More utilities share a foxhole on cyber front

By Peter Behr | 06/18/2019 07:07 AM EDT

Intensifying cybersecurity threats against the U.S. electricity industry from state-backed hackers are pushing grid operators to share more information with other companies and federal agencies about dangerous intrusions, according to experts.

Experts are calling on utilities to partner with the Pentagon and other infrastructure operators on cyberdefense against dangerous intrusions. Pentagon Force Protection Agency

"I’ve seen a sea change in terms of willingness to share, a recognition of the significance of information-sharing, and that’s in large part predicated on the threat environment, which is as complex as we’ve seen," said Frank Cilluffo, director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, speaking before an Edison Electric Institute forum.

A new cyber campaign to penetrate U.S. utilities, tied to a potent hacking group with suspected connections to Russian intelligence, was identified on Friday by E&E News, based on a nonpublic alert to the industry (Energywire, June 14).

On Sunday, The New York Times published a report, citing unnamed sources, that U.S. cyber forces have stepped up intrusions into Russia’s electric power grid to plant malware that could strike back if Russia attacked U.S. networks. The U.S. effort is a demonstration of the U.S. Cyber Command’s "defend forward" mission announced last year.

President Trump denied the account and said the Times' decision to publish a story was "a virtual act of Treason."

On another front, some security experts predict Iran could launch new cyberweapons against U.S. targets to gain influence in its conflict with the Trump administration.

"Given Iran’s prior history of conducting both non-destructive and destructive cyberattacks against the United States and our private-sector companies, it seems reasonable to expect more of the same because Iran sees the opportunity as a leverage point," said Jamil Jaffer, vice president for strategy at IronNet Cybersecurity and head of the National Security Institute at George Mason University.

"Iran may be interested in seeing how far they can push us because we haven’t been clear how far we’ll let them go," he said. "As a result, I think cyberattacks of varying degrees of impact are very much on the table."

Energy Secretary Rick Perry told the EEI conference last week in Philadelphia that destructive malware is likely already in place in some parts of the U.S. grid, hidden and dormant until called upon. Perry said his greatest fear is the day when hackers strike the grid after an extreme storm has already caused chaos across a region.

"That scenario, and the chaos that could come from that into a city like New York, is a terrifying thought to me," Perry said.

The power industry finds itself on "the front lines of a geopolitical struggle," said Dennis Gilbert, vice president and chief information security officer for Duke Energy Corp. Adversaries are trying to penetrate power companies to implant cyberweapons that could help them pressure the United States in a political confrontation that threatened military conflict, he said.

"Some of the nation-states would definitely like to have the ability to turn off and on the power, or at least make us believe they can," Gilbert said.

Auburn’s Cilluffo said that urgency has opened the doors to more collaboration within the industry.

"All the old battles about needing to share aren’t being discussed anymore," he said in an interview. "The dilemmas now are over what kinds of information can be shared, what can be acted upon, and not throwing everything at a problem, but winnowing it down to operationally valuable information.

"I don’t mean to be too Pollyannaish about this, but you’re starting to see information-sharing between and among industry partners that years ago you would not have seen," he said.

What is not clear, at this point, is the willingness of utilities to provide the government with evidence of cyber intrusions that could arm the U.S. Cyber Command with clues to then go track down the hackers and block future attacks. That’s the expanded mission of Cyber Command, announced last fall after the White House and Congress gave the command more discretion to choose its targets and counterweapons.

"We really need to gravitate toward collective defense, where industry, government and private citizens are all in this together," Brian Harrell, assistant secretary for infrastructure protection at the Department of Homeland Security, said at the EEI conference.

"What we know for certain is that no one company — whether a utility, financial institution, or health care provider — has resources to defend themselves against a nation-state attack," Jaffer said. "And at the same time, the government doesn’t have insight into the attacks taking place against the private sector. As a result, both need one another."

"Utilities could capture malware in real time being embedded in their systems and send that to the intelligence community for real-time analysis," said Paul Stockton, former assistant secretary of Defense for homeland defense and managing partner with the Sonecon LLC consulting firm.

Then the intelligence community could not only help defend utilities but also take the utilities’ threat data to identify an attack group before malware is launched, he said.

Cilluffo and Stockton collaborated on a report by the Auburn security center that highlighted another cyber vulnerability shared by the Pentagon and private-sector firms — the risk that in an international crisis, adversaries could use cyberattacks to shut down energy, communications or transportation companies that the U.S. military depends on to move troops and equipment to the front.

Some U.S. companies have held back on joining forces with the Defense Department for various reasons, but the report concludes that most "want to lean in" and look for ways that the military and private sector can help each other, they said.

"Though major progress is being made, and [the Defense Department] and its civilian agency and industry partners are working more closely together, the threat continues to accelerate," the report said.

In March, Cyber Command was seeking utilities willing to volunteer to explore threat-sharing partnerships. Thomas O’Brien, senior vice president and chief information officer for regional grid operator PJM Interconnection, told E&E News that PJM had discussed working with Cyber Command. "We certainly are interested in doing so," he said (Energywire, March 14).

But Connie Lau, president and CEO of Hawaiian Electric Industries Inc. and a panel moderator at the EEI conference last week, said her utility is exploring ways it might collaborate with the Pentagon, adding that it is "very much in the nascent stage."

"We’re a pretty long way from doing that," she said.