The rules of engagement in cyber conflict may be "eroding," a cybersecurity executive warned yesterday, but there are a few lines hackers won’t cross in the United States.
"You don’t take down a utility; you don’t change the results of elections," Kevin Mandia, CEO of FireEye Inc., told a group of reporters at a cybersecurity conference yesterday in Washington, D.C.
He said hacking groups backed by foreign governments would have to "think long and hard" to change vote tallies or activate malware inside a utility that could harm its control systems, given the risk of retaliation.
"Those are rules that — in my experience — I have not seen any nation break yet."
Russian hackers are suspected to have briefly disabled parts of Ukraine’s power grid in December 2015 and again in 2016, according to Ukrainian security authorities and multiple cybersecurity companies, including FireEye.
But those attacks, while alarming, were hardly disastrous — cutting off power to little more than a quarter-million people for a few hours each time.
"We’ve been incredibly lucky that we haven’t seen a catastrophic attack against critical infrastructure," said Charles Carmakal, vice president of Mandiant, a subsidiary of FireEye focused on cyber incident response. "Threat actors who are actually capable of disrupting our critical infrastructure aren’t motivated to do it, and those that are motivated to do it aren’t yet capable of doing it."
Despite countries’ reluctance to launch cyberattacks that carry physical consequences, Carmakal said some groups toe the line.
"We have seen Russian operators probe nuclear power plants, oil and gas pipelines in the U.S.," he said. "There have been situations where Russian government operators have gotten access to critical infrastructure. … What I have not yet seen is a deliberate attempt by a foreign government to disrupt operations in the U.S., from a critical national infrastructure perspective."
FireEye has investigated several recent cyber intrusions that have targeted the industrial control systems that keep the lights on, or oil and gas flowing.
A recent hacking threat that FireEye dubbed "Triton" disabled core components of an industrial safety system at a petrochemical facility in the Middle East. The hackers were booted out, but not before causing the plant to shut down multiple times while they tampered with lifeline safety instrumented systems, according to FireEye.
Dragos Inc., another cybersecurity company focused on threats to industrial control systems, recently warned that the hackers behind Triton had expanded their operations and were targeting other sites globally. FireEye experts confirmed yesterday that the threat had spread to the U.S., while noting that actually disrupting industrial systems, from refineries to power utilities, remains a tall order.
Carmakal credited the "acute awareness of the potential for an attack against critical infrastructure in the U.S.," adding that vital companies "tend to have better defensive capabilities than organizations in other parts of the world."
Or, as Mandia put it, "The first person who tries to take down a utility will fail, and you’ll likely notice it."
