Compromising vital infrastructure: the power grid

Where were you when the lights went out? That line became famous after the 1977 blackout in New York City. This power outage was caused by lightning and lasted for up to two days, depending on which part of New York you lived in. While in this case the power grid failure was a freak incident due to faulty backup equipment, it is still famous for the havoc it wreaked throughout the city—including looting and arson—during a time when national morale was already low.

Now imagine something similar happening today. Would it result in the same criminal chaos? My guess is it would depend on the circumstances and how much time it takes to restore power. Let’s hope we never find out.

Power grid hardware

The underlying hardware of the power grid has gone through a lot of improvements since 1977. And so have backup systems and procedures.

In many countries, a power interruption that lasts longer than a given threshold gives the consumer the right to claim damages from the power company. These damages are to be paid by the electricity distributor. The amount of the customer compensation and the threshold can vary from one country to another, but you can usually look them up on the website of your provider.

This is not to say that it’s impossible to do physical damage if an attacker is determined enough, as the 2013 sniper attack on a California energy grid substation demonstrated.

Recent regulations and improvements have made it rare to experience power outages of more than a few hours in the western world—unless there are special circumstances, such as natural disasters. Tornadoes, hurricanes, earthquakes, erupting volcanoes, flooding, and wildfires can cause power outages, which makes dealing with those disasters even more difficult. After other kinds of outages, power is usually restored quickly or the gap is covered by backup systems.

We are aware of several malware variants that are used against power supplies, and some of them can be held responsible for major power outages around the globe.

Stuxnet is a worm designed to spread through Windows systems and go after certain programmable controllers by seeking out the software related to these controllers. Stuxnet is believed to be specifically designed to destroy the Iranian nuclear program, but it can also be used to bring down power plants.

A group of hackers dubbed Sandworm and suspected to be based in Russia shut down the Ukrainian power grid in December 2015 using a malware called BlackEnergy. The malware opened a backdoor that allowed the attackers to control infected machines to a level where they were able to cross over into the operational network. Once there, they started to flip switches, disabling IT infrastructure and deleting files. Earlier, in 2014, the US government had reported that hackers planted BlackEnergy on the networks of American power and water utilities, but nothing came of it.

If any countermeasures were taken in Ukraine, they turned out to be insufficient or at least unable to withstand CrashOverRide. CrashOverRide, aka Industroyer, is an adaptable malware that can automate and orchestrate mass power outages. This power grid–sabotaging malware was likely the one used in the December 2016 cyberattack against Ukrainian electric utility Ukrenergo. CrashOverRide can control the switches and circuit breakers of legacy electricity substations, allowing an attacker to simply turn off power distribution, leading to cascading failures and causing more severe damage to equipment.

Dragonfly, aka Energetic Bear, is a malware campaign that uses a variety of infection vectors in an effort to gain access to a victim’s network, including malicious emails, watering hole attacks, and Trojanized software. Part of this campaign was a malicious email disguised as an invitation to a New Year’s Eve party, sent to targets in the energy sector in December 2015.

Sandworm malware, discovered in 2014, uses a vulnerability to launch external files from a malicious PowerPoint file. In a Sandworm attack, the malicious PowerPoint file pulls in two files from a remote server that combine to deliver the malware payload. Sandworm has been used in targeted attacks against NATO, the European Union, and companies in the telecommunications and energy sectors.

Backup systems

It may seem obvious to point out that critical facilities like hospitals should have independent emergency power backup systems. And most of them do. But are they tested regularly for functionality? Do they have enough supplies to last through a prolonged power outage? Is there an option to turn them on manually if they fail to kick in automatically? And is someone available on premises who knows how to do this?

Emergency power systems come in many shapes and sizes. Standby generators are probably the most well-known, and they rely on some kind of fuel to provide emergency power. Batteries, by contrast, use stored power and release it when it’s needed. But batteries are generally only a solution for hours rather than days, and they tend to lose some charge even when they are not in use. It is imperative to find a backup solution that is robust enough to meet your needs in a worst-case scenario.

control room of a nuclear power plant

Energy sources

Theoretically, there are other ways to disrupt the power grid. For example, by cutting off the resources we use to run the power plants, such as coal, water, wind, solar, nuclear, and natural gas. This is a good reason to use a wide variety of resources, and another excellent reason to use renewable energy. It is also a good part of the reason why OPEC has so much influence in the world of today.

To show that hacking into power supplies is not entirely theoretical, we want to mention that Iranian hackers infiltrated the control system of a small dam less than 20 miles from New York City in 2013. Unfortunately, many power plants are still accessible from the Internet in unnecessary ways that endanger their cybersecurity.

Criminals have tools at their disposal with the capability to cause serious damage to the power grid. Therefore, the power industry must take precautions and upgrade cybersecurity to keep their systems safe. And they should do more than just abide by the minimum security standard. Power grid operators and their suppliers should have their ability to withstand cyberattacks tested on a regular basis.

This is especially true for nuclear power plants, where a loss of control can have more catastrophic consequences than just the loss of power output. Since 9/11, every company operating nuclear power plants has had an NRC-approved cybersecurity program in place, but cybersecurity was not such an issue when these plants were designed.

Besides cybersecurity, there are physical measures a government could enforce to improve the stability of a stressed power grid. As Joshua Pearce, a professor of electrical and computer engineering at Michigan Technological University, put it:

If we want to have a secure grid and go full throttle on renewable energy, what it means is we need to break up the grid into a bunch of microgrids that still act together as a full grid, so that we still have all the benefits that we have today with our giant centralized grid while still having the security.

In an attack, such a microgrid could be taken out without having an ill effect on all the other microgrids—which would make a successful attack less disastrous.

It would also stand to reason to take heed of the advice of Energy Secretary Rick Perry, who told lawmakers at an appropriations hearing that cyberattacks are literally happening hundreds of thousands of times a day. He warned that the Department of Energy needs an office of cybersecurity and emergency response in order to be prepared for threats like this in the future. Looking at what has already taken place, plus what is vulnerable to attack, we have to agree.

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.