How Industroyer could damage the world's power grids

Security researchers at ESET have uncovered a type of malware that could have caused the 2016 blackout in the Ukrainian capital, Kiev.

In mid-December last year, a cyberattack caused damage to a substation in the northern part of the city, which caused the blackout in that area.

The attack took place exactly one year after the major blackout caused by the malware BlackEnergy that hit many regions across Ukraine in December 2015, leaving 250,000 households without power. That's where the similarities end, though, according to ESET.

ESET has found and analysed samples of an unrelated malware, called Industroyer, that could have caused the type of damage seen in the 2016.

Whereas BlackEnergy attack used legitimate remote access software to control operators' workstations, cutting off power, Industroyer is capable of controlling electricity substation switches and circuit breakers directly. Technically, the potential impact of the of the malware ranges from simply turning off the power supply to cascading failures and serious physical damage to equipment.

Worryingly, the communication protocols it takes advantage of aren't unique to the Ukrainian energy grid, but are in fact used worldwide not just in power supply infrastructure, but also in critical systems like transport, water and gas.

"Industroyer's dangerousness lies in the fact that it uses protocols in the way they were designed to be used," said Anton Cherepanov, senior malware researcher at ESET, in a blog post."The problem is that these protocols were designed decades ago, and back then industrial systems were meant to be isolated from the outside world.

"Thus, their communication protocols were not designed with security in mind. That means that the attackers didn't need to be looking for protocol vulnerabilities; all they needed was to teach the malware 'to speak' those protocols."

He added: "While in principle it's difficult to attribute attacks to malware without performing an on-site incident response, it's highly probable that Industroyer was used in the December 2016 attack on the Ukrainian power grid. On top of the fact that the malware clearly possesses the unique capabilities to perform the attack, it contains an activation timestamp for 17 December, 2016, the day of the power outage."

Following the disclosure by ESET of its research into Industroyer, Terry Ray, chief product strategist at Imperva, said: "We are beginning to see an uptick in infrastructure attacks and in the case of Industroyer, the attackers seem to have extensive knowledge about industrial control protocols.

"While these attackers seem to be content to disrupt the system, it's not outside the realm of possibility that they could take things a step further and inflict damage to the systems themselves. While ICS [industrial control systems] are used heavily in energy and water, both certainly critical infrastructure, it is also used in large scale automation, which can include, manufacturing, shipping, aerospace and other industries that should also take note of such exploits."

Main image credit: Bigstock

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.