How the Industroyer Malware Took the Ukraine Power Grid Offline

 In Industry Highlights

Industroyer

Industroyer was the malware responsible for taking the Ukraine electrical grid offline for approximately one hour in 2016.  I have written about cybersecurity and system hacking previously, but this particular attack is unique in multiple ways.

What is Industroyer?

More information has recently come to light about this malware and how it took down the Ukraine grid.  According to Slovakian IT-security company ESET, Industroyer is a malware that is specifically designed to infiltrate power grids. You can read the technical details of the malware here.

In Ukraine, the malware exploited a specific vulnerability in Siemens SIPROTEC 4 and SIPROTEC devices, triggering a denial-of-service (DoS) attack that blocked the systems’ online connectivity.  This allowed the malware to penetrate the substation’s firewalls and create a backdoor entry point, which it then copied in order to make that entry point more difficult to close.

Using the backdoor, Industroyer compromised the substation’s circuit breakers and relays, time-stamping an exact day and time to take the grid offline.  Once that time arrived, it triggered the specific commands necessary to trip the circuit breakers, take the substation offline, and interrupt the power supply.  Industroyer then deployed a “data wiper” to seek out and delete files associated with the workstation software used to control the relays, and then crashed the entire system.

From an emergency preparedness perspective, this is scary stuff.  Malware can take entire grids offline, forcing an outage situation that is difficult to recover from.  And according to the article linked above, the log files from the Ukraine attack suggest that this attack is likely not the last one.

Bottom line: use Industroyer as an example of how to incorporate cyber-attacks into emergency training, exercises and drills, because a “cyber” restoration is clearly its own animal.
