10 Years Since the First Ukraine Power Grid Attack: Lessons in Defense

I remember exactly where I was when I first heard about the Ukraine power grid attack. It was late December 2015, and I was serving as the Protection, Control, and Condition Monitoring Manager at National Grid. My phone started buzzing with messages from colleagues across the industry: “Did you see this? They actually did it.”

225,000 people lost power in western Ukraine on 23 December 2015. Not because of a storm, not because of equipment failure, but because adversaries remotely accessed SCADA dispatch systems and manually opened circuit breakers at 30 substations. For those of us who spent our careers ensuring grid reliability, this wasn’t just a cybersecurity incident. It was proof that everything we’d built to keep the lights on could be weaponised.

A decade later, I’m often asked why we’re still talking about Ukraine. The answer is simple: because the fundamental questions it raised haven’t been fully answered.

The 2015 attack wasn’t particularly sophisticated malware. It was patient adversaries who spent six months learning how operators worked, studying network architecture, and waiting for the right moment. They didn’t need zero-days or advanced persistent threats. They needed time, access, and understanding of how power systems operate.

The 2016 follow-up attack using CRASHOVERRIDE showed us something even more concerning: adversaries were developing purpose-built tools that speak native ICS protocols. This wasn’t IT malware adapted for OT. This was malware designed by people who understood substations, circuit breakers, and protection relays.

As someone who spent years working with protection systems, I can tell you that CRASHOVERRIDE’s ability to manipulate IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OPC DA protocols represented a level of operational understanding that changed the threat calculus for every utility operator.

When you’re responsible for protection and control systems, you think about failure modes constantly. What happens if a relay fails? What happens if communications are lost? What happens if an operator makes a mistake? You build plans and do tabletop exercises to get teams aligned on how to respond in those scenarios.

Ukraine forced us to add a new scenario: What happens when those things happen simultaneously because an adversary orchestrated them?

The attackers didn’t just open breakers. They deployed KillDisk malware to prevent system restoration. They corrupted firmware on Serial-to-Ethernet converters. They scheduled UPS disconnects to interfere with recovery. They called the utility’s call centre to jam the lines so customers couldn’t report outages.

This was an attack designed by someone who understood not just how to cause an outage, but how to make restoration as difficult as possible. That level of operational sophistication should concern every critical infrastructure operator.

The good news is that our industry has matured significantly since 2015. We have better visibility into OT networks. Threat intelligence sharing has improved dramatically. Technologies that were emerging then, like network monitoring specifically designed for industrial protocols, are now deployed across many industrial facilities.

In the United States, the recent approval of NERC CIP-015 requiring Internal Network Security Monitoring represents exactly the kind of evolution we need. Moving from perimeter-only defence to internal visibility acknowledges what Ukraine taught us: adversaries will get in, so we need to see them when they move laterally toward control systems.
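As an added illustration of the internal monitoring described above (example code written for this edit, not Dragos tooling or anything from the original post), the script below parses IEC 60870-5-104 I-frames, one of the protocols CRASHOVERRIDE spoke natively, and flags control-command activations that come from any host outside an assumed allow-list of known SCADA masters. The frames, IP addresses and allow-list are constructed for the example.

```python
# Added example, not code from Dragos or the original post: flag IEC 104
# control commands that do not originate from the known SCADA masters.
from dataclasses import dataclass

# ASDU type IDs for process control commands (45-51 and 58-64).
CONTROL_TYPE_IDS = set(range(45, 52)) | set(range(58, 65))

@dataclass
class ControlEvent:
    src: str
    dst: str
    type_id: int
    cot: int      # cause of transmission (6 = activation)
    ioa: int      # information object address of the targeted point
    select: bool  # True = select, False = execute (S/E bit of the qualifier)

def parse_i_frame(src, dst, apdu):
    """Return a ControlEvent if apdu is an I-format APDU carrying a control ASDU."""
    # APCI: start byte 0x68, APDU length (excludes these two bytes), 4 control bytes.
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2:
        return None
    if apdu[2] & 0x01:  # control field bit 0 set: S- or U-format, no ASDU inside
        return None
    asdu = apdu[6:]
    if len(asdu) < 9 or asdu[0] not in CONTROL_TYPE_IDS:
        return None
    cot = asdu[2] & 0x3F  # low 6 bits; bit 6 is P/N, bit 7 is the test flag
    ioa = asdu[6] | asdu[7] << 8 | asdu[8] << 16  # 3-byte little-endian IOA
    select = bool(asdu[9] & 0x80) if len(asdu) > 9 else False
    return ControlEvent(src, dst, asdu[0], cot, ioa, select)

def find_unauthorized_commands(frames, allowed_masters):
    """Activations (COT 6) sent by hosts that are not on the master allow-list."""
    return [ev for src, dst, apdu in frames
            if (ev := parse_i_frame(src, dst, apdu)) and ev.cot == 6
            and src not in allowed_masters]

# Constructed frames: a general interrogation (type 100) from the real master,
# then a C_SC_NA_1 single command (type 45, execute) on IOA 1001 from a rogue host.
GI_FRAME = bytes([0x68, 0x0E, 0, 0, 0, 0, 0x64, 0x01, 0x06, 0x00, 0x01, 0x00, 0, 0, 0, 0x14])
SC_FRAME = bytes([0x68, 0x0E, 0, 0, 0, 0, 0x2D, 0x01, 0x06, 0x00, 0x01, 0x00, 0xE9, 0x03, 0x00, 0x01])
SAMPLE_FRAMES = [("10.0.1.5", "10.0.2.20", GI_FRAME),   # master -> RTU (constructed IPs)
                 ("10.0.1.5", "10.0.2.20", SC_FRAME),   # the master issues a command: expected
                 ("10.0.9.77", "10.0.2.20", SC_FRAME)]  # an unknown host issues the same command
ALLOWED_MASTERS = {"10.0.1.5"}

def demo():
    return find_unauthorized_commands(SAMPLE_FRAMES, ALLOWED_MASTERS)

for ev in demo():
    print(f"ALERT {ev.src} -> {ev.dst}: type {ev.type_id} IOA {ev.ioa} select={ev.select}")
```

In practice the frames would come from a span-port capture rather than an inline list, and the allow-list from the site's asset inventory.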

But here’s what hasn’t changed: the fundamental architecture of power systems. We still have SCADA systems. We still have substations with remote access capabilities. We still need operators to be able to control the grid from dispatch centres. And we still face determined adversaries with nation-state resources who view critical infrastructure as a strategic target.

One detail from the Ukraine investigation has always stayed with me: the attackers controlled the operators’ mice in real time, watching them try to regain control as circuit breakers opened across the region.

This isn’t abstract. This is an operator watching helplessly as their cursor moves across the screen without their input, opening breakers they’re desperately trying to close. For anyone who’s sat in a control room, this scenario is visceral.

It reminds us that OT cybersecurity isn’t just about technology. It’s about protecting the people who operate critical infrastructure and the communities who depend on it.

I’ve had the privilege of seeing this challenge from multiple angles: as a protection engineer responsible for system reliability, as Global Head of Cyber Operational Technology developing security programmes, and now working with utilities worldwide as they mature their OT security capabilities.

What I’ve learned is that the operators and engineers who keep the lights on every day are the same people who will ultimately secure these systems. They understand what’s critical, what’s connected, and what failure looks like. Our job is to give them the visibility, tools, and support to extend that operational excellence into the cybersecurity domain.

The threat actors behind the Ukraine attacks, groups we now track as KAMACITE and ELECTRUM, remain active. We are looking back at an attack from 10 years ago, but do not forget that they attacked Ukrainian infrastructure again in 2022 using Industroyer2, and they’ve expanded their targeting beyond Ukraine to other regions and sectors. The techniques they pioneered are now part of the broader threat landscape that every utility must defend against.

But the community that’s formed in response - utilities, vendors, researchers, regulators, and operators working side-by-side - represents our best defence. We share intelligence, we learn from incidents, and we continuously improve. In many ways, our collective response is a reminder of what we can achieve with persistence, focus, and a willingness to work together.

As we mark ten years since that December night in Ukraine, the imperative is clear: we need to ensure that the global community of critical infrastructure defenders has the visibility, resources, and collaboration needed to detect and prevent attacks before they impact the communities we serve.

This isn’t about perfect security. That doesn’t exist. It’s about making sure that when adversaries probe our defences, we see them. When they move laterally through networks, we detect them. And when they attempt to manipulate control systems, we stop them.

The infrastructure we protect enables everything else: hospitals, water systems, communications, commerce, and daily life. That responsibility drove me as a protection engineer, and it drives me now. Ukraine showed us what’s possible when adversaries commit resources to attacking critical infrastructure. Our response must be equally committed to defending it.

On January 13, 2026, Robert M. Lee and Tim Conway, two of the lead investigators from the original Ukraine incidents, will host a retrospective webinar examining these attacks and their ongoing relevance. We all benefit when we share knowledge about defending critical infrastructure.

Phil Tonkin is the Field Chief Technology Officer at Dragos. Before this, he held the position of Chief of Staff as the company’s top strategic advisor to the CEO, Robert M. Lee.