Power Grid Malware: Don't Freak Out, But Do Prepare
No Need For Building Bunkers Just Yet, Robert M. Lee Says
Power grids have twice been disrupted by malware. And both times, the outages occurred in Ukraine.
The disruptions, which happened in 2015 and again in 2016, were the focus of a briefing delivered at this week's Black Hat 2017 conference in Las Vegas by researchers from two cybersecurity firms that helped Ukraine investigate the attacks: ESET and Dragos.
The attacks are notable because, before them, researchers had found only three pieces of malware designed to target industrial control systems: Stuxnet, Havex and BlackEnergy2. And the malware recovered from last year's attack - called Industroyer and CrashOverride - could be repurposed to disrupt almost any other power grid in the world.
In an audio interview with Information Security Media Group, Robert M. Lee, CEO of Dragos, says it's unlikely that we'll soon see similar attacks targeting power grids in Asia, the Middle East, Europe or North America. But he does expect other groups to learn from this malware and put it to use, going forward.
"I think the nuance here is it's concerning, and it's alarming, it's escalatory from what we've seen, and it deserves strong [condemnation], especially internationally, but it's not to the point yet where people should be freaking out or building bunkers or anything silly like that," Lee says.
In this audio interview, Lee also discusses:
- How the tradecraft used by CrashOverride and other industrial control system malware will be absorbed by other attackers and likely appear in other conflicts;
- Why attribution is useful for strategic-level players, but not network-level responders;
- The need to track and understand the various teams that are writing and launching ICS malware.
Lee is an expert in the security of industrial control system and supervisory control and data acquisition (SCADA) architectures. He co-founded the industrial cybersecurity company Dragos and now serves as its CEO. He's also a certified instructor in active defense, incident response and cyber threat intelligence for SANS Institute; a non-resident national cybersecurity fellow at the non-partisan think tank New America; and an adviser to the Cyber Resilient Energy Delivery Consortium. Lee formerly served as a cyber warfare operations officer in the U.S. Air Force.