IEEE Power & Energy Magazine - September/October 2016 - 53

breach unprotected electric equipment connected to an electric grid. It should now be clear that the Aurora risk is public
information that provides a formula for potential execution.
In fact, the December 2015 Ukrainian cyberattack was carried out using an approach very similar to Aurora.

Ukraine Cyberattack (2015)
On 23 December 2015, unknown attackers staged a wellcoordinated attack concurrently across three Ukrainian
regional energy distribution companies, a large Ukrainian
mining company, and a large Ukrainian rail company. The
attacks against the three electric distribution utilities commenced within 30 min of one another and impacted approximately 225,000 customers. The preparation for these attacks
initiated with phishing e-mails containing BlackEnergy 3
malware, which utilizes randomly generated bots, or web
robots, to support distributed denial of service attacks.
BlackEnergy was implanted to steal legitimate user virtual
private network (VPN) credentials. The attackers then used
the stolen VPN credentials to connect to the ICS/SCADA
network and remote access tools to control the SCADA
human-machine interfaces (HMIs).
Once inside these systems, the attackers had complete
access and ability to remotely control (open/close) the substation breakers. The attackers then installed their own custom
firmware on serial-to-Ethernet converters on devices at substations to disable them and reportedly executed KillDisk, a
software utility used erase and securely destroy all data on
storage devices, erase master boot records, and delete selected
logs. In at least one instance, Windows-based HMIs embedded in remote terminal units were also overwritten with KillDisk. The perpetrators also reportedly scheduled disconnects
for server uninterruptable power supplies (UPS) via the UPS
remote management interfaces; this was likely done to interfere
with restoration efforts. A denial-of-service attack was also
executed on the power companies' telephone systems, creating
further confusion for customers calling in to report an outage.
This attack reflects how deeply the electric utility industry has evolved into a new interconnected, cyber-dependent
set of operating systems that very few people, and perhaps
fewer utility industry leaders, fully and holistically understand. What is apparent is the challenge and effort by utilities to completely secure and defend these systems may be
even more difficult than the efforts by aggressors needed to
infiltrate and cause serious damage. It is important to note
that the methods utilized by the hackers were not necessarily
sophisticated but were well coordinated and demonstrated
the susceptibility of electric systems. Translation: the hackers made it look very easy.
This scenario can be considered a "benign" version of
the Aurora attack, as relays were remotely opened only.
As there was no equipment damage, engineers were able
to operate the system manually. Had the perpetrators chosen to close the circuit breakers out of phase, causing the
Aurora condition, the results could have been much worse,
september/october 2016

including equipment destruction. In this case, recovery might
have spanned at least several months and may have required
millions of dollars to replace damaged generation and transmission equipment.
The U.S. DHS issued an alert in 25 February 2006 that
emphasized that power companies should isolate ICS networks from any untrusted networks, especially the Internet.
This directive was easy to suggest, yet proved very difficult
to actually implement. The leaders of most companies surely
understand conceptually that action is required, but without
specificity these directives are not seen as practically implementable. In fact, according to a DHS ICS CERT Monitor
newsletter, many affected parties have struggled with such
advice, and the DHS now believes this is a prime factor in
how BlackEnergy has entered U.S. electric grids.
As previously highlighted, the Energy Policy Act of
2005 was the main impetus for FERC to designate NERC
as the electric reliability organization in 2007. Upon FERC's
approval, NERC's reliability standards became mandatory
within the United States. These mandatory standards include
CIP standards along with a number of additional requirements that are intended to address the security of cyberassets within the bulk electric system. These standards are the
only mandatory cybersecurity standards in place across the
U.S. electric grid infrastructure. Compliance with the standards does not protect an entity from all dangers. The initial
standards simply could not possibly cover every conceivable
risk. Considering all we know today, a vigilant utility must
go much further than nominal NERC CIP compliance.

What Does the Industry Need?
Given all the risks highlighted, what are the implications to
U.S. power companies, electric utilities, and independent system operators/regional transmission organizations all working to comply with NERC CIP requirements? (See Figure 2
for current NERC CIP standards.) Simply put, it means they
have more work to do to protect their operations. While compliance with the standards has been a good starting point for
utilities, the fact is that only certain equipment is covered
(equipment deemed critical) while other important devices
are not included under the standards' provisions. For instance,
SCADA and substations for subtransmission and distribution
facilities are not captured under the standards. Serial communication devices, such as serial-to-Ethernet convertors, are not
specified under the standards. Nor are embedded web browsers, such as in the UPS, included as a compliance requirement. These three examples reflect just a few of the categories
of unguarded equipment susceptible as entry points of attack.
Another concern experts have highlighted is the lack of
a requirement to take action to remove malware when it is
identified. The standards require only that the presence of
malware needs to be reported and accounted for. As the DHS
has stated, BlackEnergy currently resides in systems connected to the U.S. electrical grids; yet even for those inflicted,
the standards do not specifically require that malware such
ieee power & energy magazine

