Lessons and advice from the Ukraine cyberattacks

Ukraine has been hit with two major cyberattacks on its critical infrastructure in the last year and a half. The first steps of the attack were executed through the HMI: operators saw the mouse pointer moving in front of them, and they had no control of it. A cybersecurity expert and investigator explains the attack and what it means for industrial security as a whole.


Ukraine suffered a cyberattack on its electric grid that shut down power in Kiev, the nation's capital, for an hour in December 2016. However, the attack was much deeper than just the grid. It was a systemic attack hitting key governmental and infrastructure points across the country.

The attack ended up being very similar to the attack that struck the Ukrainian power grid in December 2015.

But unlike the 2015 cyberattack, which cut out 27 power distribution operation centers and affected three utilities in western Ukraine, the December 2016 attack hit the Pivnichna transmission-level substation, a remote power transmission facility, and shut down the remote terminal units (RTUs) that control its circuit breakers, causing a power outage of about an hour.

"In the Ukraine there was a huge wave of attacks going on," said Marina Krotofil, lead security researcher at the Honeywell Industrial Cybersecurity Lab and an investigator on the utility attack, during an interview with ISSSource. "None of the attacks were targeted at maximum damage. Interaction, yes. Sabotage, yes. But no maximum damage. Attackers shut down the RTUs which controlled circuit breakers. So, basically, the RTUs were sent offline; there was a command that said go offline and shut down. If the RTUs are not controlling the circuit breakers they would fail open, and this is how the substation disconnected from the power grid. (The attackers) could have done so much more, but they did not. Very quickly the RTUs were put online and everything was reconstructed, and within an hour everything was working."

Krotofil said they have theories on who did this and why they did it, "But we cannot talk about it right now."

"As you can see from the entire Ukraine, the power utility was just part of the picture. The entire Ukraine was attacked. It seems within this specific campaign in December there was no intention to cause maximum damage anywhere. It doesn't matter what was attacked, railway, or power utility or governmental organization there was no major damage," she said. "I am not claiming the attackers won't do more damage in the future."

Comparing the two attacks

By comparing it with the 2015 attack, the investigators were able to establish a relationship between the two. "It was unique in the sense the style was very recognizable from other attacks from last year. You go to the host, you look for the same looks and you find them. You can clearly recognize the style," Krotofil said.

Then she added an ominous note.

"The attack group clearly became more sophisticated and more organized," Krotofil said. "The level of sophistication and preparedness and organization was significantly higher from last year."

Sometimes it is easy to attack sites not considered secure because of a lack of technology on site; however, this was not the case at the Pivnichna substation.

"This was one of the most highly automated substations in Ukraine," Krotofil said. "It was not clear if it was selected on purpose or not because there were a lot of YouTube videos on the substation. There was a lot of publicity because this was one of the substations that was just upgraded with all of the latest automation technology. While it ran some old systems, it was highly automated and there was a lot of public information on it."

Was Ukraine attack preventable?

With an attack on an electric utility such as the one in Kiev, Ukraine, the question arises: what could have been done to prevent the incident from happening?

"They could not have avoided this attack because it is very targeted," Krotofil said. "The attacker wanted to get in."

Any dedicated, well-financed attacker with the time and energy to focus on a specific target will most likely succeed. But it doesn't have to be that way. The issue is that manufacturers are only at the beginning stages of implementing security programs at their facilities.

"Now the entire world is going from old infrastructure to updating switches, to perimeter security which are the first steps to be done to start security. Many companies are in the opening stages, but there are industries like oil and gas that are more advanced. It is a very slow process," Krotofil said.

In this attack, the intruder put all their effort into getting through the perimeter.

"Once the intruder is in the perimeter, they will try to blend in as soon as possible," she said. "They will obtain some legitimate credentials and they will start acting using the legitimate credentials. Once they blend in, no network monitoring will show you because you have legitimate credentials so then you have to start doing behavioral monitoring.

Specifically, in this case, the intruder was determined to get in; no organization could prevent this type of attack. Only a few very prepared organizations could prevent this type of attack."
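The behavioral monitoring Krotofil describes can be illustrated with a small per-account baseline: once an intruder is operating with valid operator credentials, every session authenticates cleanly, so the signal has to come from how the account behaves rather than whether it is allowed in. The following is an added example written for this page, not code from the article, from Honeywell or from any utility; the log format, account names, host names, RTU names and all log lines are constructed for illustration and do not describe the Pivnichna systems.

```python
"""Per-account behavioral baseline for operator activity on an ICS network.

Added example, not from the article. Log format, field names, account and
host names, and every sample line are constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical log: timestamp, account, source host, command, target.
BASELINE_LOG = """\
2016-11-01T09:12:03 op_ivanov HMI-01 READ_STATUS RTU-7
2016-11-01T09:40:15 op_ivanov HMI-01 READ_STATUS RTU-8
2016-11-02T10:02:44 op_ivanov HMI-01 SET_TAG RTU-7
2016-11-03T14:21:09 op_ivanov HMI-02 READ_STATUS RTU-7
2016-11-04T08:55:31 op_ivanov HMI-01 READ_STATUS RTU-9
2016-11-05T11:03:52 op_ivanov HMI-01 SET_TAG RTU-8
2016-11-01T22:10:00 op_petrenko HMI-03 READ_STATUS RTU-7
2016-11-02T23:44:12 op_petrenko HMI-03 READ_STATUS RTU-8
2016-11-03T21:30:45 op_petrenko HMI-03 SET_TAG RTU-7
"""

# Constructed new activity. The credentials are valid and every session
# authenticates, but host, hour and command fall outside op_ivanov's habits.
NEW_LOG = """\
2016-12-17T23:51:02 op_ivanov ENG-WS-5 READ_STATUS RTU-7
2016-12-17T23:52:40 op_ivanov ENG-WS-5 RTU_OFFLINE RTU-7
2016-12-17T23:53:05 op_ivanov ENG-WS-5 RTU_OFFLINE RTU-8
2016-12-18T09:05:11 op_ivanov HMI-01 READ_STATUS RTU-7
"""


def parse(log):
    """Yield (timestamp, account, host, command, target) per non-empty line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, account, host, command, target = line.split()
        yield datetime.fromisoformat(ts), account, host, command, target


def build_baseline(log):
    """Profile each account: hosts used, hours active, commands issued."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set(), "commands": set()})
    for ts, account, host, command, _ in parse(log):
        p = profile[account]
        p["hosts"].add(host)
        p["hours"].add(ts.hour)
        p["commands"].add(command)
    return profile


def score_event(profile, ts, account, host, command):
    """Return the list of ways this event deviates from the account's profile."""
    p = profile.get(account)
    if p is None:
        return ["unknown account"]
    reasons = []
    if host not in p["hosts"]:
        reasons.append(f"new source host {host}")
    if ts.hour not in p["hours"]:
        reasons.append(f"unusual hour {ts.hour:02d}")
    if command not in p["commands"]:
        reasons.append(f"never-before-seen command {command}")
    return reasons


def find_anomalies(baseline_log, new_log, min_reasons=2):
    """Flag events that deviate on at least min_reasons dimensions.

    Requiring more than one deviation keeps a single change (for example a
    replaced workstation) from raising an alert on its own.
    """
    profile = build_baseline(baseline_log)
    alerts = []
    for ts, account, host, command, target in parse(new_log):
        reasons = score_event(profile, ts, account, host, command)
        if len(reasons) >= min_reasons:
            alerts.append((ts.isoformat(), account, command, target, reasons))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(BASELINE_LOG, NEW_LOG):
        print(alert)
```

Run against the constructed logs, the three late-night events from the unfamiliar engineering workstation are flagged, the two RTU_OFFLINE commands on all three dimensions, while the next morning's routine read from the usual HMI passes. A real deployment would baseline over months rather than days and would carry additional dimensions (target device, command rate, session duration), but the principle is the one in the quote: valid credentials defeat allow/deny checks, not behavior checks.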
