Cyberattack in Ukraine exposes U.S. power grid vulnerabilities
American investigators have concluded a coordinated cyberattack brought down much of Ukraine’s power grid on Dec. 23, leaving 225,000 Ukrainians without power for several hours.
The attack, executed over a period of six months, appears to be the first deliberate attempt to shut down a national electrical grid using cyber warfare, according to The New York Times.
Although Ukrainian officials blamed the Russians, American investigators have not officially named a suspect.
“They could be right,” one senior administration official told the Times, referring to Ukraine’s suspicions about Russia being behind the attack. “But so far we don’t have the complete evidence, and the attackers went to some lengths to hide their tracks.”
Whether Russia or Russian sympathizers were behind the attack, cyber security experts noted its scope was limited to part of the Ukrainian power grid, not the entire country, suggesting the intent may have been to send a political message.
“It was large enough to get everyone’s attention, and small enough not to prompt a major response,” Robert M. Lee of the SANS Institute told the Times.
Homeland security experts are interpreting the cyberattack both as a warning of how an even more sophisticated attack might occur and as a chance to understand the points of vulnerability in U.S. systems.
“When you see an action that’s this bold, the other side, whoever’s doing it, knows that it’s going to get recognized,” said David Inserra, a homeland and cyber security policy analyst at the Heritage Foundation. “So there’s a certain amount of, ‘look what we can do.’ But at the same time … you never want to give away what capabilities you have.”
The attack on the Ukrainian power grid involved directing malicious software against “industrial control systems,” which are common to all critical infrastructure, such as rail networks, water supplies, chemical factories, and refineries. The attackers effectively disconnected the link between the computers and the circuit breakers, even disabling the computers designed to turn on backup power supplies.
Because the Ukrainian electrical grid relies largely on older technology, engineers could restore power by manually switching the circuit breakers.
“The bad news for the United States is that we can’t do the same thing,” former ABC News anchor Ted Koppel told the Times. Koppel, whose recent book Lights Out details the vulnerability of the U.S. grid, noted American power companies need to precisely balance the amount of electricity generated and the amount used.
“And that can only be done over a system run on the internet,” he said. “The Ukrainians were lucky to have antiquated systems.”
But many cyber security experts believe the biggest vulnerability to U.S. critical infrastructure may not be industrial control systems. Six months prior to the Ukrainian blackout, the attackers gained entry to the grid by sending to the power companies’ offices a series of “spearphishing” emails containing Microsoft Word documents, according to a BBC report. When those documents were opened, they installed malware, allowing the attackers to completely map the Ukrainian system.
“Ultimately, I think the weakest chink in any armor when we talk about cyber … is people,” Inserra told me. “You can build a system which is very, very strong, but if the attackers get hold of credentials that authorize them to access x, y, or z, well then you’ve effectively taken off the armor that we’re trying to put on, and it leaves us much more vulnerable.”