Newspaper article The Christian Science Monitor

Hard Lessons Emerge from Cyberattack on Ukraine's Power Grid

Article excerpt

A cyberattack linked to a December blackout in Ukraine signals new dangers for critical infrastructure operators such as power suppliers and other utilities, experts said Monday.

The fact is that many supervisory control and data acquisition (SCADA) systems - the type compromised in the Ukrainian attacks and utilized at countless other power facilities - aren't designed to be secure against digital attacks, said security researcher Peiter Zatko, also known by his hacker nom de guerre Mudge.

"They were designed to be in isolated environments that don't talk with the outside world," said Mr. Zatko. "You didn't want these to be connected to the Internet."

Zatko spoke at an event Monday cosponsored by Passcode and Harvard University's Belfer Center for Science and International Affairs to further explore the Ukraine cyberattack that many experts believe led to power outages for some 80,000 customers in the western region of Ivano-Frankivsk for nearly six hours.

The incident has sent shockwaves throughout the critical infrastructure sector in the US and beyond, and follows recent reports of hackers linked to Iran breaching networks at a dam outside Rye, N.Y., and at the major power supplier Calpine Corp. Renewed concerns about digital threats to the power grid have also led the Pentagon's Defense Advanced Research Projects Agency (DARPA) to devote $77 million to helping utilities defend against and recover from future cyberattacks.

A former security researcher at DARPA, Zatko said that many critical infrastructure companies have simply ignored security patches for industrial networks and that often companies making software for these facilities aren't security conscious enough. "The developers writing the code aren't thinking about security."

It also appears that Ukrainian facilities involved in the attack weren't following industry guidelines that could prevent hackers from gaining access to essential systems. Reuters recently reported that power utilities in Ukraine ignored their own rules regarding "air gaps" - separating critical control systems from the Internet - before December's attack. …
