The Ukrainian electric grid cyber attacks were not “success stories”

“That is a success story,” said Dale Peterson, chief executive at Digital Bond, during a Tuesday presentation entitled “It’s Not About ICS Security – It’s Business Risk and Safety” at the 12th Annual API Cybersecurity Conference, November 7, 2017, in Houston, TX. “If you could have a conversation (with management) saying six hours is the most time we would have had an outage, that is a good conversation to have. Think about it for a moment: the attackers had to plan and coordinate an attack for months on end and they wanted the grid to go out, and instead the utility had a back-up plan after the technology failed, and it was to go out to the substations and manually restore power. Six hours is not a bad amount of time to be without power. The glass is half full.”

I also participated in the API Conference, giving a four-hour short course on Monday, November 6th. The short course included a discussion of Aurora and what it could mean to refineries, pipelines, etc. Aurora is simply remotely opening breakers and then reclosing the breakers out-of-phase with the electric grid. The “Aurora effect” would damage or destroy Alternating Current (AC) rotating equipment (i.e., generators, induction motors, etc.) and transformers connected to the affected substations. On June 13th, I gave a presentation to the American Nuclear Society Conference in San Francisco on “The Impacts of the Ukrainian Cyber Attack to Nuclear Plants” because of the damage Aurora could cause to nuclear plant control and safety equipment. There has already been an Aurora event in the US that damaged mechanical equipment in a commercial facility, shutting the facility down for weeks.

In both the 2015 and 2016 Ukrainian cyber attacks, the attackers did not reclose the breakers. If the attackers had reclosed the breakers, there is a high probability the outages would not have been hours but rather MONTHS, and it could have been considered an act of war. The Ukrainian cyber attacks were not “half full” success stories but a message to the Ukraine and the US as to what the attackers could do to our grids. This is particularly important to the US, as the BlackEnergy malware has been in our electric grids since at least October 2014.

Joe Weiss

Comments

  • Hi Joe, The second half of the well-intentioned "quote" isn't exactly what I said, and it misses a couple of points in the session. I actually mentioned you at the end and believe we agree on this issue. 1. I called the 2015 Ukraine incident a success story in cyber risk management. It was a failure of cyber security controls. 2. The thrust of the talk was that we (the community) should focus as much on the consequence portion of the risk equation as the likelihood portion. We put almost all the attention on security controls to reduce the likelihood portion of the risk equation. Addressing the consequence part of the risk equation often can lead to more effective and efficient risk reduction. 3. Addressing the consequence side of the risk equation places a cap/max on the risk, and it leads to better discussions with the Board and Senior Management. 4. Finally, we don't know if the Ukraine 2015 success was actually luck or effective risk management. I brought up your contention that the Ukraine utility was lucky that the attacker did not reclose the breaker, and that this would have caused an outage of months, not hours. I was surprised that there are so many differing opinions and analyses on this issue, so I talked with a number of people I respect who design substations and work with transmission and distribution systems. What I found was that the answer actually supported the whole premise of the talk, that asset owners should focus on consequence. The answer to whether reclosing the breakers would have caused months of outage and large damage depends on the design and the protection in place. If the designers had put protection in place to prevent breaker reclose when the system was in a state that would result in damage, then it would be the actual Ukraine situation. If they did not, then it could very well result in the months of outage.
It's a great example where additional thought and expenditure on the protection to reduce maximum consequence could be more efficient, and definitely more effective, risk reduction from a cyber attack (or even a non-malicious cyber incident, as you often point out). Hope that clarifies. Dale Peterson, Digital Bond, Inc. https://s4x18.com

    Reply
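The point both the post (Aurora as an out-of-phase reclose) and Dale's comment (protection that prevents a reclose when the system is in a damaging state) turn on is reclose supervision at the relay. The example below is added here and is not code from Joe Weiss, from Digital Bond, or from any relay vendor. It models a synchronism-check permissive of the ANSI 25 type: a close command, whatever its source, is only passed to the breaker when the bus-side and line-side voltages agree in magnitude, angle and frequency. The thresholds, the phasor values and the `Phasor`/`SyncCheckLimits` names are constructed for illustration, and the dead-bus/live-line permissives of a real scheme are deliberately left out.

```python
"""Synchronism-check (ANSI 25) supervision of a breaker close command.

Added example, not code from the original post or from Digital Bond.
All names, thresholds and sample phasors are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Phasor:
    """Voltage measured on one side of the open breaker (assumed units)."""
    magnitude_pu: float   # voltage magnitude in per-unit of nominal
    angle_deg: float      # phase angle in degrees
    frequency_hz: float   # measured frequency


@dataclass(frozen=True)
class SyncCheckLimits:
    """Illustrative permissive window; real settings come from a system study."""
    max_voltage_diff_pu: float = 0.10   # |Vbus - Vline|
    max_angle_diff_deg: float = 20.0    # angle across the open breaker
    max_slip_hz: float = 0.10           # frequency difference
    min_live_voltage_pu: float = 0.80   # below this a side is "dead"


def angle_difference_deg(a: float, b: float) -> float:
    """Smallest unsigned angle between two phase angles, wrapped to [0, 180]."""
    return abs((a - b + 180.0) % 360.0 - 180.0)


def sync_check(bus: Phasor, line: Phasor,
               limits: SyncCheckLimits = SyncCheckLimits()) -> Tuple[bool, List[str]]:
    """Return (close_permitted, reasons_for_blocking).

    Every violated condition is reported so the event record explains
    why a close was refused, rather than just that it was refused.
    """
    reasons: List[str] = []

    # This simplified scheme requires both sides live; a dead-bus or
    # dead-line close needs its own permissive logic, omitted here.
    if bus.magnitude_pu < limits.min_live_voltage_pu:
        reasons.append("bus side dead or undervoltage")
    if line.magnitude_pu < limits.min_live_voltage_pu:
        reasons.append("line side dead or undervoltage")
    if reasons:
        return False, reasons

    dv = abs(bus.magnitude_pu - line.magnitude_pu)
    if dv > limits.max_voltage_diff_pu:
        reasons.append(f"voltage difference {dv:.2f} pu exceeds limit")

    dtheta = angle_difference_deg(bus.angle_deg, line.angle_deg)
    if dtheta > limits.max_angle_diff_deg:
        reasons.append(f"angle difference {dtheta:.1f} deg exceeds limit")

    slip = abs(bus.frequency_hz - line.frequency_hz)
    if slip > limits.max_slip_hz:
        reasons.append(f"slip {slip:.3f} Hz exceeds limit")

    return (not reasons), reasons


def supervised_close(source: str, bus: Phasor, line: Phasor) -> Tuple[bool, str]:
    """Apply the 25 check to a close request and produce an event-log line.

    The relay does not care whether the request came from an operator,
    an automatic reclose or a compromised HMI: the permissive is the
    same, which is what caps the consequence of a bad close command.
    """
    permitted, reasons = sync_check(bus, line)
    if permitted:
        return True, f"CLOSE PERMITTED source={source}"
    return False, f"CLOSE BLOCKED source={source} reasons={'; '.join(reasons)}"


if __name__ == "__main__":
    # Constructed sample conditions, not measurements from any real event.
    bus = Phasor(magnitude_pu=1.00, angle_deg=0.0, frequency_hz=60.00)
    in_phase = Phasor(magnitude_pu=0.98, angle_deg=6.0, frequency_hz=60.02)
    out_of_phase = Phasor(magnitude_pu=1.00, angle_deg=175.0, frequency_hz=60.00)
    for label, line in (("in-phase", in_phase), ("out-of-phase", out_of_phase)):
        _, event = supervised_close(f"remote-hmi/{label}", bus, line)
        print(event)
```

Run stand-alone, the in-phase request is permitted and the out-of-phase request is blocked with the angle difference recorded in the event line. The design choice worth noting is that the check sits in the relay's close path rather than in the HMI or SCADA master: it reduces the maximum consequence of any close command, which is exactly the consequence-side risk reduction the comment argues for, independent of whether the likelihood-side controls upstream have failed.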

