The holiday season has not been a joyful time with respect to Ukraine’s power grid. Days before Christmas in 2015, remote hackers wrested control from Ukrainian grid operators, and, by digitally commandeering substations, shut off power for 225,000 customers for several hours. Then, in mid-December of last year, hackers developed a malicious code that, without any real-time human support, disrupted a Kiev transmission station and caused a substantial blackout that lasted roughly an hour in the capital—in the first fully automated grid attack ever seen.
With the holidays approaching again, the eyes of security experts and diplomats are on the energy companies in Ukraine and on the teams, believed to be based in Russia, that are responsible for the attacks. Researchers have linked these groups to the infiltration of energy companies in the United States and Europe. Experts are watching this month with concerns over safety in Ukraine and over the significant implications such an attack would have worldwide, including in the U.S.
Some evidence has already suggested that a new attack could be in the works. Robert Lee, the CEO and founder of the industrial-cybersecurity firm Dragos and a leader in analyzing both of the Ukraine grid attacks, says that in recent weeks he has observed an unusual spike in activity in Ukraine by the same group of developers who engineered the malware used in the 2016 attack. From last year’s attack until mid-November, Dragos had registered very little activity in Ukraine by the group, Lee says. “In our assessment, it would be completely reasonable to execute an attack this month,” he warns.
It’s possible that this spike in activity could be reconnaissance, preparation for a later operation, or simply an intention to create fear of a forthcoming hack. Michael Assante is the director of industrials and infrastructure at the cybersecurity-focused SANS Institute and a lead investigator of the 2015 attack. He says that, given the continuous and sustained access campaigns in the Ukraine—which have occurred against the backdrop of the clash in Eastern Ukraine that resulted from Russia’s annexation of Crimea, in 2014—it is unclear if an attack is being readied. “The attackers could launch an attack if they believed an attack served a purpose and felt that the risk of being foiled was low enough to proceed,” he says.
Now American officials are on the lookout for any features of a 2017 attack in Ukraine that could spell trouble if a nation-state were to focus its efforts on the high-risk target of the United States—perhaps in case of a war, when the norm against attacking infrastructure slackens.
Indeed, past attacks on Ukraine have informed officials’ understanding of the national-security threats to the U.S. For more than a decade leading up to the 2015 Ukraine attack, officials and diplomats discussed the possibility of an attack on infrastructure, according to Chris Painter, who led the State Department’s international cyberpolicy and diplomacy efforts from 2011 until this fall. “This is not a new thing on our radar, but we’ve actually seen it coming of age and happening, which has raised the alarm bells,” he says, characterizing such an attack on the United States as a low-probability but high-impact event. “We are in a new era where we will see more of these. It has gone from theoretical to more doable and practical.”
As Herb Lin, a cybersecurity scholar at Stanford University, points out, an attack in the United States of limited duration and scope, such as the 2015 and 2016 Ukranian grid attacks, would be “annoying but tolerable,” akin to a typical, localized blackout. But watching the Ukrainian grid is of particular interest in the U.S. because past attacks may well have been for purposes of signaling, according to Chris Inglis, who served as the deputy director of the National-Security Agency from 2006 to 2014. These attacks were “done visibly and in a venue where the United States couldn’t react,” he says.
Indeed, Lee observed that a number of the capabilities that the developers behind the 2016 attack had engineered into malware were not ultimately deployed in the attack. “It looked more like a proof of concept or a test run than a final outcome,” he says. It was as if this grid attack on a non-NATO country was meant to show off capabilities that would frighten or deter other powers—which a defining analysis by the journalist Andy Greenberg in Wired suggests is an element of the campaign of cyberassaults on Ukraine.
A cyberattack on the U.S. grid would almost certainly require the backing and resources of a nation-state. Researchers have connected the hackers responsible to the Russian government, though Russia has denied allegations of hacking in Ukraine. And Lee has observed that the attackers function as a complex organization with multiple teams and specialties, like a company or an intelligence agency—with the 2015 attackers working as an operations team and the 2016 attackers as a development team. Russia has proved its willingness to use cybertools to meddle in the United States this year. Further, U.S. government officials expect more sophisticated and widespread cyberoperations from Russia, especially around the 2018 midterm elections.
“What worries me most about Russia is not its technology, but its audacity and their willingness to cross the line,” Inglis says. “They have proved themselves willing to do things that cross every definition of red line.”
Still, the capabilities deployed against Ukraine only mean so much for the United States. The U.S. power grid belongs to a diverse set of mostly private-sector owners, and much of it is heavily regulated. It would be more difficult to attack a grid of this complexity. At the same time, the U.S. grid is more digitally dependent. Where Ukraine was able to restore power within hours by reverting to analog operations, a heavy reliance on automation in the United States limits this recovery option. “I’d be concerned if, on the receiving side, we make the mistake of digitizing too much,” Inglis says. “The benefit of a manual backup showed itself [in Ukraine] as a feature as opposed to a piece of legacy. Right now, in the United States, there are some places with manual capabilities and others where there aren’t.”
Experts agree that power companies are making strides toward increasing the defensibility and readiness of the U.S. grid, but there is a ways to go. “We have certainly learned that current defenses should not be considered adequate when facing attackers who are experienced and equipped to target power systems,” wrote Assante, who has also worked in the leadership of American Electric Power and the North American Electric Reliability Corporation.
“We have to step up our game,” Painter ays. “Clearly there are malicious actors that want to mess with these systems, and I can’t say that we’ve done enough or that industry has done enough.”
Yet, a well-financed, imaginative adversary with the backing of a nation-state could seemingly could come up with any number of attacks on American systems (just as the United States can). For example, one high-value target in the United States would be large transformers, which enable the bulk of transmission of electricity. “They weigh hundreds of tons, cost millions of dollars, take months to build,” Lin says. A cyberattack on such transformers could result in power losses lasting for weeks or months if backup transformers were not in place—and they often aren’t. (Indeed, transformers are subject to threats outside the digital realm, and were the target of a California sniper attack in 2013.)
While the technical defense of each component of a power grid presents numerous challenges, defending a grid does not always come down to patching vulnerabilities. In the 2015 Ukraine attack, for instance, hackers did not engineer technically sophisticated tools. Instead, they used phishing emails and learned insider knowledge, executing legitimate operations but doing so to inflict damage. “This is less a technical issue—though there are serious technical challenges to be solved—than a people issue about cognizance, responsibility, and accountability,” Inglis says.
As they look to Ukraine this month, experts say it would be particularly concerning to see an attack affecting a larger area, spreading on autopilot, or lasting for more than a day. Of course, any potential second-order effects, such as loss of life, would raise the stakes—as would a domino effect in which a power outage also disrupted telecommunication or air-traffic systems.
And in the United States, officials are learning to live with uncertainty about the grid. “It is a fact of life that we could lose power for a couple of hours due to a foreign power,” Lee says. “We don’t have to panic about it, but we do need to come to terms with this reality while working to make it harder to achieve.”