The susceptibility of electrical grids around the world came into sharp focus on June 8 as the hacker group known as Electrum used a malware bundle dubbed CRASH OVERRIDE to disrupt power distribution in Kiev, Ukraine. The many similarities of electrical grids across the world, coupled with the malware’s modular framework, had leaders and electrical utilities wondering if they were prepared for Crash Override or a similar attack.

For the June Threat Model of the Month, we built a threat model of an electrical substation industrial control system (ICS) similar to the one infected by Electrum. Electrical substation ICSs, as is true for most ICSs, are built for robust functionality, not cybersecurity. In fact, according to the threat intelligence report provided by Dragos, the modular payload of Crash Override effectively used the substation control systems in the way they were intended to be used – simply by telling the system to open circuit breakers that were supposed to be closed, thereby de-energizing large sections of the downstream grid and leaving the citizens of Kiev in the dark.

Building an Electrical Substation ICS Threat Model

Click to watch a brief video and learn how efficiently ThreatModeler™ allows users to create an ICS threat model relevant to the electrical grid.

Be Prepared for Crash Override or other Threats with ThreatModeler™

Electrical substation ICSs are designed specifically to keep the generated power balanced across the transmission area based on the demand of each geographical area. For the most part they were designed when engineers worried more about severe weather and earthquakes than about cyber attackers. Thus, once a malware bundle infects a substation’s cyber system, it is relatively unchallenged and free to do the attacker’s bidding. The first step in being prepared for Crash Override is to understand the threat and how it may be relevant to your organization or system – which requires a threat-centric approach to threat modeling.

Understanding the attackers is also key to being prepared for a potential cyber attack. One of the key take-aways from the threat intelligence report provided by Dragos is that the attackers took advantage of known weaknesses with the ICS’ communication protocols to map the cyber environment and locate the appropriate targets. Modern cyber attackers often probe applications and systems to map out the architecture and the most efficient way to access critical libraries, configuration files, and data bases. Understanding your applications and systems from the attackers’ perspective is an important part of being prepared for Crash Override or other relevant threat. An architecture-based approach to building your threat models is the only way to understanding your applications and systems from the attacker’s perspective.

The threat-centric threat model based on the architecture of a typical electrical substation ICS identified 60 potential threats – including potential malware like Crash Override – and 10 security requirements. The summary threat report the electrical substation ICS threat model may be downloaded here.

Schedule a demo with a expert to learn more about how efficiently ThreatModeler™ allows users to build ICS threat models.


ThreatModeler revolutionizes threat modeling during the design phase by automatically analyzing potential attack surfaces. Harness our patented functionalities to make critical architectural decisions and fortify your security posture.

Learn more >


Threat modeling remains essential even after deploying workloads, given the constantly evolving landscape of cloud development and digital transformation. CloudModeler not only connects to your live cloud environment but also accurately represents the current state, enabling precise modeling of your future state

Learn more >


DevOps Engineers can reclaim a full (security-driven) sprint with IAC-Assist, which streamlines the implementation of vital security policies by automatically generating threat models through its intuitive designer.

Learn more >