishing attacks (still among the most prevalent attack vectors), segregating and controlling network access, reviewing and testing both old and new hardware and software, doing digital due diligence on suppliers, and monitoring the kind of network probing and surveillance that may presage a full-on cyberattack.