How Power Grid Hacks Work, and When You Should Panic
In 2017, it can sometimes seem like power grids are practically crawling with digital intruders. Over just the last four months, news has emerged that Russian hackers penetrated a nuclear power plant, that the same group may have had hands-on access to an American energy utility’s control systems, that another group of Kremlin hackers used a new form of automated malware to induce a power outage in Ukraine—and now this week, that North Korean hackers breached an American energy utility. Reading those headlines, you’d be forgiven for thinking that hacker-induced blackouts were a near-weekly occurrence, not a twice-ever-in-history event.
But as real as the threat of power-utility hacking may be, not every grid penetration calls for Defcon 1. Responding to them all with an equal sense of alarm is like conflating a street mugging with an intercontinental ballistic missile attack. What’s publicly referred to as a “breach” of an energy utility could range from something barely more sophisticated than a typical malware infection to a nation-state-funded moonshot months or years in the making. Those incidents could also have vastly different consequences, from mere data theft to a potentially catastrophic infrastructure failure.
It’s true that the last several years have seen a “stark spike” in hacking attempts on industrial control systems like power utilities, water, and manufacturing, says Rob Lee, a former NSA analyst who now runs the critical-infrastructure-focused security firm Dragos, Inc. But Lee says it’s crucial to keep a sense of proportion: Of the hundreds of well-funded hacker groups that Dragos tracks globally, Lee says that roughly 50 have targeted companies with industrial control systems. Of those, Dragos has found only six or seven groups that have reached into companies’ so-called “operations” network—the actual controls of physical infrastructure. And even among those cases, Lee says, only two such groups have been known to actually trigger real physical disruption: The Equation Group, believed to be the NSA team that used the Stuxnet malware to destroy Iranian nuclear enrichment centrifuges, and the Sandworm team behind the blackouts in Ukraine.
So when news arises that hackers have merely “penetrated” an energy utility—as North Korean hackers recently did—receive it with those numbers in mind, and not with the assumption that the next Stuxnet or Sandworm has dropped. “This is a world where people can die,” Lee says. “If we come out and say it’s a big deal, it should be a big deal.”
To that end, here’s WIRED’s guide to the different gradations of grid hacking, to help you dial in your panic to the appropriate level for the power-grid penetrations to come. And there will be more.
Step One: Network Breach
When government agencies or the press warn that hackers have compromised a power utility, in the vast majority of cases those intruders haven’t penetrated the systems that control the flow of actual power, like circuit breakers, generators, and transformers. They’re instead hacking into far more prosaic targets: corporate email accounts, browsers, and web servers.
Those penetrations, which typically start with spearphishing emails, or “watering hole” attacks that infect target users by hijacking a website they commonly visit, don’t necessarily differ from traditional criminal or espionage-focused hacking. Most importantly, they don’t generate the means of causing any physical damage or disruption. In some cases, the hackers may be performing reconnaissance for future attacks, but nonetheless don’t get anywhere near the actual control systems that can tamper with electricity generation or transmission.
‘This is a world where people can die. If we come out and say it’s a big deal, it should be a big deal.”
Rob Lee, Dragos Inc
Earlier this week, for instance, a leaked report from security firm FireEye raised alarms when it revealed that North Korean hackers had targeted US energy facilities. A followup report from security news site Cyberscoop asserted that at least one of those attempts successfully penetrated a US utility. But a subsequent FireEye blog post indicated that its analysts had only found evidence that the hackers had sent a series of spearphishing emails to its intended victims—a fairly routine hacking operation that doesn’t appear to have come close to any sensitive control systems.
“We have not observed suspected North Korean actors using any tool or method specifically designed to compromise or manipulate the industrial control systems (ICS) networks that regulate the supply of power,” FireEye’s statement reads. “Furthermore, we have not uncovered evidence that North Korean-linked actors have access to any such capability at this time.”
North Korea no doubt has ambitions to wield power over US grid systems, and the fact that they’ve taken the first step is significant. But for now those attacks—and any others that stop at the level of IT compromise—should be seen at worst as foreboding, rather than an imminent threat of hacker blackouts.
