Week 1 Assignment:
Ukraine Power Grid Cyber
Attack
Andres Brito (1007641) | Li Xinyue (1007389) | Mayukh Borana (1007395) |
Suhasini (1007497)
Singapore University of Technology and Design
51.503 Secure Software Engineering
Contents
1. Introduction
a. Facts, dates, characters
b. The story of the attack: how and who
c. Consequences of the attack
2. Kinematics of Attack
a. Threat model
3. Analysis
a. Would traditional perimeter defenses mitigate such a threat?
b. Missing Defense Approaches
4. Conclusions
a. How to detect or prevent other similar attacks
b. Takeaways
Facts, Dates, Characters
Date: 23 December 2015.
Suspected Actor: The Sandworm Group. The Ukrainian state security service (SBU) blamed Russia for the attack.
Target: Ukrainian Energy Company substations. In the case of the Prykarpattyaoblenergo substation, hackers successfully brought the network offline.
Target System: Microsoft Windows-based systems.
Purpose: The hackers intended to test a remote cyber operation directed against Ukraine’s critical energy infrastructure.
Facts, Dates, Characters cont.
Method:
- The first part of the attack is believed to have used an updated version of the BlackEnergy malware.
- The malicious code was sent through emails with malicious attachments, targeting specific individuals within the different energy companies in order to retrieve administrator credentials and gain access to the energy substation networks.
- During the second part of the attack, the actors activated the destructive KillDisk malware, which was able to wipe parts of the computers’ hard drives and prevent the systems from rebooting, ultimately leading to the power outages.
- Eventually, the hackers launched a TDoS attack (telephony denial of service) directed against the customers’ call center, preventing callers from reporting the outage.
The story of the attack - How
Stage 1: Spear Phishing
● In March 2015, malicious actors used spear phishing to compromise hosts that would allow them access to target networks.
● The emails sent contained a Microsoft Excel spreadsheet or Microsoft Word document. Opening the document and enabling its content led to the installation of the BlackEnergy3 malware on that computer.
● Multiple users were compromised.
Stage 2: Malware Used to Explore and Move in Network
● With the malware in place, reconnaissance and enumeration of the compromised network went on for months.
● In April 2015, malicious actors installed additional backdoor malware on the compromised machines.
Stage 3: Credentials Obtained
● The Active Directory server was one of the compromised computers, possibly leading to brute-force attacks on the passwords stored there.
The story of the attack - How (cont.)
Stage 4: Virtual Private Network Tunnel Created
● With the credentials obtained (username/password), the hackers used an encrypted tunnel (VPN) to establish a presence on the networks.
● Standard remote access tools were used to gain access to the control system network HMIs.
Stage 5: Compromise and Reconnaissance of HMI Computers
● Access to one of the computers provided credentials for remote access to the HMI application, which in turn allowed the hackers to interact remotely with the control system.
Stage 6: Manipulate Circuit Breakers
● The hackers opened the breakers, took control of the computers at a control center and remotely shut down the substation.
● An employee at the center tried to take back control of the computer but was unsuccessful: the hackers had changed his password and logged him out of his account.
The story of the attack - How (cont.)
Stage 7: Additional Attack Actions
● Telephony Denial-of-Service: A TDoS attack was launched against the customers’ call center to prevent them from calling to report the outage.
● UPS Remote Access and Shutdown: Shortly before the attack began, the hackers used UPS remote management interfaces to schedule a shutdown of the UPSs for the computer servers. This was done to interfere with incident response and restoration efforts.
Stage 8: Execute KillDisk on Target Computers
● The KillDisk malware was used to erase selected files on target systems and corrupt the master boot record, which renders the systems inoperable.
[Diagram: Key factors that caused the attack to happen: Social Engineering + Spear Phishing → Gained entry to the network]
The story of the attack - Who
[Diagram: the Sandworm Group]
● Alleged Russian cyber-military unit with the purpose of cyberespionage and cyberwarfare.
● Attributed with using BlackEnergy in targeted attacks. BlackEnergy3 is a tool used by Sandworm for cyber espionage in the Ukraine power grid attack.
● Responsible for the December 2015 Ukraine power grid attack.
Consequences of the attack
● It is considered to be the first known successful cyberattack on a power grid.
● Hackers were able to compromise the information systems of three energy distribution companies in Ukraine and temporarily disrupt the electricity supply to end consumers.
● Most affected were the consumers of Prykarpattyaoblenergo: 30 substations were switched off, and about 230 thousand people were left without electricity for between 1 and 6 hours.
Consequences of the attack cont.
● The malware disconnected electrical substations, causing the blackout.
● To restore the normal activity of the substations, manual intervention by on-site operators was necessary, including switching the dispatch control center from “automatic to manual mode”, as the hackers had infected the SCADA manufacturer’s firmware.
● However, once restored, the impacted infrastructure kept functioning under constrained operations.
● According to the CISO at security company SentinelOne, this group had very good intelligence: they knew how to engineer the highest probability that someone would click a malicious link and activate the BlackEnergy malware. In most attacks, it is the human factor that leads to the infiltration.
Kinematics of the cyberattack
Step 1: Malware in the mail! (BlackEnergy)
● The malware used in the 2015 Ukraine power grid attack was called "BlackEnergy." It was malicious software specifically designed to target industrial control systems (ICS), and it was used to disrupt the power grid in Ukraine.
● BlackEnergy was delivered through a spear-phishing email that contained a malicious attachment which, when opened, installed the malware on the target's computer. The malware was capable of compromising and controlling the systems responsible for controlling the power grid, causing widespread power outages in Ukraine.
● BlackEnergy was sophisticated malware, well designed to hide its presence and avoid detection. It used a variety of techniques, such as code obfuscation, rootkit functionality, and encrypted communication, to evade security systems and hide its presence on the infected system.
● The attack on the Ukraine power grid was a significant event in the world of cyber security, as it was one of the first instances of a successful attack on critical infrastructure that resulted in widespread power outages. The incident highlighted the importance of securing industrial control systems and the need for better security measures to protect against similar attacks in the future.
● The diagram is a simplified view of the network architectures (i.e., Internet, IT, OT) and will help depict each step of the cyberattack.
● The hacker is shown as the "black hat guy" at the top right side.
● The hacker used the utility's IT connection to the Internet as the channel to prepare and eventually trigger the cyberattack.
Step 2: Attack preparation, network scans, and advanced persistent threat (APT)
● The BlackEnergy malware was remotely controlled to collect data, hop from one host to another, detect vulnerabilities, and even make its way onto the OT network and perform similar "reconnaissance" activities there.
● Forensic data about this phase is incomplete, because the hacker did some cleaning up and wiped several disks during the actual attack. Nevertheless, prior analysis of BlackEnergy, together with reasonable assumptions about the standard process used for cyberattacks, makes the following reconstruction probable with reasonable confidence.
Step 3: Triggering the cyberattack
● In the afternoon two days before Christmas, as stated by an operator, the mouse moved on the human-machine interface (HMI) and started switching off breakers remotely.
● When the local operator attempted to regain control of the supervision interface, he was logged off and could not log in again, because the password had been changed.
● The whole attack lasted only a couple of minutes. The hacker used the preinstalled malware to remotely take control of the HMI and switch off most of the switchgear of the grids. Additional malware, in particular the custom-developed exploit, was used to prevent the operator from regaining control of the network by wiping many disks (using KillDisk) and overwriting the Ethernet-to-serial gateway firmware with random code, thus turning the devices into unrecoverable pieces of scrap.
● Additional "bonus" activities included performing a distributed denial-of-service attack on the call center, preventing customers from contacting the distributor, and switching off the uninterruptible power supply to shut down the power in the control center itself.
● This step was obviously aimed at switching off the power for hundreds of thousands of western Ukrainian subscribers connected to the grid. However, most of the effort was spent making sure that the power could not be switched on again: all the specific malware was developed with that objective. Once triggered, the only way for the operator to prevent that outcome was to stop the attack as it was being performed.
Would traditional perimeter defenses mitigate such a threat?
Even though the networks in Ukraine’s distribution centers were segregated by a firewall, the attackers were still able to steal employees’ credentials and gain access to the systems controlling the breakers. This shows us that a firewall as the only security system is not able to mitigate threats from cyber attacks.
Other traditional perimeter defenses such as an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) may be able to mitigate this issue. Even if attackers get past the firewall, they can be detected and stopped by the IPS. If they are able to reach an end-user computer and try to install malware, the IPS can detect it and remove it with an antivirus. If the firewall had been protected by two-factor authentication, the threat of such an attack could have been mitigated.
IDS and IPS Perimeter Defense Systems
Intrusion Detection System (IDS)
● A reactive measure.
● It can weed out malware (such as BlackEnergy3 and KillDisk) and detect social engineering assaults (such as spear phishing) that manipulate users into revealing sensitive information (employees’ credentials).
Intrusion Prevention System (IPS)
● A proactive approach.
● Drops malicious packets, blocks offending IPs and alerts security personnel to potential threats.
It is evident that traditional perimeter defence systems such as IDS, IPS, or firewalls coupled with authentication security systems can mitigate the threat of such attacks but not completely eliminate it.
Missing Defense Approaches
The absence of the following elements in the Ukrainian utilities’ networks allowed the attackers to succeed:
1. Employees’ cyber security awareness.
a. Identify suspicious emails and files.
2. A securely configured ICS network.
a. Separate credentials for the ICS and business networks.
b. Network Security Monitoring (NSM) → identify new connections and encrypted communications.
3. Better control over remote access functionality.
a. Operator-only access, with logging and automatic sign-out.
b. Multi-factor authentication.
4. Credential monitoring.
a. Unusual network activity and traffic.
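The NSM and credential-monitoring items above, worked through as an added example (not code from the slides or from any source they cite): a small detector runs over a constructed log and flags a VPN login into the ICS network from a (user, host) pair outside the baseline, a second concurrent HMI session for the same operator, a password change on an operator account while that operator is active on the HMI (the lock-out pattern in Stage 6), and a UPS management command issued from an IT-network host. The log format, account names, addresses and subnets are all assumptions made up for the example.

```python
import ipaddress
import re
from collections import namedtuple

Event = namedtuple("Event", "ts src user action detail")

# Constructed sample log in an assumed "<ts> <src_ip> <user> <action> <k=v ...>" format.
SAMPLE_LOG = """\
2015-12-23T14:55:01 10.20.1.15 dispatcher1 VPN_LOGIN net=ics
2015-12-23T15:02:11 10.20.1.15 dispatcher1 HMI_SESSION_START host=hmi-01
2015-12-23T15:10:42 203.0.113.7 dispatcher1 VPN_LOGIN net=ics
2015-12-23T15:11:05 203.0.113.7 dispatcher1 HMI_SESSION_START host=hmi-01
2015-12-23T15:13:30 203.0.113.7 svc-admin PASSWORD_CHANGE target=dispatcher1
2015-12-23T15:14:02 10.20.1.15 dispatcher1 HMI_LOGIN_FAIL host=hmi-01
2015-12-23T15:20:09 10.20.5.40 svc-admin UPS_SCHEDULE_SHUTDOWN ups=ups-cc-1
"""

# Assumed baseline of (user, source IP) pairs already known to open VPN sessions
# into the ICS network; anything else is a "new connection" worth a look.
KNOWN_VPN_SOURCES = {("dispatcher1", "10.20.1.15")}

# Assumed addressing: only hosts in the OT management subnet may talk to UPS
# management interfaces; the business (IT) subnet 10.20.5.0/24 must not.
OT_MGMT_NETS = [ipaddress.ip_network("10.20.1.0/24")]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")


def parse_log(text):
    """Parse the constructed log into Event tuples; 'detail' holds the k=v pairs."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, user, action, rest = m.groups()
        detail = dict(kv.split("=", 1) for kv in (rest or "").split() if "=" in kv)
        events.append(Event(ts, src, user, action, detail))
    return events


def in_ot_mgmt(src):
    """True if the source address belongs to the OT management subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in OT_MGMT_NETS)


def detect(events, known_vpn=KNOWN_VPN_SOURCES):
    """Return a list of (alert_kind, ts, message) tuples, in log order."""
    alerts = []
    active_hmi = {}  # operator account -> set of source IPs holding an HMI session
    for ev in events:
        if ev.action == "VPN_LOGIN" and ev.detail.get("net") == "ics":
            if (ev.user, ev.src) not in known_vpn:
                alerts.append(("NEW_VPN_SOURCE", ev.ts,
                               f"{ev.user} opened an ICS VPN tunnel from unseen host {ev.src}"))
        elif ev.action == "HMI_SESSION_START":
            active_hmi.setdefault(ev.user, set()).add(ev.src)
            if len(active_hmi[ev.user]) > 1:
                alerts.append(("CONCURRENT_HMI_SESSION", ev.ts,
                               f"{ev.user} now has HMI sessions from {sorted(active_hmi[ev.user])}"))
        elif ev.action == "HMI_SESSION_END":
            active_hmi.get(ev.user, set()).discard(ev.src)
        elif ev.action == "PASSWORD_CHANGE":
            target = ev.detail.get("target")
            # An operator being locked out of a live control session is the Stage 6 pattern.
            if target in active_hmi and active_hmi[target] and ev.user != target:
                alerts.append(("PASSWORD_CHANGE_DURING_HMI_SESSION", ev.ts,
                               f"{ev.user} changed the password of {target} while {target} is active on the HMI"))
        elif ev.action.startswith("UPS_") and not in_ot_mgmt(ev.src):
            alerts.append(("UPS_COMMAND_FROM_IT", ev.ts,
                           f"{ev.user} sent {ev.action} to {ev.detail.get('ups')} from IT host {ev.src}"))
    return alerts


def alert_kinds(text=SAMPLE_LOG):
    """Convenience wrapper: just the alert kinds raised for a log."""
    return [a[0] for a in detect(parse_log(text))]


if __name__ == "__main__":
    for kind, ts, msg in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts} [{kind}] {msg}")
```

On the constructed log the detector raises four alerts, the first of them before any breaker is touched; a real deployment would feed the same logic from VPN concentrator, domain controller, HMI and UPS management logs.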
Detection and prevention of a similar attack
Detection and prevention of the Ukraine power grid attack in 2015 required a multi-layered approach, involving both technical and
non-technical measures. Some of the key measures that could have been used to detect and prevent the attack include:
1. Endpoint security: Installing anti-virus and anti-malware software on all endpoints and keeping them up to date would have
helped detect and prevent the delivery of BlackEnergy.
2. Email security: Implementing email filtering and anti-spam measures, as well as training employees on how to identify and
avoid phishing emails, would have helped prevent the delivery of the malicious email that carried the malware.
3. Network security: Deploying firewalls, intrusion detection systems, and other network security measures would have helped
detect and prevent the spread of the malware within the network.
4. Patch management: Keeping all software and systems up to date with the latest patches and security updates would have
helped prevent vulnerabilities from being exploited.
5. Backups and recovery: Regularly backing up critical data and having a robust disaster recovery plan in place would have
helped minimize the impact of the attack and enable a faster recovery.
6. Monitoring and logging: Implementing comprehensive monitoring and logging of all systems and network activity would have
provided visibility into the attack and helped with incident response and recovery.
7. Physical security: Implementing physical security measures, such as access control and video surveillance, would have
helped secure the physical systems and components of the power grid.
It's worth noting that cyber attacks are constantly evolving, and there is no single measure that can provide complete protection against them. However, implementing a combination of technical and non-technical measures, and regularly reviewing and updating them, can help reduce the risk of successful attacks and minimize the impact if an attack does occur.
Takeaways
● In 2015, Ukrainian Energy Company substations were targeted and successfully taken down by the Sandworm Group.
● This attack was not the result of a single vulnerability, but of a handful of small network and design shortcomings.
● From this experience, we learned that effective cyber security must include people, hardware, software, policies, and procedures, regardless of the purpose of the network.
● Events like this one have to be prevented to ensure the security and safety of the population.
● The positive outcome of this attack is the reaction of the energy companies. After this incident, they evaluated their security postures and considered implementing the approaches discussed in this presentation.

More Related Content

Similar to CPS - Week 1.pptx

Honey Pot Intrusion Detection System
Honey Pot Intrusion Detection SystemHoney Pot Intrusion Detection System
Abdullah Mukhtar ppt
Abdullah Mukhtar pptAbdullah Mukhtar ppt
Abdullah Mukhtar ppt
Abdullah Mukhtar
 
The use of honeynet to detect exploited systems (basic version)
The use of honeynet to detect exploited systems (basic version)The use of honeynet to detect exploited systems (basic version)
The use of honeynet to detect exploited systems (basic version)
amar koppal
 
THE STATE OF THE ICS CYBERSECURITY THREAT LANDSCAPE FOR DIGITAL OILFIELDS
THE STATE OF THE ICS CYBERSECURITY THREAT LANDSCAPE FOR DIGITAL OILFIELDSTHE STATE OF THE ICS CYBERSECURITY THREAT LANDSCAPE FOR DIGITAL OILFIELDS
THE STATE OF THE ICS CYBERSECURITY THREAT LANDSCAPE FOR DIGITAL OILFIELDS
iQHub
 
A technical review and comparative analysis of machine learning techniques fo...
A technical review and comparative analysis of machine learning techniques fo...A technical review and comparative analysis of machine learning techniques fo...
A technical review and comparative analysis of machine learning techniques fo...
IJECEIAES
 

Similar to CPS - Week 1.pptx (20)

Stuxnets
StuxnetsStuxnets
Stuxnets
 
Detecting and Preventing Attacks Using Network Intrusion Detection Systems
Detecting and Preventing Attacks Using Network Intrusion Detection SystemsDetecting and Preventing Attacks Using Network Intrusion Detection Systems
Detecting and Preventing Attacks Using Network Intrusion Detection Systems
 
Honey Pot Intrusion Detection System
Honey Pot Intrusion Detection SystemHoney Pot Intrusion Detection System
Honey Pot Intrusion Detection System
 
Utilization of Encryption for Security in SCADA Networks
Utilization of Encryption for Security in SCADA NetworksUtilization of Encryption for Security in SCADA Networks
Utilization of Encryption for Security in SCADA Networks
 
Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles
 
Abdullah Mukhtar ppt
Abdullah Mukhtar pptAbdullah Mukhtar ppt
Abdullah Mukhtar ppt
 
The use of honeynet to detect exploited systems (basic version)
The use of honeynet to detect exploited systems (basic version)The use of honeynet to detect exploited systems (basic version)
The use of honeynet to detect exploited systems (basic version)
 
Network-security-ppt.pptx...............
Network-security-ppt.pptx...............Network-security-ppt.pptx...............
Network-security-ppt.pptx...............
 
Ak03402100217
Ak03402100217Ak03402100217
Ak03402100217
 
THE STATE OF THE ICS CYBERSECURITY THREAT LANDSCAPE FOR DIGITAL OILFIELDS
THE STATE OF THE ICS CYBERSECURITY THREAT LANDSCAPE FOR DIGITAL OILFIELDSTHE STATE OF THE ICS CYBERSECURITY THREAT LANDSCAPE FOR DIGITAL OILFIELDS
THE STATE OF THE ICS CYBERSECURITY THREAT LANDSCAPE FOR DIGITAL OILFIELDS
 
Cyber-security of smart grids
Cyber-security of smart gridsCyber-security of smart grids
Cyber-security of smart grids
 
Encryption Security in SCADA Networks
Encryption Security in SCADA NetworksEncryption Security in SCADA Networks
Encryption Security in SCADA Networks
 
Distributed network security management
Distributed network security managementDistributed network security management
Distributed network security management
 
Internet worm-case-study
Internet worm-case-studyInternet worm-case-study
Internet worm-case-study
 
fe-cyber-attacks-ukrainian-grid.pdf
fe-cyber-attacks-ukrainian-grid.pdffe-cyber-attacks-ukrainian-grid.pdf
fe-cyber-attacks-ukrainian-grid.pdf
 
A technical review and comparative analysis of machine learning techniques fo...
A technical review and comparative analysis of machine learning techniques fo...A technical review and comparative analysis of machine learning techniques fo...
A technical review and comparative analysis of machine learning techniques fo...
 
M0704071074
M0704071074M0704071074
M0704071074
 
A Review Paper on Cyber-Security
A Review Paper on Cyber-SecurityA Review Paper on Cyber-Security
A Review Paper on Cyber-Security
 
3778975074 january march 2015 1
3778975074 january march 2015 13778975074 january march 2015 1
3778975074 january march 2015 1
 
Detection of Rogue Access Point in WLAN using Hopfield Neural Network
Detection of Rogue Access Point in WLAN using Hopfield Neural Network  Detection of Rogue Access Point in WLAN using Hopfield Neural Network
Detection of Rogue Access Point in WLAN using Hopfield Neural Network
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Recently uploaded (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

CPS - Week 1.pptx

  • 1. Week 1 Assignment: Ukraine Power Grid Cyber Attack Andres Brito (1007641) | Li Xinyue (1007389) | Mayukh Borana (1007395) | Suhasini (1007497) Singapore University of Technology and Design 51.503 Secure Software Engineering 1
  • 2. Contents 1. Introduction a. Facts, dates, characters b. The story of the attack: how and who c. Consequences of the attack 2. Kinematics of Attack a. Thread model 3. Analysis a. Would traditional perimeter defenses mitigate such a threat? b. Missing Defense Approaches 4. Conclusions a. How to detect or prevent another similar attacks b. Takeaways 2
  • 3. 3
  • 4. Facts, Dates, Characters Date 23 December 2015. Suspected Actor The Sandworm Group. The Ukrainian state security service (SBU) blamed Russia for the attack. Target Ukrainian Energy Company substations. In the case of the Prykarpattyaoblenergo substation, hackers successfully brought the network offline. Target System Microsoft Windows-based systems. Purpose The hackers intended to test a remote cyber operation directed against Ukraine’s critical energy infrastructure. 4
  • 5. Facts, Dates, Characters cont. Method - The first part of the attack is believed to harness an updated version of the BlackEnergy malware. - The malicious code was sent through emails with malicious attachments, targeting specific individuals within the different energy companies in order to retrieve administrator credentials and gain access to the energy substation networks. - During the second part of the attack, the actors activated a KillDisk destructive malware, which was able to wipe parts of computers’ hard drives and prevent the systems from rebooting, ultimately leading to the power outages. - Eventually, the hackers launched a TDoS attack (telephony denial of service) directed against the customers call center, preventing the callers from reporting the outage. 5
  • 6. The story of the attack - How Stage 1: Spear Phishing ● In March 2015, malicious actors used spear phishing to compromise hosts that would allow them access to target networks. ● Emails sent contained a Microsoft Excel spreadsheet or Microsoft Word document. Opening and enabling them led to the installation of the BlackEnergy3 malware on that computer. ● Multiple users were compromised. Stage 2: Malware Used to Explore and Move in Network ● With the malware, reconnaissance and enumeration of the compromised network occurred for months. ● In April 2015, malicious actors installed additional backdoor malware on the compromised machines. Stage 3: Credentials Obtained ● The Active Directory server was one of the compromised computers, possibly leading to a brute force attacks on the passwords stored there. 6
  • 7. The story of the attack - How (cont.) Stage 5: Compromise and Reconnaissance of HMI Computers ● Access to one of the computers provided credentials for remote access to the HMI application, which in turn allowed the hackers to interact remotely with the control system. Stage 6: Manipulate Circuit Breakers ● The hackers opened the breakers, took control of the computers at a control center and remotely shutdown the substation. ● An employee at the center tried to take control of the computer but he was unsuccessful as he was logged out of his account by the hackers who changed his password. Stage 4: Virtual Private Network Tunnel Created ● With the credentials obtained (username/password), the hackers used an encryption tunnel (VPN) to establish a presence on the networks. ● Standard remote access tools were used to gain access to the control system network HMIs. 7
  • 8. The story of the attack - How (cont.) Stage 7: Additional Attack Actions ● Telephony Denial-of-service: A TDoS attack was launched against customers to prevent them from calling to report the outage. ● UPS Remote Access and Shutdown: Shortly before the attack began, the hackers used UPS remote management interfaces to schedule a shutdown of the UPSs for the computer servers. This was done to interfere with incident response and restoration efforts. Stage 8: Execute KillDisk on Target Computers ● The KillDisk malware was used to erases selected files on target systems and corrupts the master boot record, which renders the systems inoperable. Social Engineering Gained entry to the network + Spear Phishing Key factors that caused the attack to happen 8
  • 9. The story of the attack - Who Alleged Russian Cybermilitary unit with the purpose of cyberespionage and cyberwarfare Attributed with using BlackEnergy targeted attacks. BlackEnergy3 is a tool used by Sandworm for cyber espionage in the Ukraine power grid attack Responsible for the December 2015 Ukraine power grid attack. 9
  • 10. Consequences of the attack ● It is considered to be the first known successful cyberattack on a power grid. ● Hackers were able to successfully compromise information systems of three energy distribution companies in Ukraine and temporarily disrupt electricity supply to the end consumers. ● Most affected were consumers of Prykarpattyaoblenergo: The attack resulted in power outages for 30 substations were switched off, and about 230 thousand people were left without electricity for a period from 1 to 6 hours. 10
  • 11. Consequences of the attack cont. ● The malware disconnected electrical substations, causing the blackout. ● To restore the normal activity of the substations manual intervention by on-site operators was necessary, including switching the dispatch control center from “automatic to manual mode”, as the hackers had infected the SCADA’s manufacturer firmware. ● However, once restored, the impacted infrastructures kept on functioning under constrained operations. ● According to the CISO at security company SentinelOne, this group had very good intelligence as they knew how to engineer the highest probability that someone will click a malicious link and activate the BlackEnergy malware - in most attacks, it is the human factor that leads to the infiltration. 11
Kinematics of the cyberattack
Step 1: Malware in the mail! (BlackEnergy)
● The malware used in the Ukraine power grid attack in 2015 was called "BlackEnergy." It was malicious software specifically designed to target industrial control systems (ICS) and was used to disrupt the power grid in Ukraine.
● BlackEnergy was delivered through a spear-phishing email that contained a malicious attachment which, when opened, installed the malware on the target's computer. The malware was capable of compromising and controlling the systems responsible for controlling the power grid, causing widespread power outages in Ukraine.
● BlackEnergy was sophisticated malware, well designed to hide its presence and avoid detection. It used a variety of techniques, such as code obfuscation, rootkit functionality, and encrypted communication, to evade security systems and hide its presence on the infected system.
● The attack on the Ukraine power grid was a significant event in the world of cyber security, as it was one of the first instances of a successful attack on critical infrastructure that resulted in widespread power outages. The incident highlighted the importance of securing industrial control systems and the need for better security measures to protect against similar attacks in the future.
12
[Diagram: simplified network architecture (Internet, IT, OT)]
● The diagram is a simplified view of the network architectures (i.e., Internet, IT, OT) and will help depict each step of the cyberattack.
● The hacker is shown as the "black hat guy" at the top right side.
● The hacker used the utility's IT connection to the Internet as the channel to prepare and eventually trigger the cyberattack.
13
Step 2: Attack preparation, network scans, and advanced persistent threat (APT)
● The BlackEnergy malware was remotely controlled to collect data, hop from one host to another, detect vulnerabilities, and even make its way onto the OT network and perform similar "reconnaissance" activities there.
● Forensic data about this phase is incomplete, because the hacker did some cleaning up and wiped several disks during the actual attack. Nevertheless, prior analysis of BlackEnergy, together with reasonable assumptions about the standard process used in cyberattacks, makes the following reconstruction probable with reasonable confidence.
14
Step 3: Triggering the cyberattack
● In the afternoon two days before Christmas, as stated by an operator, the mouse moved on the human-machine interface (HMI) and started switching off breakers remotely.
● When the local operator attempted to regain control of the supervision interface, he was logged off and could not log in again, because the password had been changed.
● The whole attack lasted only a couple of minutes. The hacker used the preinstalled malware to remotely take control of the HMI and switch off most of the switchgear on the grids. Additional malware, in particular the custom-developed exploit, was used to prevent the operator from regaining control of the network by wiping many disks (using KillDisk) and overwriting the Ethernet-to-serial gateway firmware with random code, thus turning the devices into unrecoverable pieces of scrap.
● Additional "bonus" activities included performing a distributed denial-of-service attack on the call center, preventing customers from contacting the distributor, and switching off the uninterruptible power supply to cut the power to the control center itself.
● This step was obviously aimed at switching off the power for hundreds of thousands of western Ukrainian subscribers connected to the grid. However, most of the effort was spent making sure that the power would not be switched on again: all the specific malware was developed with that objective. Once triggered, the only way for the operator to prevent that outcome was to stop the attack while it was being performed.
15
Would traditional perimeter defenses mitigate such a threat?
Even though the networks in Ukraine's distribution centers were segregated with a firewall, the attackers were still able to steal employees' credentials and gain access to the systems controlling the breakers. This shows us that having a firewall as the only security system would not mitigate threats from cyber attacks.
Other traditional perimeter defenses such as the Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) may be able to mitigate this issue. Even if attackers get past the firewall, they can be detected and stopped by the IPS. If they are able to reach an end-user computer and try to install malware, the IPS can detect it and the antivirus can remove it. If the firewall had been combined with two-factor authentication, the threat of such an attack could have been mitigated.
16
IDS and IPS Perimeter Defense Systems
Intrusion Detection System (IDS)
● A reactive measure.
● It can weed out malware (such as BlackEnergy3 and KillDisk) and detect social engineering (such as spear phishing) assaults that manipulate users into revealing sensitive information (employees' credentials).
Intrusion Prevention System (IPS)
● A proactive approach.
● Drops malicious packets, blocks offending IPs and alerts security personnel to potential threats.
It is evident that traditional perimeter defence systems such as IDS, IPS, or firewalls coupled with authentication security systems can mitigate the threat of such attacks but not completely eliminate it.
17
Missing Defense Approaches
The absence of the following elements in the Ukrainian networks allowed the attackers to succeed:
1. Employees' cyber security awareness.
a. Identify suspicious emails and files.
2. A securely configured ICS network.
a. Separate credentials for the ICS and business networks.
b. Network Security Monitoring (NSM) → identify new connections and encrypted communications.
3. Better control over remote access functionality.
a. Operator-only access with logging and automatic sign-out.
b. Multi-factor authentication.
4. Credential monitoring.
a. Unusual network activity and network traffic.
18
Detection and prevention of a similar attack
Detection and prevention of the Ukraine power grid attack in 2015 required a multi-layered approach, involving both technical and non-technical measures. Some of the key measures that could have been used to detect and prevent the attack include:
1. Endpoint security: Installing anti-virus and anti-malware software on all endpoints and keeping them up to date would have helped detect and prevent the delivery of BlackEnergy.
2. Email security: Implementing email filtering and anti-spam measures, as well as training employees on how to identify and avoid phishing emails, would have helped prevent the delivery of the malicious email that carried the malware.
3. Network security: Deploying firewalls, intrusion detection systems, and other network security measures would have helped detect and prevent the spread of the malware within the network.
4. Patch management: Keeping all software and systems up to date with the latest patches and security updates would have helped prevent vulnerabilities from being exploited.
5. Backups and recovery: Regularly backing up critical data and having a robust disaster recovery plan in place would have helped minimize the impact of the attack and enable a faster recovery.
6. Monitoring and logging: Implementing comprehensive monitoring and logging of all systems and network activity would have provided visibility into the attack and helped with incident response and recovery.
7. Physical security: Implementing physical security measures, such as access control and video surveillance, would have helped secure the physical systems and components of the power grid.
It's worth noting that cyber attacks are constantly evolving, and there is no single measure that can provide complete protection against them. However, implementing a combination of technical and non-technical measures, and regularly reviewing and updating them, can help reduce the risk of successful attacks and minimize the impact if an attack does occur.
19
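The remote-access controls and credential monitoring called for in the "Missing Defense Approaches" slide and in item 6 above can be turned into concrete detection logic. The following is an added example, not part of the presentation: it assumes a constructed VPN/remote-access log format, invented user names, a hypothetical operator subnet and a hypothetical allow-list of users permitted to reach control-network (OT) hosts, and flags logins from new or external sources, non-operator accounts reaching OT hosts, one account active from two sources at once, and a burst of failures followed by success.

```python
"""Added example: flag anomalous remote-access sessions into an ICS network.
All log lines, users, hosts and addresses below are constructed for illustration."""
from datetime import datetime, timedelta
import ipaddress
import re

OPERATOR_NET = ipaddress.ip_network("10.20.1.0/24")   # assumed operator workstation subnet
OT_USERS = {"operator1", "operator2"}                  # assumed allow-list for OT (HMI) hosts
LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<res>\S+)")

# Constructed baseline: a learning window of normal sessions into the control network.
BASELINE = """
2015-12-01T09:02:11 user=operator1 src=10.20.1.15 dst=hmi-01 result=ok
2015-12-01T14:10:03 user=operator2 src=10.20.1.16 dst=hmi-02 result=ok
2015-12-02T08:55:40 user=operator1 src=10.20.1.15 dst=hmi-01 result=ok
"""
# Constructed log to inspect: a stolen operator credential reused from outside, an IT
# account reaching an HMI, and repeated failures followed by a successful login.
NEW = """
2015-12-23T15:31:02 user=operator1 src=10.20.1.15 dst=hmi-01 result=ok
2015-12-23T15:33:45 user=operator1 src=203.0.113.7 dst=hmi-01 result=ok
2015-12-23T15:34:10 user=it-helpdesk src=10.20.1.40 dst=hmi-02 result=ok
2015-12-23T15:35:00 user=operator2 src=10.20.1.16 dst=hmi-02 result=fail
2015-12-23T15:35:04 user=operator2 src=10.20.1.16 dst=hmi-02 result=fail
2015-12-23T15:35:07 user=operator2 src=10.20.1.16 dst=hmi-02 result=ok
"""

def parse(text):
    """Parse log lines into dicts; the timestamp becomes a datetime."""
    return [m.groupdict() | {"ts": datetime.fromisoformat(m["ts"])}
            for m in map(LINE.match, text.strip().splitlines()) if m]

def analyse(baseline_text, log_text, window=timedelta(minutes=10)):
    """Return (user, reason, detail) findings for every suspicious successful login."""
    known = {(e["user"], e["src"]) for e in parse(baseline_text) if e["res"] == "ok"}
    findings, last_ok, fails = [], {}, {}
    for e in parse(log_text):
        u, src, ts = e["user"], e["src"], e["ts"]
        if e["res"] != "ok":
            fails.setdefault(u, []).append(ts)      # remember failures per account
            continue
        if (u, src) not in known:                   # NSM: never-seen (user, source) pair
            findings.append((u, "new_source", src))
        if ipaddress.ip_address(src) not in OPERATOR_NET:
            findings.append((u, "external_source", src))
        if u not in OT_USERS:                       # business account reaching an OT host
            findings.append((u, "non_operator_to_ot", e["dst"]))
        prev = last_ok.get(u)
        if prev and prev[1] != src and ts - prev[0] < window:   # same credential, two sources
            findings.append((u, "concurrent_sources", f"{prev[1]},{src}"))
        recent = [f for f in fails.get(u, []) if ts - f < timedelta(seconds=60)]
        if len(recent) >= 2:                        # guessing burst that ended in success
            findings.append((u, "failures_then_success", str(len(recent))))
        last_ok[u] = (ts, src)
    return findings
```

Run against the constructed logs, `analyse(BASELINE, NEW)` yields six findings, while `analyse(BASELINE, BASELINE)` yields none.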
Takeaways
● In 2015, Ukrainian Energy Company substations were targeted and successfully taken down by the Sandworm Group.
● This attack was not the result of a single vulnerability, but of a handful of small network and design shortcomings.
● From this experience, we learned that effective cyber security must include people, hardware, software, policies, and procedures, regardless of the purpose of the network.
● Events like this one have to be prevented to ensure the security and safety of the population.
● The positive outcome of this attack is the reaction of the energy companies. After this incident, they evaluated their security postures and considered implementing the approaches discussed in this presentation.
20