First Ukraine, Next the World?

Russian hackers caused a power outage in Ukraine during the holiday season, escalating fears of the vulnerability of the U.S. electric grid to cyber attacks. Half the homes in Ukraine’s Ivano-Frankivsk region were left without power for several hours Dec. 23.

“This is the first incident we know of where an attack caused a blackout,” said John Hultquist, an iSIGHT cyberespionage executive. “It’s always been the scenario we’ve been worried about for years because it has ramifications across broad sectors.” (See coverage in the Washington Post.)

Attackers used malware that wiped files off computer systems, shutting them down and causing the blackout. The attack was described as emerging from Russia.

A silver lining is that the outage was relatively short-lived and easily fixed. I would expect that U.S. cyber-security systems are far more robust. On the other hand, it is alarming to have this confirmation that shadowy groups are actively probing the vulnerability of electric power systems anywhere. The electric grid is the most essential infrastructure in the U.S.; without it the economy would collapse and society would dissolve into anarchy. Consider the Ukraine incident a shot across the bow. Let us hope that federal authorities treat the problem with appropriate seriousness and that the political class here in Virginia does the same.

For more about what Virginia is doing to harden its grid, see “Mad Max Coming to an Electric Grid Near You?”

— JAB

7 responses to “First Ukraine, Next the World?”

  1. As I said before – computer security is for professionals – not weenies yet corporate and govt America seems to believe that securing computers is like slinging hash at diners…rather than more like the skill and expertise that you’d want and expect from a lawyer or Doctor or Engineer.

    you don’t have to be stupid – but oh so many demand to be so…

  2. I agree that Snowden showed us that our info systems can be accessed. It would not surprise me if the Chinese cannot already and are already accessing many of our systems.
    However, Ukraine is not the same world. They still are much more a Russian colony than say Canada is a British colony or even the USA which is to some degree a British colony. (Britain won two world wars by being able to deploy troops from America, India, and Australia etc.)
    A primary language of Ukraine, but not official, is Russian with the second being Hebrew. And the skirmish between Moscow and Ukraine is something of an internal squabble. Ukraine is absolutely critical to Russia and who knows what will happen next.
    Russia will never give up Ukraine no matter how much we encourage the Ukrainians to rebel. Crimea is Russia’s only southern major sea port and they will never give it up. Crimea is to the Russians as Florida is to the USA. So we cannot squeeze it away from Russia. Not without World War III

  3. A significant issue in modernizing our grid is cybersecurity. Much of our SCADA and other grid control mechanisms involve relatively slow acting electro-mechanical devices that often require manual resets and visual inspections to find the problems.

    The 21st century grid will transmit loads of data as well as electricity. There are customer privacy issues as well as reliability and security issues. We are probably more vulnerable at present than we would like to admit. There are many competing standards and not all devices communicate with one another. There is a large movement towards improving things but it will take a few years to sort it out and probably a few more to get it all functioning properly. More distributed generation and local storage can improve reliability if the grid is developed coherently. But we are not there yet. Some state regulators and utilities are working harder on this than it appears we are in Virginia.

  4. Living at a cabin with no phone or TV or internet before, outhouses, and candles, CERT training, I’ll be ok for a bit. 🙂

    At least my bill will be cheaper.

  5. re: “Attackers used a malware that wiped files off computer systems, shutting them down and causing the blackout.”

    first – these are not serious attackers – they are vandals. serious attackers are after things like money so they’d use timed outages to then penetrate places which depend on grid power for their security. It would be the first part of a coordinated attack.

    Malware is software that communicates with a system using known protocols that that system uses. In other words – the Malware knows what kind of system it is and what protocols it communicates with.

    Malware is specific to specific systems. Malware intended for one kind of system will not be able to communicate with a different system that uses different protocols.

    so how does Malware KNOW what kind of system it’s communicating with? It has to find out first – where it will try different protocols until it gets an affirmative response. and then it knows but some, many systems actually provide on query – the type of system they are and that makes it easy for the hacker to have the same system and spend as much time as they need figuring out how that flavor of system works. Properly secured systems do not self-id themselves and in fact – make it hard to query – ignoring spurious multiple attempts – much like what happens when you provide the wrong password several times.. you’re done.

    So, you don’t want to use off-the-shelf systems without altering them so they don’t work per the known spec.

    Most systems come unsecured out of the box… if you use an off-the-shelf variant of Linux or even commercial software – anyone can obtain them and “learn” how to hack them in their own sweet time then go after your system once they know how it works.

    so you don’t want to be using such out-of-box systems for any mission critical applications – it’s dumb. It’s like giving an attacker the blueprint to the entire security configuration at a place like North Anna or DVP’s master control center.

    you don’t do dumb stuff like that – if you are serious about computer security.

    so what you hear about – like this one – are systems that are not being maintained by professionals… where some engineer has been designated as the “computer guy”… and not someone with the proper background. It would be like expecting someone that knows how to install an electric switch to design the entire electrical system….

    serious companies and govt now have Chief Data Officers and even Chief Data Security Officers to go along with their CEO and CFOs.

    and for all those folks crying about the cost of a college degree that provides no job – there are real jobs for those that want to actually become skilled at jobs that are in more and more demand.

    the last guy in the world you want to maintain your system is someone who is “good with computers”.
