Upon discovery and initial analysis in mid-2017, audiences primarily viewed CRASHOVERRIDE as a disruptive event targeting electric utility operations in Ukraine. Similar to the 2015 attack in the same area, CRASHOVERRIDE interrupted the flow of electricity by manipulating ICS equipment and delayed recovery operations to prolong the impact. However, CRASHOVERRIDE’s immediate effects represent only the precursors for an attempt at a more ambitious attack than what was achieved. In addition to significantly expanded scope in power disruption, CRASHOVERRIDE differentiates itself from the 2015 event by attempting to disable protective relay devices involved in the targeted operations through a denial of service (DoS) attack. The attack as implemented failed, but the most-likely intention behind this action and its implications for electric utility operations and protection have received little attention or analysis.

This paper reexamines this phase of the CRASHOVERRIDE event and likely attacker intentions, even if actual execution failed. It will highlight how CRASHOVERRIDE attempted a different type of attack than 2015 by disrupting electric power operations only as an initial step toward setting up a protection-focused attack on transmission operations, with disabling protective gear as a final attack phase to introduce possible physical destruction via cyber means.