Affiliations:
1. Budapesti Műszaki és Gazdaságtudományi Egyetem, Villamos Energetika Tanszék, Budapest, Magyarország (Budapest University of Technology and Economics, Department of Electric Power Engineering, Budapest, Hungary)
2. Magyar Elektrotechnikai Egyesület, Budapest, Magyarország (Hungarian Electrotechnical Association, Budapest, Hungary)
3. Budapesti Műszaki és Gazdaságtudományi Egyetem, Hálózati Rendszerek és Szolgáltatások Tanszék, Budapest, Magyarország (Budapest University of Technology and Economics, Department of Networked Systems and Services, Budapest, Hungary)
Abstract
Summary (translated from the Hungarian abstract).
Every developed country depends heavily on the operation of its electric power system, and this dependence is expected to grow over time. Stable operation is influenced by many factors, some of them random (e.g. weather), but the human factor also has a major effect on reliability. In this paper we deal with the special cases of deliberate harm in which the attacker degrades the basic operation of the electric power system through the computer systems that supervise and control it. To that end, we review how the two systems are intertwined and examine the cases of this kind that occurred in Ukraine during the past eight years. We summarize and analyze these events and make recommendations on what can be done to avoid such harmful events, keeping in mind the principle of "prevention, detection, response".
Summary.
All developed countries are highly dependent on the operation of electric power systems, and this dependence will probably increase. Many factors influence stable operation, some of which are random (weather, or failures of devices and cables); however, human activities also have a significant impact on reliability. In this paper, we deal with the special cases of attacks that achieve a detrimental effect on the electric power system by compromising the computer systems that control and monitor it. To support the reader, we first analyze the key components of the physical and cyber parts of the system to provide an understanding of how these domains intertwine – it is a cyber-physical system. We further elaborate on how an event can spread from one domain to the other. Then, a series of actual examples underlines the importance of this topic, focusing on malicious acts committed with the goal of sabotaging the power system. Thereafter, we analyze cyber-attacks committed in Ukraine during the last eight years. Most of these targeted the Ukrainian electric power system, aiming at blackouts and device destruction. Some of the attacks had severe consequences in other European countries as well; however, some were successfully stopped before any harm was done. After analyzing the events, we conclude that the threat actors' focus shifted from causing short-term blackouts to device destruction and long-term breakdowns. In the last part of our paper, we enumerate mitigation methods for operators. Our enumeration is based on the PreDeCo principle, namely prevention, detection, and correction. In conclusion, the defender must segregate networks that serve different purposes, use strong authentication and authorization, and have proper patch management policies. These measures must be verified with regular penetration tests. As the Ukrainian examples show, the threat actor can sometimes evade preventive measures; thus, good detection is necessary. Detection is based on analyzing the output of intrusion detection systems and detailed logging facilities. The analysis should be done in the security operations center by experts with knowledge of both cyberspace and electric power system operations. In case of an incident, the security operations center must take corrective steps, with the help of external experts where needed. The corrective steps include understanding the incident, recovering from it, preventing similar incidents in the future, and performing digital forensics on the incident.