53



Table of Contents for the Digital Edition of IEEE Power & Energy Magazine - September/October 2016

IEEE Power & Energy Magazine - September/October 2016 - Cover1
IEEE Power & Energy Magazine - September/October 2016 - Cover2
IEEE Power & Energy Magazine - September/October 2016 - 1
IEEE Power & Energy Magazine - September/October 2016 - 2
IEEE Power & Energy Magazine - September/October 2016 - 3
IEEE Power & Energy Magazine - September/October 2016 - 4
IEEE Power & Energy Magazine - September/October 2016 - 5
IEEE Power & Energy Magazine - September/October 2016 - 6
IEEE Power & Energy Magazine - September/October 2016 - 7
IEEE Power & Energy Magazine - September/October 2016 - 8
IEEE Power & Energy Magazine - September/October 2016 - 9
IEEE Power & Energy Magazine - September/October 2016 - 10
IEEE Power & Energy Magazine - September/October 2016 - 11
IEEE Power & Energy Magazine - September/October 2016 - 12
IEEE Power & Energy Magazine - September/October 2016 - 13
IEEE Power & Energy Magazine - September/October 2016 - 14
IEEE Power & Energy Magazine - September/October 2016 - 15
IEEE Power & Energy Magazine - September/October 2016 - 16
IEEE Power & Energy Magazine - September/October 2016 - 17
IEEE Power & Energy Magazine - September/October 2016 - 18
IEEE Power & Energy Magazine - September/October 2016 - 19
IEEE Power & Energy Magazine - September/October 2016 - 20
IEEE Power & Energy Magazine - September/October 2016 - 21
IEEE Power & Energy Magazine - September/October 2016 - 22
IEEE Power & Energy Magazine - September/October 2016 - 23
IEEE Power & Energy Magazine - September/October 2016 - 24
IEEE Power & Energy Magazine - September/October 2016 - 25
IEEE Power & Energy Magazine - September/October 2016 - 26
IEEE Power & Energy Magazine - September/October 2016 - 27
IEEE Power & Energy Magazine - September/October 2016 - 28
IEEE Power & Energy Magazine - September/October 2016 - 29
IEEE Power & Energy Magazine - September/October 2016 - 30
IEEE Power & Energy Magazine - September/October 2016 - 31
IEEE Power & Energy Magazine - September/October 2016 - 32
IEEE Power & Energy Magazine - September/October 2016 - 33
IEEE Power & Energy Magazine - September/October 2016 - 34
IEEE Power & Energy Magazine - September/October 2016 - 35
IEEE Power & Energy Magazine - September/October 2016 - 36
IEEE Power & Energy Magazine - September/October 2016 - 37
IEEE Power & Energy Magazine - September/October 2016 - 38
IEEE Power & Energy Magazine - September/October 2016 - 39
IEEE Power & Energy Magazine - September/October 2016 - 40
IEEE Power & Energy Magazine - September/October 2016 - 41
IEEE Power & Energy Magazine - September/October 2016 - 42
IEEE Power & Energy Magazine - September/October 2016 - 43
IEEE Power & Energy Magazine - September/October 2016 - 44
IEEE Power & Energy Magazine - September/October 2016 - 45
IEEE Power & Energy Magazine - September/October 2016 - 46
IEEE Power & Energy Magazine - September/October 2016 - 47
IEEE Power & Energy Magazine - September/October 2016 - 48
IEEE Power & Energy Magazine - September/October 2016 - 49
IEEE Power & Energy Magazine - September/October 2016 - 50
IEEE Power & Energy Magazine - September/October 2016 - 51
IEEE Power & Energy Magazine - September/October 2016 - 52
IEEE Power & Energy Magazine - September/October 2016 - 53
IEEE Power & Energy Magazine - September/October 2016 - 54
IEEE Power & Energy Magazine - September/October 2016 - 55
IEEE Power & Energy Magazine - September/October 2016 - 56
IEEE Power & Energy Magazine - September/October 2016 - 57
IEEE Power & Energy Magazine - September/October 2016 - 58
IEEE Power & Energy Magazine - September/October 2016 - 59
IEEE Power & Energy Magazine - September/October 2016 - 60
IEEE Power & Energy Magazine - September/October 2016 - 61
IEEE Power & Energy Magazine - September/October 2016 - 62
IEEE Power & Energy Magazine - September/October 2016 - 63
IEEE Power & Energy Magazine - September/October 2016 - 64
IEEE Power & Energy Magazine - September/October 2016 - 65
