When Cyber Warfare Gets Real: Ukraine and Israel

Books have been written warning of the vulnerability of electrical power systems to skilled hacking. Retired newsman Ted Koppel, for example, has written Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath. The book was criticized as fear-mongering.

Then a cyberattack took down electric utility service to some 80,000 customers in the Ukraine. The attack was sophisticated and multi-layered. Sometime around December 23, 2015, the malware called BlackEnergy was inserted into Ukraine’s power systems, probably through Microsoft Office documents. The unknown cough-Russian-cough attackers then used that access to open circuit breakers that cut power. After that, they likely used a wiper utility called KillDisk to thwart recovery efforts by erasing the electric utility’s hard drives and then waged denial-of-service attacks to prevent power company personnel from receiving customer reports of outages.

Pretty bad but, well, Ukraine’s electric grid was probably designed by the Russians, probably isn’t up to date, and might have been more vulnerable.

And then on January 25, 2016, Israel’s Electricity Authority experienced a serious hack attack. Details are a bit sketchy. Energy Minister Yuval Steinitz said, “We had to paralyze many of the computers of the Israeli Electricity Authority. We are handling the situation and I hope that soon, this very serious event will be over … but as of now, computer systems are still not working as they should.” Israel is a center of cybersecurity research; its defenses against digital malware are quite sophisticated. The Energy Minister stated the Electricity Authority’s response included shutting down portions of Israel’s electricity grid. The energy minister didn’t identify any suspects behind the attack or provide details about how it was carried out. The attack was timed for a period of cold weather in Israel when temperatures were low and demand for electric power was high.

If you think the security systems on all of America’s electric utility systems are as good as Israel’s, you may not understand the sophistication of hacking groups today, especially government-sponsored hacking groups. True, some of America’s systems are so old they aren’t connected to the internet; some are not even automated. But many are. And even a closed system can be compromised by a careless employee with a USB stick. According to rumor, that’s how the U.S. and Israel attacked Iran’s uranium enrichment program.

In 2015 alone, T-Mobile, Scottrade, Excellus Blue Cross, CVS Pharmacy, the U.S. Office of Personnel Management and, of course, the Internal Revenue Service were all hacked. Anthem, a national health care provider, lost 80 million customer records.

And many of us know well how fragile the U.S. power grid can be; the Northeast Blackout of 1993, a cascading failure traced to a software bug in an alarm system, shut down power to some 55 million people in the Northeastern U.S. and Canada. Alan Kay used to joke that if civil engineering was as pitiful as software engineering, the first woodpecker that came along would take down a skyscraper. Or, WC supposes, a power system.

It’s doubtful that the patchwork of electric utilities across the United States is any better protected than all those hacked companies. Something else to worry about.