Research, ideas, and leadership for a more secure, peaceful world

Press Release
from Belfer Center for Science and International Affairs, Harvard Kennedy School

Cyber Operations Against Ukraine's Grid

Published:

Hard Lessons Emerge from Cyberattack on Ukraine's Power Grid

In December, a portion of the Ukrainian power grid was hit with a cyber attack. The perpetrators wiped data from SCADA systems, disrupted power to tens of thousands of customers, and blinded grid operators with a coordinated denial of service attack against the power company’s phone systems.

Could such an attack happen in the U.S.?

Director Michael Sulmeyer of the Cyber Security Project at the Belfer Center for Science and International Affairs welcomed industry experts Robert Lee, CEO of Dragos Security and former U.S. Air Force Cyber Warfare Operations Officer, and Mudge, founder of the Cyber Independent Testing Laboratory, with previous experience as a DoD official for DARPA and Deputy Director of Google’s Advanced Technology and Projects Division, to get to ground truth on this attack and its implications.

See Video Highlights:

Lee and Mudge noted that while the American grid at large has some impressive resiliency features, many of the individual components are surprisingly fragile. An attack in the U.S. could easily cause isolated failures, though not system-wide grid failure. However, should such a widespread disruption occur, restoring power would be much more difficult due to the complexity of bringing the entire grid back online.

Mudge explained that SCADA systems, the industrial controls behind power grids, were never designed for security. Today, they are so fragile that even patches to increase system security can cause the SCADA components to crash.

Going forward, the panelists agreed that stakeholders need incentives to shift from reactionary “firefighting” to preventive measures. Additionally, both government officials and users need to be empowered to recognize threats and vulnerabilities, as well as to make informed decisions about security products and practices that make systems more reliable and resilient.

While the Ukraine attack only lasted for several hours, it should be seen as a wake-up call for the international community to prevent larger incidents. As Lee stated, “just because the sky isn’t falling it doesn’t mean you don’t need to build a roof.”

Get the latest groundbreaking journalism focused on security and privacy in the Digital Age by subscribing to Passcode, our cyber partner at The Christian Science Monitor.