IEEE Power & Energy Magazine - September/October 2016 - 66
IEEE Power & Energy Magazine - September/October 2016 - 67
IEEE Power & Energy Magazine - September/October 2016 - 68
IEEE Power & Energy Magazine - September/October 2016 - 69
IEEE Power & Energy Magazine - September/October 2016 - 70
IEEE Power & Energy Magazine - September/October 2016 - 71
IEEE Power & Energy Magazine - September/October 2016 - 72
IEEE Power & Energy Magazine - September/October 2016 - 73
IEEE Power & Energy Magazine - September/October 2016 - 74
IEEE Power & Energy Magazine - September/October 2016 - 75
IEEE Power & Energy Magazine - September/October 2016 - 76
IEEE Power & Energy Magazine - September/October 2016 - 77
IEEE Power & Energy Magazine - September/October 2016 - 78
IEEE Power & Energy Magazine - September/October 2016 - 79
IEEE Power & Energy Magazine - September/October 2016 - 80
IEEE Power & Energy Magazine - September/October 2016 - 81
IEEE Power & Energy Magazine - September/October 2016 - 82
IEEE Power & Energy Magazine - September/October 2016 - 83
IEEE Power & Energy Magazine - September/October 2016 - 84
IEEE Power & Energy Magazine - September/October 2016 - 85
IEEE Power & Energy Magazine - September/October 2016 - 86
IEEE Power & Energy Magazine - September/October 2016 - 87
IEEE Power & Energy Magazine - September/October 2016 - 88
IEEE Power & Energy Magazine - September/October 2016 - 89
IEEE Power & Energy Magazine - September/October 2016 - 90
IEEE Power & Energy Magazine - September/October 2016 - 91
IEEE Power & Energy Magazine - September/October 2016 - 92
IEEE Power & Energy Magazine - September/October 2016 - Cover3
IEEE Power & Energy Magazine - September/October 2016 - Cover4
https://www.nxtbook.com/nxtbooks/pes/powerenergy_091020
https://www.nxtbook.com/nxtbooks/pes/powerenergy_070820
https://www.nxtbook.com/nxtbooks/pes/powerenergy_050620
https://www.nxtbook.com/nxtbooks/pes/powerenergy_030420
https://www.nxtbook.com/nxtbooks/pes/powerenergy_010220
https://www.nxtbook.com/nxtbooks/pes/powerenergy_111219
https://www.nxtbook.com/nxtbooks/pes/powerenergy_091019
https://www.nxtbook.com/nxtbooks/pes/powerenergy_070819
https://www.nxtbook.com/nxtbooks/pes/powerenergy_050619
https://www.nxtbook.com/nxtbooks/pes/powerenergy_030419
https://www.nxtbook.com/nxtbooks/pes/powerenergy_010219
https://www.nxtbook.com/nxtbooks/pes/powerenergy_111218
https://www.nxtbook.com/nxtbooks/pes/powerenergy_091018
https://www.nxtbook.com/nxtbooks/pes/powerenergy_070818
https://www.nxtbook.com/nxtbooks/pes/powerenergy_050618
https://www.nxtbook.com/nxtbooks/pes/powerenergy_030418
https://www.nxtbook.com/nxtbooks/pes/powerenergy_010218
https://www.nxtbook.com/nxtbooks/pes/powerenergy_111217
https://www.nxtbook.com/nxtbooks/pes/powerenergy_091017
https://www.nxtbook.com/nxtbooks/pes/powerenergy_070817
https://www.nxtbook.com/nxtbooks/pes/powerenergy_050617
https://www.nxtbook.com/nxtbooks/pes/powerenergy_030417
https://www.nxtbook.com/nxtbooks/pes/powerenergy_010217
https://www.nxtbook.com/nxtbooks/pes/powerenergy_111216
https://www.nxtbook.com/nxtbooks/pes/powerenergy_091016
https://www.nxtbook.com/nxtbooks/pes/powerenergy_070816
https://www.nxtbook.com/nxtbooks/pes/powerenergy_050616
https://www.nxtbook.com/nxtbooks/pes/powerenergy_030416
https://www.nxtbook.com/nxtbooks/pes/powerenergy_010216
https://www.nxtbook.com/nxtbooks/ieee/powerenergy_010216
https://www.nxtbook.com/nxtbooks/pes/powerenergy_111215
https://www.nxtbook.com/nxtbooks/pes/powerenergy_091015
https://www.nxtbook.com/nxtbooks/pes/powerenergy_070815
https://www.nxtbook.com/nxtbooks/pes/powerenergy_050615
https://www.nxtbook.com/nxtbooks/pes/powerenergy_030415
https://www.nxtbook.com/nxtbooks/pes/powerenergy_010215
https://www.nxtbook.com/nxtbooks/pes/powerenergy_111214
https://www.nxtbook.com/nxtbooks/pes/powerenergy_091014
https://www.nxtbook.com/nxtbooks/pes/powerenergy_070814
https://www.nxtbook.com/nxtbooks/pes/powerenergy_050614
https://www.nxtbook.com/nxtbooks/pes/powerenergy_030414
https://www.nxtbook.com/nxtbooks/pes/powerenergy_010214
https://www.nxtbookmedia.com