Cybercriminals have seemingly left no avenue for cybercrime unexplored. Federal and state governments have been hacked. Protected health information has been stolen. Hospitals have been held hostage by ransomware. Connected cars have been hijacked. In-flight entertainment systems have been overridden. Surveillance cameras have been remotely controlled. Nuclear facilities have had critical equipment compromised. Someone who didn’t know better might think we were on the brink of cyber warfare.
And now, thanks to a group of sophisticated hackers suspected to be Russian, even the electric grid is proven vulnerable to cyberattacks. This means protecting the power grid is no longer a future-thinking initiative. It’s today’s problem, and it’s a matter of national security.
Lights out in Ukraine
In what Wired contributor Kim Zetter has called a “cunning, unprecedented hack,” an unidentified group of cyberattackers recently managed to cause power outages in Ukraine. The blackouts took place the day before Christmas Eve, affecting more than 230,000 residents and lasting for up to six hours in some locations. The hackers also managed to disable backup systems of several power distributors. According to CNN, the attack was so effective that even call centers for reporting outages were knocked offline.
In her report, Zetter recounted an employee at one of the affected utility companies watching helplessly as the cursor moved of its own accord across the screen to shut down a substation. He was then kicked off the system. Upon attempting to log back in, he found that his credentials were no longer valid. Hackers had managed to override his account and change his password.
This isn’t the first time that hackers have gone after the electric grid. According to CNN, ISIS has been trying without success for a while now to breach the U.S. power grid. The good news is that they haven’t come even remotely close to being considered a viable threat.
Nevertheless, Congress is taking the possibility of a cyberattack on the grid seriously. The Senate’s current energy reform bill includes provisions that, if passed, would enforce enhanced power grid cybersecurity.
Strong authentication: It’s more serious than you think
So how exactly did hackers manage to pull off this remarkably terrifying cyberattack? The answer: months of planning and highly coordinated efforts that likely required a lot of resources.
In the shortest possible summary, it’s believed that it all started with a macro malware phishing scam that affected several Ukrainian utility providers. That was followed by months of surveillance and credential gathering. Finally, the attack was executed after the installation of malicious firmware on critical devices in substations.
For Ukrainians, all of this is as impressive as it is alarming. But for Americans, this should serve as an utterly terrifying wakeup call.
“The control systems in Ukraine were surprisingly more secure than some in the U.S., since they were well-segmented from the control center business networks with robust firewalls,” Zetter wrote. “But in the end they still weren’t secure enough—workers logging remotely into the SCADA network, the Supervisory Control and Data Acquisition network that controlled the grid, weren’t required to use two-factor authentication, which allowed the attackers to hijack their credentials and gain crucial access to systems that controlled the breakers.”
This is significant for two reasons. First, it suggests that in some parts of the U.S., the electric grid is more vulnerable than in Ukraine, where cybercriminals have already succeeded in causing blackouts.
Secondly, it’s a stark reminder of just how vital strong authentication is to cybersecurity. It’s impossible to say for sure that the attacks would have been less severe if the power distributors had used two-factor authentication. However, as Zetter pointed out, the fact that there was none certainly didn’t help the situation.
The moral of the story here is clear: Utility companies can’t afford to slouch on cybersecurity anymore, and that includes neglecting to implement multifactor authentication.
Next time the lights go out, it might be much closer to home, and the results could be far more catastrophic.