Jason Atwell, Principal Advisor Global Intelligence, Mandiant

Shortly before Christmas in 2015, the power grid in Ukraine suffered a series of outages that affected roughly a quarter of a million consumers and lasted several hours.[1] Later, in 2017, the same group used ransomware to shut down servers all over Ukraine, including at the infamous Chernobyl Nuclear Power Plant.[2] The actor behind these attacks was a Russian state-sponsored group known as “Sandworm.” Because of the role this group has played in defining the scope of the threat cyber actors pose to power grids, cyber professionals and intelligence analysts around the globe have been watching keenly for any evidence of the group’s activity during the current crisis in Ukraine.

Sandworm might be the most infamous group currently known for ICS malware, or malware that is intended specifically to target industrial control systems (ICS) such as programmable logic controllers (PLCs) or unified architecture (UA) servers. This type of malware, while still relatively rare, is more common now than a decade ago, and is increasingly proven capable of achieving dangerous and widespread effects on targeted networks globally.

Ukraine has had the unfortunate distinction of being the place where one of the most noteworthy incidents involving such malware has occurred, but it is far from the only one, and it will not be the last to deal with incidents involving it. As anyone who works in the overlapping fields of cyber and engineering knows, it isn’t necessarily the threats or failures you’ve identified that will hurt you; it might be the ones no one has thought of.

The Russian focus on Ukraine’s power grid in particular, and how it has evolved over time, offers valuable lessons for network defenders and industrial engineers as they prepare grids to be resilient against future attacks of this kind.

Exploration of energy sector significance

It is no accident that most of the discovered ICS malware targets energy, or energy-related, functions and systems. Considering the intended effects, and the state-sponsored groups behind these capabilities, energy is a logical target for ICS malware. Energy plays a critical role in the dynamics of international geopolitics. When nation-states confront one another, the energy sector is often at the center of tensions.

This is because of the critical role energy plays in several key factors: internal stability, through the provision of essential services; economic health, given the huge role oil and gas play in many economies; and the leverage that crucial suppliers gain when they deny or fail to deliver fuel. Finally, energy is a rapidly digitizing industry at the forefront of competition between the world’s great powers, making it fertile ground for testing cyber capabilities in a way that sends a quick and direct message.

Besides Ukraine, Saudi Arabia has experienced cyber attacks directed against its energy sector, attacks that were both destructive and highly creative in their methodology. Triton malware, which incidentally is also linked to Russia, was used in an attempt to cause physical damage at a Saudi petrochemical company by disabling key safety systems, specifically the hardware and software platform used to coordinate across multiple devices.

This focus on eliminating the monitoring, coordination, and redundancy that is essential to modern safety systems could have made the impact of this attack devastating had it fully succeeded. Despite failing, it is understandable why such an attack could benefit a country like Russia, which was assessed to be behind Triton malware and subsequently sanctioned for its development.[3] Russia is in the top tier of nations that both profit from, and are largely dependent on, the energy market.

In past wars the bombing of oil and gas facilities was a priority effort; in future wars the same effects[4] might be achievable from afar using a network connection and a custom malware kit, decreasing the risk to the attacker and increasing the speed and scale of destruction.

Discussion of malware functions and effects

One of the most significant recent developments in ICS malware was the proactive detection and mitigation of a campaign designed to use INCONTROLLER malware to target machine automation devices, specifically those able to interact with specific industrial equipment used across multiple industries. The apparent goal was to interact with that equipment in such a way as to disable safety features, similar to Triton, discussed above.[5]

Future Scenarios

Russia’s attempts to take out critical components of the electrical grid using cyber attacks may have been limited in scope and mostly unsuccessful, especially in terms of Ukraine’s ability to quickly recover, but they do show us where ICS malware and its capabilities are headed in the future. Like many other kinds of malware, ICS malware is increasingly focused on infiltrating the commonalities across systems and networks in order to have the greatest chance of exploitation and success.

That means a focus on widely adopted technology, the common languages used to communicate between devices, and the software suites that enable multiple processes. In the future, because malicious actors are increasingly aware of what these critical nodes and common overlays are, attacks will be even stealthier in how they infiltrate supply chains and achieve effects rapidly, both using our engineering processes against us and taking our detection and response capabilities into account.


From an engineering perspective, there are some basic concepts that can help address the rising threat posed by ICS-specific malware. Additionally, the cyber security field is heavily engaged in hardening ICS networks and responding to incidents when they occur. Marrying these parallel efforts is an important part of having a strategic approach to this issue.

First, the earlier in a design process that cyber security can be addressed, the better. A resilient design should include not only redundancies, but ways to check that those redundancies are actually balancing one another. This closes off a vector a bad actor could otherwise use to turn safety processes against the system.

Second, operating procedures, either in design or in practice, should include the necessary time and resources to review data and indicators for signs of malicious activity. This includes updates, maintenance, and tests. Malicious activity may not be detectable, even on a secured network, if too much trust is placed in “operations as usual” as an indicator of a secure system.
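The two design points above, checked redundancy and routine review of indicators during maintenance, can both be expressed as small automated checks. The following Python is an added example and is not code from the article or from Mandiant; the two-out-of-three voting scheme is a common safety-system pattern assumed here for illustration, and every reading, device name, tolerance and logic blob is constructed sample data rather than a real plant's values.

```python
"""Added illustration of two defender-side checks for a resilient ICS design.

1. Redundant sensor channels are voted 2-out-of-3 *and* checked for disagreement
   and for frozen values, so a redundancy that has silently stopped working is
   noticed rather than trusted.
2. Controller logic is hashed before a maintenance window and re-checked after it,
   so an unapproved change made during "operations as usual" is surfaced.

All names, thresholds and data below are hypothetical and constructed for the example.
"""
from __future__ import annotations

import hashlib
from statistics import median

# Hypothetical agreement tolerance between redundant channels, in engineering units.
TOLERANCE = 2.0


def vote_2oo3(readings: tuple[float, float, float], tolerance: float = TOLERANCE) -> dict:
    """Two-out-of-three vote over three redundant channels.

    The voted value is the median. Any channel further than `tolerance` from the
    voted value is reported as disagreeing; the vote still succeeds, but the
    redundancy is flagged as degraded so someone looks at the odd channel out.
    """
    voted = median(readings)
    disagreeing = [i for i, r in enumerate(readings) if abs(r - voted) > tolerance]
    return {"value": voted, "disagreeing_channels": disagreeing, "degraded": bool(disagreeing)}


def stale_channels(history: list[tuple[float, ...]], window: int = 5, channels: int = 3) -> list[int]:
    """Return channels whose value has not changed at all over the last `window` scans.

    A live process measurement normally drifts a little; a perfectly constant
    reading can mean a dead transmitter or a replayed value, both of which would
    otherwise be masked by the healthy channels in the vote.
    """
    recent = history[-window:]
    if len(recent) < window:
        return []
    return [ch for ch in range(channels) if len({scan[ch] for scan in recent}) == 1]


def baseline_hashes(configs: dict[str, bytes]) -> dict[str, str]:
    """Record a SHA-256 digest of each device's logic/config before maintenance."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in configs.items()}


def diff_against_baseline(baseline: dict[str, str], current: dict[str, bytes]) -> list[str]:
    """Return devices whose logic/config no longer matches the baseline, including
    any device that was not in the baseline at all."""
    return [
        name
        for name, blob in current.items()
        if baseline.get(name) != hashlib.sha256(blob).hexdigest()
    ]


# Constructed scan history of one pressure measurement from three redundant transmitters.
# Channel 2 is frozen for the last five scans; channel 0 jumps on the final scan.
SCANS = [
    (101.2, 101.0, 101.3),
    (101.4, 101.1, 101.3),
    (101.1, 101.2, 101.3),
    (101.5, 101.4, 101.3),
    (101.3, 101.2, 101.3),
    (108.0, 101.3, 101.3),
]

# Constructed logic blobs standing in for downloaded controller programs.
BASELINE_LOGIC = {"plc-01": b"ladder-v3", "sis-01": b"sis-logic-v7"}
AFTER_MAINTENANCE = {"plc-01": b"ladder-v3", "sis-01": b"sis-logic-v7-unapproved-edit"}


def run_checks() -> dict:
    """Run both checks over the constructed data and return a single report."""
    vote = vote_2oo3(SCANS[-1])
    return {
        "voted_value": vote["value"],
        "disagreeing_channels": vote["disagreeing_channels"],
        "stale_channels": stale_channels(SCANS),
        "changed_devices": diff_against_baseline(baseline_hashes(BASELINE_LOGIC), AFTER_MAINTENANCE),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

On the constructed data the vote still produces a usable value, but the report shows one disagreeing channel, one frozen channel, and one controller whose logic changed during the maintenance window. None of those three conditions stops the process on its own, which is exactly why they need to be reviewed deliberately rather than inferred from the plant running normally.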

Third and finally, supply chain issues, in terms of new procurement, upgrades and enhancements, should be addressed as part of the design and build of resilient networks. Reviewing code or hardware for faults or signs of manipulation should be just as important as checking the loads or capacities of more traditional equipment and physical plants. The strongest pipeline or best-insulated cable in the world won’t do much good if it’s connected to a compromised piece of network hardware purchased from an entity at odds with the geopolitical stance of the buyer’s host nation or corporate structure. Threat intelligence and past incident case studies can be immensely useful in determining how best to address these three areas for consideration.


Engineers, whether working on energy grids, power generation or resource extraction, are building and maintaining the networks and systems which will be the targets of future ICS malware. This potential attack surface is complex and growing. The good news is that we are more aware of threats than ever before, and the resources dedicated to addressing them are maturing and becoming more accessible. A future attempt to disable safety systems or overload a network with malicious traffic to cause harm will certainly occur, and probably sooner rather than later, but its actual outcome is largely up to us, not the attacker.

[1] https://www.reuters.com/article/us-ukraine-cybersecurity-sandworm-idUSKBN0UM00N20160108

[2] https://www.independent.co.uk/tech/chernobyl-ukraine-petya-cyber-attack-hack-nuclear-power-plant-danger-latest-a7810941.html

[3] https://home.treasury.gov/news/press-releases/sm1162

[4] https://www.reuters.com/article/us-ukraine-cybersecurity-sandworm-idUSKBN0UM00N20160108

[5] https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool

About the Author:

Jason Atwell is Principal Advisor of Global Intelligence at Mandiant. Atwell helps oversee the Strategic Intelligence & Government and Global Government Consulting practices. Atwell has over 18 years of experience in cyber and risk intelligence from across the military, government, and commercial sectors.

This post appeared first on Power Engineering.