Ukraine Power Grid
Sandworm’s BlackEnergy 3/KillDisk Wiper/CRASHOVERRIDE
Energy
Outages for 225,000+ customers
Spear-phishing
Unsegmented networks and weak identity validation
Least Privilege and Passwordless Access and Segmentation
The 2015 and 2016 attacks on Ukraine’s power grid demonstrated the devastating efficacy of leveraging stolen credentials in unsegmented OT environments. The Russian cyber actors (Sandworm) first established persistent access via spear-phishing, acquiring valid credentials to control energy management systems.
The 2015 incident was highly interactive, as actors manually used valid credentials and remote administration tools to gain operational control and de-energize seven substations, resulting in blackouts affecting over 225,000 customers.
The 2016 attack demonstrated escalation: the threat actors built upon earlier tactics, encoding ICS manipulations within software (preventing recovery) and coupling it with a denial-of-service attack targeting digital protective relays. Both incidents underscored that the failure was not due to perimeter breaches, but instead to the lack of least-privilege enforcement within the network after valid credentials were used. The broad, implicit trust granted to authenticated users allowed them to perform unauthorized, destructive actions.
These attacks succeeded because valid credentials granted broad operational privileges across the network. A foundational principle of Zero Trust is the enforcement of least privilege.
BlastWave would enforce that a user with a “Field Operator” identity is only authorized to execute commands on their specific, authenticated Human Machine Interface (HMI) terminals. BlastWave’s primary defense in this scenario is that there are no credentials to steal, so a hacker would be unable to gain access.
If that operator’s credentials were stolen (because they were using SSO integrations rather than BlastWave’s passwordless authentication) and used by an attacker, BlastShield would prevent the execution of manual remote operations (such as opening a breaker) from an unauthorized foreign device or geographic location.
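The control described above, an identity that is only authorized for certain commands and only from its own authenticated HMI at a permitted site, can be modeled as a small policy check. The following is an added illustrative example, not BlastWave’s or BlastShield’s code; the role table, device and site bindings, user names and audit sink are all constructed assumptions. It shows why a valid credential on its own is not enough to open a breaker: the same identity is accepted for a routine read from its bound HMI, refused a breaker operation its role does not include, and refused entirely when reused from an unbound remote workstation at another site. Every denial is recorded, because denied requests from a valid identity are the detection signal for credential misuse.

```python
from dataclasses import dataclass

# Constructed policy for the example: what each role may do. A stolen
# credential still arrives with a role, and the role never grants more.
ROLE_COMMANDS = {
    "field_operator": frozenset({"read_status", "ack_alarm"}),
    "protection_engineer": frozenset(
        {"read_status", "ack_alarm", "open_breaker", "close_breaker"}
    ),
}


@dataclass(frozen=True)
class Identity:
    """An authenticated identity plus the device and site it is bound to."""
    user: str
    role: str
    bound_devices: frozenset  # HMI terminals this identity may operate from
    allowed_sites: frozenset  # physical sites this identity may operate from


@dataclass(frozen=True)
class Request:
    """One control request as it reaches the enforcement point."""
    user: str
    command: str
    device_id: str  # authenticated device the request originates from
    site: str       # site the originating device is located at
    target: str     # asset being acted on, e.g. a breaker


# Constructed audit sink: denied requests are the detection signal.
DENIED_LOG = []


def authorize(identity, req):
    """Decide one request. Returns (allowed, reason); every denial is logged."""
    checks = (
        (req.user == identity.user, "identity mismatch"),
        (req.command in ROLE_COMMANDS.get(identity.role, frozenset()),
         "command not permitted for role"),
        (req.device_id in identity.bound_devices, "device not bound to identity"),
        (req.site in identity.allowed_sites, "site not permitted for identity"),
    )
    for ok, reason in checks:
        if not ok:
            DENIED_LOG.append((req.user, req.command, req.device_id, req.target, reason))
            return False, reason
    return True, "allowed"


def scenario():
    """Constructed scenario: one valid identity used legitimately, then misused."""
    operator = Identity(
        user="op.example",  # hypothetical user name
        role="field_operator",
        bound_devices=frozenset({"hmi-07"}),
        allowed_sites=frozenset({"substation-a"}),
    )
    requests = [
        # 1. Legitimate: bound HMI, permitted site, permitted command.
        Request("op.example", "read_status", "hmi-07", "substation-a", "breaker-3"),
        # 2. Same valid identity, but its role does not include breaker control.
        Request("op.example", "open_breaker", "hmi-07", "substation-a", "breaker-3"),
        # 3. Same valid identity reused from an unbound remote workstation off-site.
        Request("op.example", "read_status", "ws-remote-01", "offsite", "breaker-3"),
    ]
    return [authorize(operator, r) for r in requests]


if __name__ == "__main__":
    for decision in scenario():
        print(decision)
    for entry in DENIED_LOG:
        print("DENIED", entry)
```

The decision never consults the credential itself: by the time a request reaches `authorize`, authentication has already happened, and the checks are entirely about what this identity is allowed to do, from where, and on which terminal. Binding the device and site to the identity is what turns a stolen credential into a logged, refused request instead of a de-energized substation.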
Reading about past failures is only useful if it changes future outcomes. If attackers can see your OT network, they can target it. If they can target it, compliance, safety, and uptime are already at risk.
BlastWave eliminates reconnaissance, initial access, and lateral movement — without agents, without downtime, and without changing IPs, protocols, or PLCs.