“That is a success story,” said Dale Peterson, chief executive at Digital Bond during a Tuesday presentation entitled, “It’s Not About ICS Security – It’s Business Risk and Safety” at the 12th Annual API Cybersecurity Conference November 7, 2017 in Houston, TX. “If you could have a conversation (with management) saying six hours is the most time we would have had an outage, that is a good conversation to have. Think about it for a moment, the attackers had to plan and coordinate an attack for months on end and they wanted the grid to go out and instead, the utility had a back-up plan after the technology failed and it was to go out to the substations and manually restore power. Six hours in not a bad amount of time to be without power. The glass is half full”.
I also participated in the API Conference giving a four hour short course on Monday, November 6th. The short course included a discussion of Aurora and what it could mean to refineries, pipelines, etc. Aurora is simply remotely opening breakers and then reclosing the breakers out-of-phase with the electric grid. The “Aurora affect” would damage or destroy Alternation Current (AC) rotating equipment (i.e., generators, induction motors, etc.) and transformers connected to the affected substations. June 13th, I gave a presentation to the American Nuclear Society Conference in San Francisco on “The Impacts of the Ukrainian Cyber Attack to Nuclear Plants” because of the damage Aurora could cause to nuclear plant control and safety equipment. There has already been an Aurora event in the US that has damaged mechanical equipment in a commercial facility shutting the facility down for weeks.
In both the 2015 and 2016 Ukrainian cyber attacks, the attackers did not reclose the breakers. If the attackers would have reclosed the breakers, there is a high probability the outages would not have been hours, but rather MONTHS and it could have been considered an act of war. The Ukrainian cyber attacks were not “half full” success stories but a message to the Ukraine and the US as to what the attackers could do to our grids. This is particularly important to the US as the BlackEnergy malware has been in our electric grids since at least October 2014.