The Justice Department has accused nine Iranian nationals of hacking thousands of victims worldwide, including employees at a crucial U.S. energy regulator.
The Federal Energy Regulatory Commission may not be a household name, but its policies touch on some aspect of nearly every American’s life. The agency oversees hundreds of thousands of miles of interstate natural gas pipelines and the bulk electric power grid.
FERC "has details of some of this country’s most sensitive infrastructure," Geoffrey Berman, U.S. attorney for the Southern District of New York, said at a press conference Friday unveiling charges against the Iranian residents.
The men named in the indictment allegedly cracked into FERC accounts by "password spraying" — pairing emails with commonly used passwords until a combination succeeded. Justice Department officials claimed the hackers were working on behalf of the Islamic Revolutionary Guard Corps, a military and intelligence force that reports to Iran’s supreme leader, Ayatollah Ali Khamenei.
FERC spokesman Craig Cano acknowledged that "a small number of email accounts were inappropriately accessed" last fall, noting that the agency would continue to work with federal authorities on the case. "The commission has taken and will continue to develop corrective action to ensure that appropriate controls are operating effectively," he added.
What, if anything, might have been siphoned from FERC’s headquarters in Washington, D.C., to the Mabna Institute, an alleged front for the state-sponsored hackers in Tehran?
"My fear is that FERC has done these pretty detailed studies on vulnerabilities in the grid," said Earl Shockley, founder and president of the InPOWERd LLC consultancy and a former senior executive at the nonprofit North American Electric Reliability Corp., which oversees operations and security of the nation’s interstate power grid. "Who knows if [hackers] have any of that material?"
NERC and FERC work closely together to monitor security at bulk electricity generation and transmission sites, from major power plants to key substations.
While the most sensitive documents — such as those pertaining to specific security practices at large utilities — are kept onsite at the relevant facilities or offline on encrypted hard drives, Shockley pointed out that "a lot of confidential emails go back and forth between NERC and FERC" involving critical infrastructure protection.
For instance, FERC and NERC have recently worked together to find sensitive spots where natural-gas-fired power generators are reliant on a lone pipeline or gas storage facility, making them susceptible to attack.
Four years ago, a confidential FERC study found that disabling nine vital substations on a given day could result in a nationwide blackout, a controversial report that triggered widespread political reaction and concern (Energywire, March 14, 2014).
There is nothing to indicate hackers made off with that particular document. But there is some evidence to suggest that Iran’s intelligence haul wasn’t trivial.
Late last year, the Department of Energy’s inspector general reported discovering a cybersecurity "incident" affecting FERC’s unclassified computer systems (E&E News PM, Nov. 1, 2017).
"While we commend the commission for its response to the security incident, we are concerned that certain controls may not have been in place that could have potentially prevented the incident," Assistant Inspector General Sarah Nelson concluded at the time.
FERC’s Cano confirmed that the "incident" described last fall is connected to the Justice Department’s announcement Friday.
FERC denied E&E News’ Freedom of Information Act request for documents related to the case, citing an ongoing law enforcement investigation.
In a rejection letter dated Dec. 17, 2017, the agency also painted potential disclosure of the files in dire terms.
"FERC has information related to the nation’s energy infrastructure, as well as its cybersecurity grid (in addition to privacy information of individuals involved in Agency action)," the letter noted. "Public release of the requested documents would provide information that could help breach FERC’s network, and allow possible access to non-public, sensitive, and/or confidential information that could be used to plan an attack on energy infrastructure, endangering lives and safety of citizens."
Cases for context
Chris Blask, director of industrial control systems security at the global information technology firm Unisys Corp., put the FERC hack in the context of previous state-backed cyber intrusion campaigns, such as the suspected Russian activity disclosed earlier this month by the Department of Homeland Security and the FBI.
In that case, Russian hackers are said to have penetrated the networks of several U.S. power utilities, taking screenshots of sensitive control system equipment and laying the groundwork for physical disruption.
"We and other nations are not doing damage to each other’s infrastructure, because these are acts of war," Blask said. "We see nation states like Russia and Iran taking steps that would predate [war] — they’re not turning things off, but they’re demonstrating that they can."
Two years ago, the Justice Department accused Iranian citizen Hamid Firoozi of hacking into the control system of a small dam near Rye, N.Y., gaining the ability to remotely operate a sluice gate (Energywire, March 28, 2016).
The dam’s computer system was down for maintenance at the time Firoozi allegedly accessed it in September 2013, leaving operations unaffected.
But the case brought heightened scrutiny to the security of the control systems underlying everything from bulk power systems to manufacturing plants in the U.S. and around the world.
Last November, the Justice Department unsealed an indictment against Behzad Mesri, an Iranian hacker said to have targeted unspecified "nuclear software systems and Israeli infrastructure." A grand jury in New York indicted him on charges that he hacked and attempted to extort Home Box Office Inc. between May and July 2017.
While the bulk of the U.S. power grid is owned and operated by private utilities, the recent cyber intrusions at FERC show "the federal government is just as vulnerable as the energy industry," Shockley said.
"They’re as concerned about cybersecurity as a PJM [Interconnection] or a Southern Co. — because they have computers and internet conditions, and they have a lot of important information," he said.
Reporter Sam Mintz contributed.