Cyber Attack On UPS Uninterruptible Power Supplies

Greetings and welcome back! In this month’s blog, we look at one of the largest cyber attacks of 2016: the Ukrainian power plant attack. This destructive incident included a highly targeted cyber attack on the uninterruptible power supplies (UPS) in 2 control rooms that supported the plant. There are several excellent online reports of this incident, one by the SANS Group and several by online tech magazines, including this one from Wired.

The Wired Magazine report shows, in a timeline of the attack, that 2 UPS units in separate control rooms were reconfigured to shut down at a specific time. This is easily accomplished with almost any smaller UPS used in network closets and server rooms. Also, as amazing as it may seem, in most systems it takes little effort to shut down a UPS, because little security stands in the way. That’s because most systems allow SNMP access and, as we have shown in this blog before, even the so-called “secure” SNMPv3 is now easily hackable with off-the-shelf tools. This well-done research report by the Georgia Institute of Technology provides excellent background to these vulnerabilities in SNMPv3.

In addition to SNMP access, almost all SNMP cards used in UPS units have open ports for the minimally secured Telnet, FTP and HTTP services. A low-skilled hacker could easily sniff the traffic on those ports, waiting to capture the passwords. But we have found it all too common that the manufacturer’s default passwords for SNMP cards have never even been changed. That makes entering a UPS as easy as taking candy from a baby. Here is an example of a UPS unit which is fully exposed online and how easy it is to schedule a shutdown of that system:

[Image: Uninterruptible Power Supply UPS Cyber Attack]


In the case of the Ukrainian control room UPS units, there was no direct exposure to these systems online.  It took a hacker of some degree of skill to enter their network and, once that was done, it was likely a much lesser problem to find the UPS.  The hackers then coordinated an attack on the power plant breakers with the timing of the UPS shutdown to cut off all power generation to the outside world and simultaneously to shut down all critical operations of the control rooms related to the power plant.  The end result was to leave the power customers in the dark and also to leave the power plant control systems in the dark.  It was because of the downed UPS that it took hours to figure out what was happening and how to begin to restore power and operations.
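For defenders, the two points above (SNMP cards that answer on Telnet, FTP, HTTP and SNMP, and an intruder who reaches the UPS from inside the network) suggest a simple check over network flow records. The following is an added example, not code from this blog or from any product it mentions; the addresses, the management subnet and the comma-separated record format are constructed assumptions.

```python
import csv
import io
import ipaddress

# Assumed site values (constructed for this example, not from the post).
UPS_CARDS = {ipaddress.ip_address("10.20.0.11"), ipaddress.ip_address("10.20.0.12")}
MGMT_NET = ipaddress.ip_network("10.20.9.0/24")
# Management services the post names: (protocol, port) -> (name, cleartext login?)
SERVICES = {
    ("tcp", 21): ("FTP", True),
    ("tcp", 23): ("Telnet", True),
    ("tcp", 80): ("HTTP", True),
    ("udp", 161): ("SNMP", False),
}
# Constructed flow records in a hypothetical format: time,src,dst,proto,dport
SAMPLE_FLOWS = """\
2024-05-01T09:00:02,10.20.9.5,10.20.0.11,udp,161
2024-05-01T09:00:40,10.20.9.5,10.20.0.11,tcp,23
2024-05-01T09:03:17,10.20.4.77,10.20.0.12,tcp,80
2024-05-01T09:03:19,10.20.4.77,10.20.0.12,udp,161
2024-05-01T09:05:00,10.20.4.77,10.20.3.8,tcp,80
not,a,valid,record
"""

def review_flows(text, ups_cards=UPS_CARDS, mgmt_net=MGMT_NET):
    """Return (time, src, dst, service, reason) findings for UPS card traffic."""
    findings = []
    for row in csv.reader(io.StringIO(text)):
        try:
            when, src, dst, proto, dport = row
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            service = SERVICES.get((proto.lower(), int(dport)))
        except ValueError:
            continue  # malformed or blank record
        if dst not in ups_cards or service is None:
            continue  # not management traffic to a UPS card
        name, cleartext = service
        if src not in mgmt_net:
            reason = "source outside management network"
        elif cleartext:
            reason = "cleartext protocol exposes credentials to sniffing"
        else:
            continue  # SNMP from the management network is expected
        findings.append((when, str(src), str(dst), name, reason))
    return findings

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(*finding, sep="  ")
```
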

I would now ask any worker or manager in a process, power plant or other control room: Is Your UPS Secured Against A Cyber Attack? RackGuardian was built specifically to protect UPS, PDU and other systems that support data and telecom racks. RackGuardian is a self-contained monitoring and protection system that supports any SNMP-based UPS and PDU units. We encourage anyone who is responsible for ensuring the power in their control rooms to give us a call; we would be happy to discuss your needs privately.

Until Next Time,

Be Well!