POWER May 2016 - 47
INSTRUMENTATION & CONTROL
Why Power Generators Can't Ignore the Ukraine Cyberattack
Although the December attack on Ukraine's power infrastructure mostly affected
the distribution grid, generators are just as vulnerable to cyberattack,
in part because they tend to rely more on outside contractors working
remotely. Here's the latest on the attackers' path and methods, areas in
generation that are potentially vulnerable, and recommendations to address
the vulnerabilities.
Michael Toecker, PE
December 23, 2015: Kyivoblenergo
Control Room, Kiev Region,
Ukraine. It's late afternoon, and a
grid operator is sitting at his workstation,
monitoring the flow of power in the local
distribution grid of the Kiev Oblast (Ukrainian
province). Around 3:30, the operator
notices the mouse cursor is moving. Grabbing
the mouse, he tries to move it out of
the way, but the cursor continues to move
on its own. The cursor's destination is a set
of 35kV and 100kV substations that provide
power to almost 80,000 customers
(Figure 1).
With deliberate action, a remote individual
had taken control of the operator workstation
and was systematically opening breakers
at 30 substations. Opening breakers doesn't
take much time; it was all over in 5 minutes.
For the people disconnected, and the utility
personnel deployed, recovery would take
considerably longer.
Kyivoblenergo wasn't the only utility
hacked remotely; two more control centers
suffered similar compromises, blacking out a
total of 225,000 customers for over 6 hours in
cold weather. Prior to opening the breakers,
attackers reconfigured battery backup systems,
disabling the automatic transfer functionality.
Once the breakers opened, those
backups failed to keep systems online, and
placed operators in the same darkness. And
while some details differ, a software component
called KillDisk was also used to fully
wipe the hard drives of corporate and control
systems, requiring time-consuming reinstallation
of the operating system and other important
software.
Operators discovered vital devices at
the individual substations had been reprogrammed
with invalid firmware, denying
remote control capability. The Ukrainian distribution
control centers had been completely
blinded and were relying on voice radio and
cellphones for communication, using pen
and paper to manage their local distribution
grids.
The Ukrainians, according to trustworthy
reports, had a reasonable security infrastructure
in place. They had a perimeter, limited
access for both data and personnel, and good
logging of ingress and egress from the control
system. However, their remote access
infrastructure used only a single means of
authentication: a password.
The root cause teams concluded the original
infection was via malicious Microsoft
Word and Excel documents sent to employees
of the utility via public email. When opened
on corporate systems, the Office documents
would install malware that would spy on users
and report that activity to attackers on the
Internet. That malware captured usernames
and passwords from the corporate desktops
of remote personnel, and attackers then used
these stolen credentials to access the control
system. Once on the control system, the attacker
had full access, and used that access
to great effect.
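
A defender's view of the two weaknesses described above, as an added example that is not part of the original article: it flags remote logins that presented a password alone, and bursts of breaker-open commands by one account across several substations within a few minutes. The log format, field names, thresholds and sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in a hypothetical "time|kind|user|detail" format;
# none of these values come from the incident reports.
SAMPLE_LOG = """\
2015-12-23T09:05:00|login|operator1|factors=password+token
2015-12-23T09:40:00|breaker_open|operator1|substation=S07
2015-12-23T15:28:10|login|contractor7|factors=password
2015-12-23T15:30:05|breaker_open|contractor7|substation=S01
2015-12-23T15:30:50|breaker_open|contractor7|substation=S02
2015-12-23T15:31:40|breaker_open|contractor7|substation=S03
2015-12-23T15:33:15|breaker_open|contractor7|substation=S04
"""

def parse_events(text):
    """Turn each non-empty log line into a dict with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, kind, user, detail = line.strip().split("|", 3)
        key, _, value = detail.partition("=")
        events.append({"time": datetime.fromisoformat(stamp), "kind": kind,
                       "user": user, key: value})
    return events

def password_only_logins(events):
    """Remote logins that presented a password and no second factor."""
    return [e for e in events
            if e["kind"] == "login" and e["factors"].split("+") == ["password"]]

def breaker_bursts(events, window=timedelta(minutes=5), min_substations=3):
    """Users who opened breakers at many distinct substations within `window`."""
    alerts = []
    opens = sorted((e for e in events if e["kind"] == "breaker_open"),
                   key=lambda e: e["time"])
    flagged = set()
    for i, first in enumerate(opens):
        if first["user"] in flagged:
            continue
        subs = {e["substation"] for e in opens[i:]
                if e["user"] == first["user"]
                and e["time"] - first["time"] <= window}
        if len(subs) >= min_substations:
            flagged.add(first["user"])
            alerts.append((first["user"], first["time"], sorted(subs)))
    return alerts

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for e in password_only_logins(events):
        print("single-factor remote login:", e["user"], e["time"])
    for user, start, subs in breaker_bursts(events):
        print("breaker-open burst:", user, start, subs)
```
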
Power Generators Have Similar Vulnerabilities
The Ukraine cyberattack co-opted the authorized
remote access already in place for
remote maintenance and used this access
to operate substation breakers using the
human-machine interface. The utilities hit
by the attackers used reasonable perimeter
controls, but the attackers spent enough time
compromising the corporate infrastructure to
effectively gain access with the usernames
and passwords of authorized control system
personnel. The basic process followed by the
attackers is shown in Figure 2.
This attack was similar to monitoring the
service entrance of an important building and
watching employees enter their passcode for
access to the building. Eventually, the attacker
will see the PIN code and will be able to
enter the building.
Generation personnel have become familiar
with remote access to the plant via the
Internet, because many generation facilities
are very reliant on having remote personnel
service and troubleshoot issues. In an era of
increasingly small profit margins for many

Figure 1. Notice of hack. This web-translated announcement from Kyivoblenergo announces
its control system was hacked, but the post was deleted a few days later. Courtesy: Chris
Sistrunk