USA TODAY US Edition

Experts warn of malware that targets electric grid

- Elizabeth Weise @eweise USA TODAY

SAN FRANCISCO - A new malware variant capable of knocking out networks that run power grids around the globe has been discovered by a computer security company studying an attack on the Ukrainian power grid.

The malicious code is capable of directly controlling electricity substation switches and circuit breakers and could potentially be used to turn off power distribution or to physically damage equipment used in the electricity distribution grid, researchers at ESET wrote in a paper posted Monday.

U.S. power providers are “properly alarmed,” especially at the sophistication of the program, said Sue Kelly, president and CEO of the American Public Power Association.

“We are going up a level in the video game here,” she said. The organization and the power companies it serves are working with national and international organizations and the U.S. government to analyze the malware and the threat it might pose.

Two things stand out about the malware, dubbed “Industroyer” by researchers — it’s an order of magnitude easier to use than previous programs, and it wasn’t actually deployed to do any real damage, meaning whoever is behind the December attack might simply have been testing the waters.

Industrial control networks of the type used in power systems use communications protocols that are much less secure than the kinds of computer networks used by banks, retailers and businesses.

“They were developed years ago, without security in mind. They weren’t designed for smart grids or interconnectedness,” said Robert Lipovsky, a senior malware researcher with ESET.

The United States has been concerned about possible attacks on the power system for years. President Trump’s cybersecurity executive order, signed in May, specifically asks for a report on dangers to the electrical grid, for example.

Industroyer’s ease of use is so disturbing because industrial systems are still playing security catch-up, said Raheem Beyah at the Georgia Institute of Technology in Atlanta.

“I knew we were going in this direction, but I didn’t think it would be this soon,” said Beyah, who teaches a course on infrastructure hacking and protection for graduate computer science students.

Beyah says the software needed to take down an electrical grid no longer requires the resources of a nation to create. Adding a module to the malware is now “something that a strong computer science graduate student could do,” he said.

There’s no evidence the malware has been deployed in the United States, but the highly sophisticated way it was written means it would be very simple to use here, experts say.

Worldwide there are close to 50 power control system protocols, but Industroyer’s modular system makes it easy to build a module aimed at a specific one and add it to the framework.

For example, the malware contained a module to attack IEC61850, the substation automation program used in Ukraine and common in many European electrical systems.

In the United States, the DNP3 program is more commonly used. Given the modular nature of the malware, it would be extremely easy to add a module that targeted the U.S. protocol, said Galina Antova, co-founder of Claroty, a company that provides industrial control security.

“It’s basically plug-and-play,” she said.

Creators of the malware aren’t known, though several people working in cybersecurity have pointed a finger at Russia or entities working for Russia, both because of the Russian-backed rebellion currently fighting in Ukraine and because it is known to have extensive cyber capabilities.

ESET researchers were investigating a cyberattack on Ukraine’s electrical system that took place on Dec. 17. The attack occurred at midnight and switched off just one substation, knocking out power to a small area of the capital Kiev.

It came about a year after an earlier cyber attack, which used different malware to knock out power to some 230,000 in Kiev.
