Concepedia

Publication | Closed Access

Ukraine cyber-induced power outage: Analysis and practical mitigation strategies

Citations: 211

References: 1

Year: 2017

Abstract

On December 23, 2015, a “temporary malfunction of the power supply” in three provinces in Ukraine resulted in power outages that lasted up to six hours and affected 225,000 customers. Following the event, an investigation identified evidence that several regional Ukraine power control systems had been compromised by cyber attacks. This was the first publicly documented successful cyber attack on an electric utility's control system. Both asset owners and government officials around the world now are asking, “What happened and could a similar cyber attack happen in our control systems?” This paper provides an analysis of the Ukraine cyber attack, including how the malicious actors gained access to the control system, what methods the malicious actors used to explore and map the control system, a detailed description of the December 23, 2015 attacks, and methods used by the malicious actors to erase their activities and make remediation more difficult. We then present a detailed description of securing utility power system control systems based on best practices, including control system network design, whitelisting techniques, monitoring and logging, and personnel education. The paper concludes with a discussion of mitigation methods and recommendations that would have protected the Ukraine control system and alerted personnel in advance of the cyber attack.
