- Cyber attack in Ukraine over Christmas 2015 marks the first widely publicised hack of a power station.
- A ‘steady flow’ of publicly disclosed attacks on operational technology has emerged in recent years.
- Many common vulnerabilities are basic security hygiene issues.
In 2009, malware was unleashed on the computer systems of the Natanz nuclear facility in Iran. Described as ‘the most menacing malware in history’, Stuxnet was designed to sabotage the nation’s uranium enrichment programme. The attack, which lasted for over a year before detection and was reportedly a joint project by US and Israeli forces, managed to destroy almost a fifth of the facility’s centrifuges by causing them to spin out of control.
Many people in the cyber security industry have known since the Stuxnet attack that operational technology (OT) – the computer systems that control everything from power stations to traffic light networks and other critical national infrastructure – can become the target of malicious hackers. However, utilities and other infrastructure firms have not traditionally diverted as many resources to securing those technologies as they have to securing the information on their corporate systems.
Since the now-famous Stuxnet incident was revealed in 2010, we have seen a steady flow of publicly disclosed attacks on operational technology. Last week it was reported that hackers were able to gain control of OT at a Ukrainian power company over the Christmas holiday period, causing a blackout that left 80,000 homes in the affected area without power for several hours.
First power company hack – but is it the last?
To some, the Ukrainian power utility hack may seem more of an inconvenience than a real threat that individuals and organisations need to be concerned about. However, as this is the first cyber attack we know of that has affected the power supply of a country, it illustrates the potential for these attacks to be used as instruments of war or terrorism. Future attacks need to be monitored to determine if this is the start of a new trend that sees attackers’ motives and targets changing from corporate systems to operational technology.
While it is very hard to pinpoint who actually carried out the attack and what their motives were, Ukrainian state security has said that it looks to be a Russian-based hacking group, later identified by a US cyber intelligence firm as Sandworm. There is no evidence to suggest that Sandworm is state sponsored; however, the group has previously been identified as targeting NATO energy firms and industrial control systems in the US (prompting an alert from the government), as well as other sensitive systems across Europe.
The malware deployed in the attack, known as BlackEnergy, had previously been used against Ukrainian targets such as a media house during local elections.
A cyber attack on an OT environment has the potential for serious and wide-ranging consequences beyond just financial losses and far beyond the confines of the organisation itself. This can include prolonged outages of critical services, environmental damage and even loss of human life.
With the realisation that attackers’ modus operandi is changing, organisations must shift the balance of their focus from corporate systems towards addressing the increasing security risks of operational technology. Based on insights from PwC’s global assessment programmes of client OT systems, we have observed a number of common vulnerabilities, many of which are basic security hygiene issues.
Gaining a handle on the cyber security of corporate systems such as email, websites and e-commerce systems has long been a priority; however, in light of these new incidents it is imperative that organisations swiftly assess and address the security risks of their operational technology at the same time.