Last year saw ransomware run rampant over state and local governments, a relentless string of data breaches at major corporations, and a first-of-its-kind cyber disruption to the U.S. power grid.
Less than a month into 2020, experts are warning that another long year of hacking risks lies ahead for U.S. energy companies and federal agencies. It’s also an election year, a fact keeping homeland security officials on high alert.
Iran, China and Russia top the list of nation-states poised to test U.S. cyberdefenses in 2020, according to acting Homeland Security Secretary Chad Wolf.
"Each of these countries has a different motivation and end goal, but all attempt to undermine our interests and international standing," including through "cyber-enabled attacks," Wolf said at a Homeland Security Experts Group event Friday.
Here’s a look at four cybersecurity issues to watch in 2020:
Grid hacking threats
After the U.S. killed top Iranian Gen. Qassem Soleimani early this month, tensions between the two countries quickly escalated and fears spread of a cyberattack on U.S. electric utilities or oil and gas companies (Energywire, Jan. 6). The worry was not unfounded: Iran-linked hackers are showing an increasing interest in electric utilities, according to a report out last week from cybersecurity firm Dragos Inc. Iran is also believed to have deployed the Shamoon computer-wiping malware against Saudi state-owned oil giant Saudi Arabian Oil Co. (Saudi Aramco) in 2012.
Several U.S. lawmakers have called for more information on Iran’s cyber capabilities following the drone strike on Soleimani. Rep. Bennie Thompson (D-Miss.), chairman of the House Homeland Security Committee, urged the Trump administration to share its strategy for dealing with potential retaliation, saying that he is concerned over Iran’s capabilities "against state and local governments and critical infrastructure to exact revenge for the death of Soleimani."
Reps. Frank Pallone (D-N.J.), chairman of the Energy and Commerce Committee, and Mike Doyle (D-Pa.), chairman of the Communications and Technology Subcommittee, called on the Department of Homeland Security and the Federal Communications Commission to brief Congress on the danger Iran presents to telecommunications networks.
Iran is not the only country to have shown interest in hacking energy companies. Russia looms large in many cybersecurity threat assessments after being tied to sophisticated malware that shut down a petrochemical plant in Saudi Arabia in 2017. The Triton malware targeted Schneider Electric SE's Triconex safety instrumented systems, the last line of automated defense against a physical accident, and the hackers behind that potentially deadly tool were seen probing U.S. facilities in 2018. When it comes to hacking industrial control systems, Russia is still the more experienced, older sibling, according to many experts.
Hacking critical infrastructure doesn’t always bring destructive or disruptive dangers. Cyberespionage is a large problem inside the energy sector, and China is one of the leading culprits, having been accused of leading hacks into managed service providers that oversee huge amounts of proprietary data from a variety of industries in the "cloud" (E&E News PM, Dec. 20, 2018).
That’s not to say China can’t wreak even more havoc. In last year’s Worldwide Threat Assessment by then-Director of National Intelligence Dan Coats, China was called out as having the ability to cause a "disruption of a natural gas pipeline for days to weeks."
Many analysts see that sort of crippling attack as highly unlikely to occur in practice. Less impactful, but more probable, is the threat posed by ransomware, malware that holds victims' computer files hostage by encrypting them and demanding payment for the key. Analysts have warned that ransomware can have unintended consequences by infecting operational technology (OT) in industrial control systems like those that run the power grid. The line between information technology and OT is beginning to blur in dangerous ways: an infected IT network can quickly lead to infected engineering workstations and operator screens, the machines that actually command a control pump or circuit breaker.
OT networks are "a really rich environment for ransomware to spread into, and usually unintentionally," said Greg Young, vice president of cybersecurity at cyberdefense firm Trend Micro.
Many OT systems are susceptible to ransomware because they are old and unpatched, Young said. That makes them perfect fodder for ransomware attacks that use common and previously documented vulnerabilities.
2020 election fears
This year marks the first U.S. presidential election since Russia-linked hacking groups interfered in the 2016 race. The big question is: To what degree will suspected Russian operatives try to do so again?
Last week, a report by Area 1 Security Inc. alleged that Russian hackers breached the Ukrainian gas company Burisma Holdings Ltd., a company tied to the impeachment of President Trump (Energywire, Jan. 15). The cybersecurity firm’s report did not detail exactly what information was gained, if any, but history may repeat itself if hackers dig up dirt on one of the leading Democratic presidential contenders, Joe Biden, to sway U.S. voters.
In 2016, the Russian government hacked Democratic National Committee and Democratic Congressional Campaign Committee networks, stealing files during the runup to the election before leaking them to WikiLeaks and DCLeaks, according to multiple U.S. intelligence agencies. WikiLeaks posted troves of politically damaging emails days before the 2016 Democratic National Convention.
The efforts by alleged Russian agents during the last general election, and continued online disinformation campaigns since then, have shifted focus to the social media companies where vast numbers of Americans get their news.
"Finally, this year we’re going to see disinformation become more on the agenda for some of the social media platforms," Young said, rather than see them "duck" the issue by invoking freedom of speech.
Russia isn’t the only player in the election interference game, the U.S. intelligence community has warned. "Russia, China, Iran, and other foreign malicious actors all will seek to interfere in the voting process or influence voter perceptions" in the upcoming November elections, according to a recent joint statement from seven agencies.
Last October, Microsoft Corp. revealed that Iranian-linked hackers had targeted the email accounts of a presidential campaign. Reuters later reported that it was Trump's reelection campaign, a case that served as a warning to other presidential candidates of the threat posed by nation-state hackers.
Days before the Iowa caucuses, Pete Buttigieg lost the only staffer who was working on cybersecurity full time, The Wall Street Journal reported. Mick Baccio quit due to differences over the handling of Buttigieg's "information security program."
Some candidates, like Sens. Bernie Sanders (I-Vt.) and Elizabeth Warren (D-Mass.), have been largely quiet on how they are handling cybersecurity in their campaign, but others have opened up about steps they are taking.
The most recent candidate to join the Democratic field — billionaire and former New York Mayor Michael Bloomberg — recently announced that his campaign is hiring a team dedicated to cybersecurity.
Spreading the word on attacks
The first reported cyberattack that disrupted the U.S. grid occurred in 2019. Will 2020 see another?
Last March, a cyberattack on Cisco Systems Inc. equipment installed at renewable energy giant sPower briefly blinded communications between grid control centers and several wind and solar generation sites in Utah, Wyoming and California. The attack didn’t seem to be intentional and the signals were lost for less than five minutes, but the blips served as a reminder of utilities’ increased exposure to attacks as they embrace digitization (Energywire, Sept. 6, 2019).
The North American Electric Reliability Corp. is wagering that information sharing will be at the heart of ensuring similar cyber events don’t happen again. This year, NERC’s Electricity Information Sharing and Analysis Center (E-ISAC) increased its budget to just over $31 million and plans to add at least nine new employees.
The investment is part of its long-term strategic plan to make E-ISAC "a world-class intelligence collecting and analytical capability for the electricity industry."
E-ISAC spreads the word on the latest cyberthreats and vulnerabilities to registered utilities and other subscribers to its private portal, raising the question: Will members of the public even know if another grid cyberattack happens?
The March incident, a denial-of-service attack that left the affected firewalls repeatedly rebooting, was only mentioned publicly in a single line on an obscure Department of Energy "electric disturbance" form. Officials at DOE, NERC, DHS, the Federal Energy Regulatory Commission and the Western Electricity Coordinating Council all declined to share more details at the time.
2020 could pose other challenges for cybersecurity transparency as federal regulators puzzle over whether to reveal the names of utilities found to have broken mandatory cybersecurity requirements.
NERC and FERC, the two organizations responsible for setting and enforcing rules for grid cyberdefense, submitted a joint proposal last year that advocated for revealing the names of companies that have violated cybersecurity regulations, along with the general nature of the violation and the penalty amount. The change was aimed at balancing "confidentiality, transparency, security and efficiency concerns" and wouldn’t reveal technical details that could benefit malicious actors.
This proposal was lauded by consumer advocates, but others worried that even revealing the names of rule-breaking companies could put grid reliability at risk. In a comment on the proposal, DOE said that disclosing any identities would be shining a beacon to malicious actors while also discouraging self-reporting by those companies.
"Despite the consequences for transparency, withholding violator identities is the only reasonable way to avoid this undesirable result," DOE wrote in its comments, signed by Assistant Secretaries Bruce Walker and Karen Evans.
Protecting the supply chain
If the last few years saw supply chain security grow in the public consciousness, experts say 2020 will be when action finally occurs. Well, maybe.
FERC's enforcement of the new supply chain regulations for the bulk power grid, NERC's CIP-013 standard, is set to begin this July. The standard requires utilities to create a "security risk management plan." Large power companies must also keep track of remote network access by vendors and verify that software installed in the power grid is not modified or counterfeit.
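The software-verification requirement above is the one piece of the standard that reduces to a concrete check: before a vendor's package is installed, every file is hashed and compared against the integrity manifest the vendor published with the release. The following is an added illustration, not code from the article, from NERC or from any utility or vendor. It uses the two-space "digest  path" layout that sha256sum produces, which vendors commonly publish; the file names, contents and the "vendor" and "utility" roles are constructed for the example. It assumes the manifest itself has already been authenticated (a signature over the manifest, or retrieval over a separate trusted channel); without that step an attacker who can replace the firmware can replace the manifest too.

```python
"""
Integrity verification of a staged software release against a vendor
manifest. Added example: the manifest format is the sha256sum layout,
everything else (paths, bytes, roles) is constructed for illustration.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publish_manifest(files: Dict[str, bytes]) -> str:
    """Vendor side: one '<sha256 hex>  <relative path>' line per shipped file."""
    return "".join(f"{sha256_hex(data)}  {path}\n"
                   for path, data in sorted(files.items()))


def parse_manifest(text: str) -> Dict[str, str]:
    """Utility side: strict parse. Any malformed or duplicate line is an error,
    because a manifest we cannot fully trust is not a manifest."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # maxsplit=1 keeps spaces in paths
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        digest, path = parts
        bytes.fromhex(digest)                 # raises ValueError on non-hex
        if path in expected:
            raise ValueError(f"duplicate manifest entry for {path}")
        expected[path] = digest.lower()
    return expected


def verify_against_manifest(manifest_text: str,
                            staged: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Returns (ok, findings). ok is True only when every listed file is present
    with the expected digest AND nothing unlisted is staged for installation."""
    expected = parse_manifest(manifest_text)
    findings: List[str] = []
    for path, digest in expected.items():
        if path not in staged:
            findings.append(f"MISSING {path}")
            continue
        actual = sha256_hex(staged[path])
        # Constant-time comparison; cheap here, and the right habit for digests.
        if not hmac.compare_digest(actual, digest):
            findings.append(f"MODIFIED {path} (expected {digest[:12]}..., got {actual[:12]}...)")
    for path in staged:
        if path not in expected:
            findings.append(f"UNLISTED {path}")   # counterfeit or smuggled extra
    return (not findings, findings)


# Constructed sample release: what the vendor ships and what it publishes.
GENUINE: Dict[str, bytes] = {
    "firmware/rtu-3.2.1.bin": b"\x7fELF" + b"\x00" * 12 + b"constructed firmware image",
    "config/defaults.yaml": b"modbus:\n  port: 502\n",
}
MANIFEST = publish_manifest(GENUINE)


def tampered_release() -> Dict[str, bytes]:
    """Constructed attack: one byte appended to the firmware, one extra binary added."""
    staged = dict(GENUINE)
    staged["firmware/rtu-3.2.1.bin"] = GENUINE["firmware/rtu-3.2.1.bin"] + b"\x90"
    staged["tools/helper.exe"] = b"MZ constructed extra binary"
    return staged


if __name__ == "__main__":
    ok, findings = verify_against_manifest(MANIFEST, GENUINE)
    print("genuine release:", "OK" if ok else findings)
    ok, findings = verify_against_manifest(MANIFEST, tampered_release())
    print("tampered release:", "OK" if ok else "\n  ".join([""] + findings))
```

Two design points matter for an OT deployment. The verdict is binary on the whole release, not per file, so an operator cannot "install the parts that passed"; and unlisted files fail the check, since a counterfeit package is at least as likely to add a file as to alter one. Hash checks catch modification; proving the package came from the vendor at all still requires the manifest (or the package) to carry a signature that the utility validates against a key obtained out of band.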
The impact of the new standards remains to be seen. Patrick Miller, managing partner at Archer Energy Solutions LLC and a former NERC auditor, said that although the regulation does have good sections — such as software verification — it was created too quickly and resulted in a vague and bare-bones supply chain standard.
"Fast regulation is usually not good regulation, and this one is no different," Miller said.
Supply chain security is one of the five cybersecurity priorities that FERC staff laid out in a presentation in November.
FERC has also created a cybersecurity division under the Office of Electric Reliability, and supply chain security is going to be a "top priority," FERC Chairman Neil Chatterjee wrote in a letter this month addressing concerns around U.S. power-sector use of equipment from China-based telecommunications giant Huawei Technologies Co.
"My colleagues and I at the Commission will continue to work with the North American Electric Reliability Corporation and our federal partners including the Department of Energy and the Department of Homeland Security to assess the threat posed by Huawei and take additional action as appropriate," Chatterjee wrote.
The White House and Congress view Huawei as a security threat and have effectively blocked many U.S. companies and manufacturers from using the company’s products in any infrastructure for fifth-generation (5G) wireless technology. The fear is that using Huawei equipment would allow China to spy on Americans or hijack vital equipment during a conflict. Chris Krebs, who leads the Cybersecurity and Infrastructure Security Agency at DHS, told Politico last year that his top priority through 2021 is "China, supply chain and 5G."
Huawei has countered that there is no firm evidence of its equipment being linked to any Chinese spying and has slammed U.S. restrictions as a baseless attempt to judge companies’ security based on the geography of their headquarters.
The debate over supply chain security is only likely to intensify in 2020, as NERC shares results of a power-sector survey of Huawei’s prevalence in the U.S. power grid.