SAN FRANCISCO — A new malware variant capable of knocking out networks that run power grids around the globe has been discovered by a computer security company studying an attack on the Ukrainian power grid.
The malicious code is capable of directly controlling electricity substation switches and circuit breakers and could potentially be used to turn off power distribution or to physically damage equipment used in the electricity distribution grid, researchers at ESET wrote in a paper posted Monday.
U.S. power providers are “properly alarmed,” especially at the sophistication of the program, said Sue Kelly, president and CEO of the American Public Power Association.
“We are going up a level in the video game here,” she said. The organization and the power companies it serves are working with national and international organizations and the U.S. government to analyze the malware and the threat it might pose.
Automatic malware that attacks the electric grid is "a big deal," said Mark Weatherford, chief cybersecurity strategist at the security firm vArmour.
The danger of the malware is that it can automatically trip the breakers within a power system that keep the electrical lines from being overloaded. If one breaker is tripped, the load is shipped to another portion of the power grid. If enough are tripped, in the right places, it’s possible to create a cascading effect that will eventually overload the entire system, said Weatherford, who was formerly the chief security officer at the North American Electric Reliability Corporation, the regulatory authority for North American utilities.
“In some cases, it could then take days to restart all the plants,” he said.
Two things stand out about the malware, dubbed "Industroyer" by the researchers — it's an order of magnitude easier to use than previous programs and it wasn't actually deployed to do any real damage, meaning whoever's behind the December attack might simply have been testing the waters.
Industrial control networks of the type used in power systems use communications protocols that are much less secure than the kinds of computer networks used by banks, retailers and businesses.
"They were developed years ago, without security in mind. They weren't designed for smart grids or interconnectedness," said Robert Lipovsky, a senior malware researcher with ESET.
The United States has been concerned about possible attacks on the power system for years. President Trump's cybersecurity executive order, signed in May, specifically asks for a report on dangers to the electrical grid, for example.
Industroyer's ease-of-use is so disturbing because industrial systems are still playing security catch-up, said Raheem Beyah at the Georgia Institute of Technology in Atlanta.
“I knew we were going in this direction but I didn’t think it would be this soon,” said Beyah, who teaches a course on infrastructure hacking and protection for graduate computer science students.
Beyah says the software needed to take down an electrical grid no longer requires the resources of a nation to create. Adding a module to the malware is now "something that a strong computer science graduate student could do," he said.
There's no evidence the malware has been deployed in the United States, but the highly sophisticated way it was written means it would be very simple to use here, say experts.
Worldwide there are close to 50 power control system protocols, but Industroyer's modular system makes it easy to build a module aimed at a specific one and add it to the framework.
For example, the malware contained a module to attack IEC61850, the substation automation program used in Ukraine and common in many European electrical systems.
In the United States, the DNP3 protocol is more commonly used. Given the modular nature of the malware, it would be extremely easy to add a module that targeted the U.S. protocol, said Galina Antova, co-founder of Claroty, a company that provides industrial control security.
“It’s basically plug-and-play,” she said.
The code is “extremely alarming” because it could too easily be deployed against U.S. electric transmission and distribution systems to devastating effect, said Robert Lee, the CEO and founder of Dragos, an industrial control security company that also analyzed it.
The creators of the malware aren't known, though several working in cybersecurity have pointed a finger at Russia or entities working for Russia, both because of the Russian-backed rebellion currently fighting in Ukraine and because Russia is known to have extensive cyber capabilities.
ESET researchers were investigating a cyberattack on Ukraine's electrical system that took place on Dec. 17. The attack occurred at midnight and switched off just one substation, knocking out power to a small area of the capital Kiev. It came about a year after an earlier cyberattack, which used different malware to knock out power to some 230,000 in Kiev.
During the research, ESET came across the Industroyer malware. The malware discovered by ESET is capable of performing the same type of attack used in 2016, the cybersecurity company said.
Researchers who follow this field wonder if the Ukraine attack was merely a test or even a threat. The attackers did nothing to hide their attack or what they were doing.
“It’s starting to feel like the Ukraine attacks in 2015 and 2016 were a playground for someone running a proof of concept,” said Antova.
© 2017 USATODAY.COM