Cyber-Firefighters Shine in the Darkness
On December 23rd, 2015 the cold, Ukrainian night was aglow with winter lights and decorations. As families closed their eyes to fall asleep and have darkness envelop them, darkness began to spread around western Ukraine; the lights went out. 225, 000 people in western Ukraine suddenly lost all electric power and had no idea as to why.
All at once, 103 cities were “completely blacked out,” and parts of 186 cities were left partially in the dark. During this blackout, many of those affected were unable to report their outage. Mystery added weight to the darkness, as call centers at Prykarpattya Oblenergo and another energy provider, Kyivoblenergo, were blocked from receiving calls from customers. The call centers were inundated with thousands of calls all at once from a cryptic source.
Prykarpattya Oblenergo was forced to send out response teams across western Ukraine to manually switch on all of the power generators which had inexplicably switched off. As the Prykarpattya engineers tried to turn the power back on, they discovered that a virus had erased the computers that the engineers use to monitor equipment during such outages. This left the engineers with no way to turn the lights back on through technical means. The engineers were forced to go “old-school” and travel to each station individually. After a few hours, the engineers reached all of the power stations that service the cities, manually flipped on the switches, and there was light again in western Ukraine. With stories of the turmoil of the crisis in eastern Ukraine reaching the ears of those in the west daily, it was only natural to assume the worst; thoughts like these were not too far off.
Thousands of miles away, a phone rang. An Incident Response Team, the NPPD equivalent of a quick reaction force, prepared to be deployed to assist the Ukrainian government and the power companies in their investigations. Incident Response Teams from the National Cybersecurity and Communications Integration Center (NCCIC)/Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the U.S. Computer Emergency Readiness Team (US-CERT), all of whom are a part of NPPD, stacked up and deployed to Ukraine to assist in the investigation as part of a U.S. inter-agency team.
Incidents like these, while rare, are a perfect example of the work that NPPD carries out in order to keep cyber systems free and defended from hackers. The Department of Homeland Security’s National Protection and Programs Directorate (NPPD) is tasked, among other things, with protecting the United States’ critical infrastructure, like power grids, from cyber-attacks like this.
America is made up of networks and systems, from communicating and traveling to banking and shopping. Like the highways that move us from place to place, electrical grids and the internet are made up of infrastructure; critically important to people and businesses across the world, these infrastructures have earned the moniker “critical infrastructure.” Not unlike how the infrastructure that transports people from place to place is vulnerable to attacks, the infrastructure that moves information is also at risk from terrorist and cyber-attacks or even natural disasters, like hurricanes or floods. NPPD analysts work 24 hours a day, seven days a week, to monitor these critical infrastructures in order to defend against attacks, with their Incident Response Teams being their equivalent of cyber firefighters.
An Incident Response Team, a team of four to six designated experts in the field of cybersecurity, is always packed with the critical equipment needed for any perceivable task, ready to depart at a moment’s notice to fix any cyber crisis. The Incident Response Teams, also casually called “Fly Away Teams” are similar to deployable firefighters- but for computer and information systems. They are not always fighting fires or cyber hacks; other times they’re doing the cybersecurity equivalent of talking to kids, testing smoke alarms, and other proactive activities to prevent fires. NPPD and their various teams and subdivisions travel out to different agencies and private businesses to discuss best practices, plan strategies, and teach them to identify potential distribution vectors for malware in order to protect against it and learn how to notice it. If only Prykarpattya Oblenergo followed the lead of another Ukrainian power company, who completed an industry recognized malware search which detected and removed a very specific malware before anything bad had happened. The malware was called BlackEnergy and is well known in the cyber-security realm.
Cybercriminals have been exploiting the BlackEnergy since at least 2007 through various, edited versions. The attack scenario is a simple one. The target, such as a power company or a corporation, receives a phishing email that contains an attachment with a malicious document, for instance a Word document. Once opened, the target ends up infected with BlackEnergy- showing how one small, inadvertent click on something that looks harmless can cause massive software vulnerabilities.
Prykarpattya Oblenergo was the first electricity failure caused by a computer hack according to the U.S. Department of Homeland Security. It would be ignorant to believe that a hack that shuts down a major power grid could only happen in a country like Ukraine. BlackEnergy has been found to be the culprit in a hack to target NATO and, must worrying for those of us here in the United States, even found on systems used by the United States government and on other critical infrastructure. Luckily, the experts at NPPD and Homeland Security were able to discover the intrusion before the malware had a chance to damage, modify, or otherwise disrupt any of the industrial systems or critical infrastructure in the United States, speaking to the success and importance of those that work at NPPD.
NPPD is a lot like television’s Dr. Gregory House, but focused instead on computer viruses rather than those of the body…and hopefully a lot nicer. They are not concerned about who did the hack; they instead seek out the technical issues and focus on how best to formulate a plan to fix the issue for those who come to them for help. In the past, DHS has warned that BlackEnergy has infected various industrial control systems that make up a substantial portion of the critical infrastructure. With the American energy grid becoming increasingly more automated, any American energy company that falls victim to the same kind of attack as the one in Ukraine would be much more hard pressed to quickly turn back on their power grids by hand.
The above situation speaks to the importance of the Department of Homeland Security’s National Protection and Programs Directorate. From diagnostician like computer analysts, to the firefighter like members of the Fly Away teams, NPPD is uniquely positioned and prepared to protect the United States from attacks on our critical infrastructure.
The investigation has not officially named a culprit in the BlackEnergy cyber-attacks. While the attacks shut down power grids and darkened many people’s night lights, it shone a light on the vulnerabilities of critical infrastructures around the world and in our own country. We wouldn’t feel safe driving on a bridge that had no protection, so why shouldn’t we protect our information highway?