Step Two: Operational Access
Hackers poking around an energy firm’s IT system should cause some concern. Hackers poking at operational technology systems, or what some security experts call OT, is a far more serious situation. When hackers penetrate OT, or gain so-called operational access, they’ve moved from the computer systems that exist in practically every modern corporation to the far more specialized and customized control systems for power equipment, a major step towards manipulating physical infrastructure.
In one recent hacking campaign, for instance, Symantec revealed that a group of hackers it named DragonFly 2.0—possibly the same Russian group reported earlier in the summer to have broken into a US nuclear facility—had gained operational access to a “handful” of US energy firms. The intruders had gone so far as to screenshot the so-called human-machine interfaces for power systems, likely so that they could study them, and prepare to start flipping actual switches to launch a full-on grid attack.
“Evidence of a phish attempt and probably infection is one step in a ladder,” says Mike Assante, a power-grid security expert and instructor at the SANS Institute, asecurity-focused training organization. “Scrapes from an HMI is a few rungs up the access scale,” Assante says, contrasting the recent North Korean phishing with the Dragonfly 2.0 attack.
In theory, OT systems are “air-gapped” from IT systems, with no network connections between the two. But with the exception of nuclear power plants, which strictly regulate their operational systems’ disconnection from outside networks, that air-gap is often more permeable than it ought to be, says Galina Antova, a co-founder of the industrial control system security firm Claroty. She says that Claroty has never analyzed an industrial control facility’s setup and not found a “trivial” way in to its OT systems. “Just by mapping the network, we can see the pathway from IT to OT,” she says. “There are ways of getting in.”
But Dragos’ Lee counters that given the small proportion of hackers that actually do manage to cross that gap, it’s hardly a trivial distinction. That’s in part because while IT systems are somewhat standardized, OT systems are more customized and esoteric, making them far less familiar. “They can basically practice and train so that they can completely compromise IT networks,” Lee says. “If they want to get to operations networks, it’s going to be weird equipment and weird setups, and they’re going to have to learn that.”
Step Three: Coordinated Attack
Even when intruders have “hands-on-the-switches” access to grid control systems, Lee says, using that access effectively is far harder than it might seem. In fact, he argues that all actions ahead of flipping that switch are just a preparatory stage that represents only about 20 percent of the hackers’ work.
Beyond the obscurity of whatever equipment setup a utility may have, Lee points out that its physical processes can require real expertise to manipulate, as well as months more effort and resources—not just opening a few circuit breakers to cause a blackout. Even after hackers gain access to those controls, “I can confidently say they’re still not at a stage to turn off the power,” Lee says. “They could turn off some [circuit] breakers, but they’d have no understanding of the effect. They might be stopped by a safety system. They don’t know.”
In the Ukrainian blackout of late 2015, the first-ever confirmed case of hackers causing a power outage, for instance, the intruders manually opened dozens of circuit breakers at three different facilities across the country, using remote access to electric distribution stations’ control systems—in many cases by literally hijacking the mouse controls of the stations’ operators. Analysts who responded to the attack believe it likely required months of planning and a team of dozens working in coordination. Even so, the blackout it caused lasted just six hours, for roughly a quarter-million Ukrainians.
Hackers essentially have to chose between the scope and duration of a blackout, Lee says. “If they wanted to do the full Eastern Interconnect, that’s exponentially more resources,” he says, referring to the grid that covers nearly the full eastern half of the US. “And if they want to take it down for a full week, that’s an exponential of an exponential.”
Some grid hackers do appear to be putting in the work to plan a wider, more disruptive operation. The second Ukrainian blackout attack used a piece of malware known as Crash Override, or Industroyer, capable of automating the process of sending sabotage commands to grid equipment, and built to be adapted to different countries’ setups so that it could be deployed broadly across multiple targets.
That specimen of ultra-advanced grid hacking malware is troubling. But it’s also extraordinarily rare. And there’s a significant gap between a piece of Black Swan malware and the dozens number of grid-penetration incidents that often amount to little more than spearphishing. No power grid breach is a good thing. But better to recognize the difference between a dress rehearsal and the main event—especially when there are more of those events on the horizon.