WASHINGTON — The Obama administration has warned the nation’s power companies, water suppliers and transportation networks that sophisticated cyberattack techniques used to bring down part of Ukraine’s power grid two months ago could easily be turned on them.

After an extensive inquiry, American investigators concluded that the attack in Ukraine on Dec. 23 may well have been the first power blackout triggered by a cyberattack — a circumstance many have long predicted. Working remotely, the attackers conducted “extensive reconnaissance” of the power system’s networks, stole the credentials of system operators and learned how to switch off the breakers, plunging more than 225,000 Ukrainians into darkness.

In interviews, American officials said they have not completed their inquiry into who was responsible for the attack. But Ukrainian officials have blamed the Russians, saying it was part of the effort to intimidate the country’s political leaders by showing they could switch off the lights at any time.

“They could be right,” said one senior administration official. “But so far we don’t have the complete evidence, and the attackers went to some lengths to hide their tracks.”

Even after it has reached a conclusion, the White House might decide not to name the attackers, just as it decided not to publicly blame China for the theft of 22 million security files from the Office of Personnel Management.

But American intelligence officials have been intensely focused on the likelihood that the attack was engineered by the Russian military, or “patriotic hackers” operating on their behalf, since the first reports of the December blackout. The officials have found it intriguing that the attack did not appear designed to shut down the entire country. “This appears to be message-sending,” said one senior administration official with access to the intelligence, who requested anonymity to discuss the ongoing inquiry.

Equally interesting to investigators was the technique used: The malware designed for the Ukrainian power grid was directed at “industrial control systems,” systems that act as the intermediary between computers and the switches that distribute electricity and guide trains as they speed down the track, the valves that control water supplies, and the machinery that mixes chemicals at factories.

The most famous such attack was the Stuxnet worm, which destroyed the centrifuges that enriched uranium at the Natanz nuclear site in Iran. But that is not an example often cited by American officials — largely because the attack was conducted by the United States and Israel, a fact American officials have never publicly acknowledged.

Experts in cybersecurity regard the Ukraine attack as a teaching moment, a chance to drive home to American firms the vulnerability of their own systems. “There’s never been an intentional cyberattack that has taken the electric grid down before,” said Robert M. Lee of the SANS Institute. Mr. Lee said that while it was still not possible to determine who conducted the attack — what is called “attribution” in the cyber industry — it was clearly designed to send a political message.

“It was large enough to get everyone’s attention,” he said, “and small enough not to prompt a major response.”

The warning issued last Thursday by the Department of Homeland Security provided the first detailed account of the Ukrainian attack, based on the findings of a series of government experts who traveled to Ukraine to gather evidence.

The attack described by the Homeland Security document was highly sophisticated. The attackers gained entry, it appears, by sending a series of “spearphishing” messages that led someone in Ukraine to unintentionally give them access. Once they had that, the attackers mapped the system, much as the North Koreans mapped Sony Entertainment’s computers before attacking them in the fall of 2014.

Then a series of cyberattacks were carefully coordinated to occur within 30 minutes of one another on Dec. 23. The “breakers” that disconnected power were operated “by multiple external humans” through secure communication channels. The hackers then wiped many of the systems clean using a form of malware aptly named “KillDisk,” which erased files on the systems and disabled them. They wiped out the “human-machine interface” that enables operators of the electric system to run those systems — or get them back in service — from their computers.

For extra measure, the hackers even managed to disconnect backup power supplies, so that once the power failed, the computers could not turn them back on.

Investigators say that in the end, the Ukrainians may have been saved by the fact that their country relies on old technology and is still not as fully wired as many Western nations — meaning they were able to restore power by manually flipping old-style circuit breakers.

“The bad news for the United States is that we can’t do the same thing,” said Ted Koppel, the former ABC News anchor who published a best seller last year, entitled “Lights Out,” about the vulnerability of the American electric grid.

“We have 3,200 power companies, and we need a precise balance between the amount of electricity that is generated and the amount that is used,” he said. “And that can only be done over a system run on the Internet. The Ukrainians were lucky to have antiquated systems.”

The report from Homeland Security recommended a series of common-sense steps: Make sure that outsiders accessing power systems or other networks that operate vital infrastructure can monitor the system, but not change it; close “back doors” — system flaws that can give an intruder unauthorized access; have a contingency plan to shut down systems that have been infected, or invaded, by outsiders.

But all those systems make it harder for legitimate operators to use the Internet to keep vast systems operating, from a smartphone or laptop if necessary.