For a long time computer security experts have warned about the threat hackers pose to the systems that help control the power stations, water treatment plants and transport systems we rely on.
Just before Christmas, that theoretical threat became all too real for more than 225,000 Ukrainians who were plunged into darkness by a sophisticated attack on one of the nation’s power companies.
The attackers struck late in the afternoon on 23 December and used the remote access they had gained to computers in the control centre of power firm Prykarpattyaoblenergo to flip circuit breakers and shut down substations.
In total, about 30 substations were turned off, including those that served one of the control rooms for Prykarpattyaoblenergo, so staff struggling to get the lights back on were forced to find a fix in the dark.
Even now, months after the attack, computer systems at the Ukrainian energy company are not quite fixed because the “Killdisk” malware used in the attack deleted key files.
Uncovering holes
It would have taken significant time and effort to carry out this sophisticated attack, said Stephen Ward, a senior director at security firm iSight Partners, which has analysed the sequence of events leading up to the attack.
The good news is that remotely shutting down power stations or similar infrastructure systems is really hard, he said.
“To make something happen on any of these systems you have to gain information to understand their processes. Those processes are completely different from industry to industry and even facility to facility.
“The basic software may be the same but you have to write the logic to control and create the process and that’s unique to the installation itself,” said Mr Ward.
That was certainly true in Ukraine. Reports into the attack reveal that the hackers behind it spent months inveigling their way into Prykarpattyaoblenergo’s computer systems so their co-ordinated strike would be as effective as possible.
The gang behind the Ukraine attack got in by tricking key staff into opening booby-trapped attachments on email messages crafted to look like they came from friends and colleagues.
Data police
But, said security expert Sergey Gordeychik, there are other ways to get at industrial control systems (ICS).
Mr Gordeychik helps co-ordinate Scada Strangelove – a community of security researchers who seek out ICS systems openly exposed online. Scada (Supervisory Control and Data Acquisition) systems are used to oversee plant and machinery in industrial installations.
“We can discover more than 80,000 different kinds of ICS systems connected to the internet directly,” he told the BBC.