Summary.
Every developed country depends heavily on the operation of its electric power system, and this dependence is expected to grow over time. Stable operation is influenced by many factors, some of them random (e.g. weather), but the human factor also has a large impact on reliability. In this paper we deal with those special cases of deliberate damage in which the attacker harms the basic operation of the electric power system through the computer systems that supervise and control it. To this end we review how the two systems are intertwined and examine the incidents of this kind that occurred in Ukraine over the past eight years. We summarize and analyze these events and make recommendations on what can be done to avoid such harmful events, keeping in mind the principle of "prevention, detection, response".
Summary.
All developed countries are highly dependent on the operation of electric power systems, and this dependence will probably increase. Many factors influence stable operation, some of which are random (weather or failures of devices and cables); however, human activities also have a significant impact on reliability. In this paper, we deal with special cases of attacks that achieve a detrimental effect on the electric power system by compromising the controlling and monitoring computer systems. To support the reader, we first analyze the key components of the physical and cyber parts of the system to provide an understanding of how these domains are intertwined: it is a cyber-physical system. We further elaborate on how an event can spread from one domain to the other. Then, a series of actual examples underlines the importance of this topic, focusing on malicious acts committed with the goal of sabotaging the power system. Thereafter, we analyze cyber-attacks committed during the last eight years in Ukraine. Most of these targeted the Ukrainian electric power system, aiming for blackouts and device destruction. Some of the attacks had severe consequences in other European countries as well. However, some attacks were successfully stopped before any harm was done. After analyzing the events, we conclude that the threat actors' focus shifted from causing short-term blackouts to device destruction and long-term breakdowns. In the last part of our paper, we enumerate mitigation methods for operators. Our enumeration is based on the PreDeCo principle, namely prevention, detection, and correction. In conclusion, the defender must separate its networks by purpose, use strong authentication and authorization, and have proper patch management policies. These measures must be verified with regular penetration tests. As the Ukrainian examples show, the threat actor can sometimes evade preventive measures; thus, good detection is necessary.
Detection is based on analyzing the output of intrusion detection systems and detailed logging facilities. The analysis should be done in the security operations center by experts with knowledge of both cyberspace and electric power system operations. In case of an incident, the security operations center must take corrective steps, with the help of external experts where needed. The corrective steps include understanding the incident, recovering from it, preventing similar incidents in the future, and performing digital forensics on the incident.
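The summary names three of the defender's building blocks: network separation by purpose, a maintenance process for changes to field devices, and detection by analyzing detailed logs in the security operations center. The following added example (written for this page; it is not code from the paper or from any product) shows what such log analysis can look like in practice: a small rule set run over a constructed substation gateway log. The log line layout, the IP ranges, the action names, the maintenance window and the burst threshold are all assumptions chosen for the example. The rules flag state-changing commands that do not originate from the control-centre segment (a segmentation violation), engineering writes outside the maintenance window, and one source commanding many distinct field devices in a short time, which is the kind of pattern an analyst with power-system knowledge would want surfaced for review.

```python
"""Added example: rule-based review of a substation gateway command log.

The log format, IP ranges, action names and thresholds are assumptions made
for this example; they are not taken from any real product or from the paper.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress
import re

# Assumed gateway log line layout:
#   <ISO timestamp> <source IP> <destination IP> <protocol> <action> <detail>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)$")

# Assumed segmentation policy: only the control-centre SCADA/HMI segment may
# issue commands to field devices (RTUs, protection relays).
OT_CONTROL_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
# Assumed engineering window: configuration and firmware writes are expected
# only during working hours; outside it they are treated as suspicious.
MAINT_WINDOW = (time(8, 0), time(16, 0))
# Actions that change the state or configuration of field devices.
STATE_CHANGING = {"CONTROL_CMD", "CONFIG_WRITE", "FIRMWARE_WRITE"}
ENGINEERING = {"CONFIG_WRITE", "FIRMWARE_WRITE"}
# Burst rule: one source commanding this many distinct devices within
# BURST_SECONDS is unusual for routine operation and is raised once per source.
BURST_DEVICES = 4
BURST_SECONDS = 60


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    reason: str


def parse_line(line):
    """Return (datetime, src, dst, proto, action, detail) or None if unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, action, detail = m.groups()
    return datetime.fromisoformat(ts), src, dst, proto, action, detail


def analyze(lines):
    """Apply the three rules to an iterable of log lines and return the alerts."""
    alerts = []
    recent = defaultdict(deque)   # src -> deque of (datetime, dst) for CONTROL_CMD
    burst_flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        dt, src, dst, proto, action, detail = rec
        if action not in STATE_CHANGING:
            continue          # reads and interrogations are not reviewed here
        ts = dt.isoformat()
        # Rule 1: commands must come from the control segment.
        if ipaddress.ip_address(src) not in OT_CONTROL_SEGMENT:
            alerts.append(Alert(ts, src, dst,
                                "state-changing command from outside control segment"))
        # Rule 2: engineering writes belong inside the maintenance window.
        if action in ENGINEERING and not (MAINT_WINDOW[0] <= dt.time() <= MAINT_WINDOW[1]):
            alerts.append(Alert(ts, src, dst, "engineering write outside maintenance window"))
        # Rule 3: one source operating many devices within a short window.
        if action == "CONTROL_CMD":
            q = recent[src]
            q.append((dt, dst))
            while (dt - q[0][0]).total_seconds() > BURST_SECONDS:
                q.popleft()
            distinct = {d for _, d in q}
            if len(distinct) >= BURST_DEVICES and src not in burst_flagged:
                burst_flagged.add(src)
                alerts.append(Alert(ts, src, dst,
                                    f"{len(distinct)} devices commanded within {BURST_SECONDS}s"))
    return alerts


# Constructed sample log: routine operator activity from the control segment,
# then a run of commands from a host outside it, then an after-hours config write.
SAMPLE_LOG = """\
2023-10-12T09:15:02 10.20.0.5 10.30.1.11 IEC104 CONTROL_CMD ioa=1001 op=OPEN
2023-10-12T09:15:40 10.20.0.5 10.30.1.12 IEC104 INTERROGATION ioa=0
2023-10-12T21:03:10 10.10.5.77 10.30.1.11 IEC104 CONTROL_CMD ioa=1001 op=OPEN
2023-10-12T21:03:11 10.10.5.77 10.30.1.12 IEC104 CONTROL_CMD ioa=1001 op=OPEN
2023-10-12T21:03:12 10.10.5.77 10.30.1.13 IEC104 CONTROL_CMD ioa=1001 op=OPEN
2023-10-12T21:03:13 10.10.5.77 10.30.1.14 IEC104 CONTROL_CMD ioa=1001 op=OPEN
2023-10-12T21:10:00 10.20.0.5 10.30.1.11 IEC104 CONFIG_WRITE file=relay.cfg
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.src} -> {a.dst}: {a.reason}")
```

On the sample log the rules raise six alerts: four segmentation violations (one per command from 10.10.5.77), one burst alert once that host has commanded four distinct devices within a minute, and one out-of-window configuration write from an otherwise legitimate control-centre host. The point of the split is the one the summary makes: rule 1 only works if the network really is segmented, so its alerts double as a check on the segmentation, while rules 2 and 3 catch misuse of hosts that are allowed to command the field, which is why the review needs people who know what normal switching and engineering activity looks like.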