Some of the world’s most dangerous hackers have zeroed in on the U.S. power sector in recent months, according to a nonpublic alert issued by the North American Electric Reliability Corp. this spring and new research.
The grid regulator sounded the alarm on March 1 with the industrial cybersecurity firm Dragos Inc. over a notorious hacking group known as "Xenotime" in the report. Xenotime has been spotted hitting U.S. electric utilities with "reconnaissance and potential initial access operations" since late last year, the alert said.
The hacking group, infamous for infecting the safety systems of a Saudi petrochemical plant with highly specialized, life-threatening malware two years ago, isn’t known to have broken through to the sensitive controls of U.S. power plants or substations.
The fact that the attackers behind the "Triton" malware can switch gears from hacking oil companies to electric utilities is significant, experts say, given the group’s sophistication and its suspected ties to Russian intelligence agencies (Energywire, March 7).
"Xenotime remains the most dangerous cyberthreat in the world, with the capability and intent to kill people," said Sergio Caltagirone, vice president of threat intelligence at Dragos. "We’ve been very proactive at working with hundreds of electric utilities, preparing them with intelligence and defensive recommendations to best defend the U.S. electric grid against an attack from an adversary of this caliber."
Dragos reported last year that Xenotime had expanded the scope of its malicious operations to include U.S. targets, although the firm did not specify which sectors came into the hackers’ crosshairs.
Today, the company issued a blog post detailing Xenotime’s activity dating back to 2017. After hackers "successfully compromised several oil and gas environments," Xenotime has demonstrated "consistent, direct interest in electric utility operations" spanning North America to the Asia-Pacific region, Dragos said, citing work with unidentified clients. Dragos added that Xenotime remains interested in oil and gas targets, calling the group’s foray into a new industry "emblematic of an increasingly hostile industrial threat landscape."
While there’s not evidence "at this time" that Xenotime is capable of executing a prolonged attack on utility operations, the hackers’ latest efforts are "cause for definite concern," the Dragos post said.
FireEye Inc., which responded to the 2017 Triton infection at the Petro Rabigh petrochemical plant in Saudi Arabia, warned earlier this year that the same hackers had claimed at least one new "critical infrastructure" victim (Energywire, April 10). FireEye’s report did not clarify whether the latest target saw its safety systems taken offline with Triton malware, which was tailor-made to override the Tricon line of Schneider Electric SE emergency shutdown equipment.
By disabling Tricon systems, the Xenotime hackers cut away a vital safety net from the Petro Rabigh complex, exposing workers there to potential explosions or chemical poisoning if the plant drifted outside normal operating conditions.
U.S. electric utilities have many of the same Schneider Electric safety devices installed at generating plants and some large electric substations, although the Tricon line is more commonly found in the oil, gas and chemicals industries.
The power sector isn’t taking chances, and NERC is pushing to divert more resources into the fight against hackers.
The nonprofit grid overseer is seeking millions of dollars in new funding for its Electricity Information Sharing and Analysis Center (E-ISAC), a hub for getting the word out about the latest threats and weaknesses in the grid.
NERC’s draft 2020 budget would set aside nearly $31 million for the E-ISAC — a 13% increase from this year — even as it trims spending outside the center.
The boost is part of a long-term strategy to upgrade the E-ISAC into a "world-class intelligence" nerve center for the power sector, according to NERC budget documents.
‘They might not be hiding anything’
The NERC report on Xenotime occurred in the same week that Larry Bugh, chief security officer at ReliabilityFirst Corp., shared an eye-catching statistic at a grid reliability meeting in Pittsburgh: U.S. utilities haven’t suffered a single cyber incident since at least 2015.
The day before Bugh’s March 6 presentation, an unnamed electric utility in the western U.S. reported a cyber event that disrupted grid operations spanning Utah, Wyoming and California. The case — separate from the Xenotime alert — didn’t cause blackouts, and sources later said it was likely an automated denial-of-service attack with a simple fix.
Bugh, as chairman of the Security Metrics Working Group at NERC, is looking to answer basic questions about the U.S. grid’s vulnerability to such threats, be they basic DOS attacks or more sophisticated attempted intrusions like those from Xenotime.
At another meeting of NERC’s Critical Infrastructure Protection Committee in Orlando, Fla., last week, participants pointed out that the power sector still lacks a comprehensive picture of its cyberdefenses.
Officials are still hoping to settle fundamental questions vexing Bugh’s team: How often do physical and cybersecurity incidents strike? How many actually interrupt electricity service? Are gaps in utilities’ digital defenses growing wider?
"My guess is that NERC and E-ISAC don’t have the answers in hand," said Rebecca Slayton, an associate professor at Cornell University who has studied NERC’s security strategies in the past. "The other question is, do the utilities even know? They might not be hiding anything and just don’t know what’s going on in their networks."
NERC, as the federally designated Electric Reliability Organization, sets and enforces physical and cybersecurity rules for large utilities to follow. It has already handed down record-breaking penalties this year for security violations at several major power companies as new critical infrastructure protection standards take effect (Energywire, June 3).
Officials at the E-ISAC, meanwhile, are betting that additional outreach and round-the-clock staffing can entice utilities into sharing more data on cyberthreats barraging their systems. The E-ISAC pledges to keep information fed through its private portal well away from auditors at NERC’s regional divisions or the Federal Energy Regulatory Commission, which has final say on any fines.
The dual approach has had NERC firing on all grid security cylinders in recent months — ramping up cybersecurity penalties while staffing up the E-ISAC.
NERC is also pursuing ways to extend its view beyond the bulk power grid through the "Neighborhood Keeper" project with Dragos.
That research and development effort, partly funded through the Department of Energy, would offer small power companies the chance to install Dragos’ cyberdefense products in exchange for an anonymized stream of data from their systems. Smaller distribution utilities fall outside NERC’s purview and don’t typically need to share any details on hacking incidents (Energywire, Oct. 2, 2018).
"We are excited about the Neighborhood Keeper prospects, but it’s too early to have a good sense of the actual insights," NERC spokeswoman Kimberly Mielcarek said in an emailed statement.
Near hits and misses
NERC is also widening the scope of cybersecurity data it collects from utilities that fall subject to its authority.
After many years of radio silence from big utilities, FERC recently ordered NERC to make changes, concluding that "the current reporting threshold may understate the true scope of cyber-related threats facing the Bulk-Power System" (Energywire, July 20, 2018).
Even as grid specialists in the halls of FERC and NERC’s headquarters in Atlanta seek cybersecurity information, intelligence officials claim to have a handle on the extent of the danger.
Dan Coats, the U.S. director of national intelligence, said earlier this year that "Russia has the ability to execute cyber attacks in the United States that generate localized, temporary disruptive effects on critical infrastructure — such as disrupting an electrical distribution network for at least a few hours."
He cited a pair of cyberattacks on Ukraine’s power grid, in 2015 and again in 2016, that each left hundreds of thousands of Ukrainians in the dark for several hours midwinter.
No similarly destructive grid cyberattacks have been seen before or since.
But last month, Chris Inglis, former deputy director of the National Security Agency, said Russian hackers are "managing 200,000 implants in U.S. critical infrastructure" — a claim that turned heads at last week’s grid reliability meeting in Orlando (Energywire, May 22).
"If this is real, why hasn’t there been a directive to do something about it?" noted Bryan Owen, cybersecurity manager at technology vendor OSIsoft, who attended the Critical Infrastructure Protection Committee meeting.
Owen said that utilities’ efforts to gather data on the cyberthreat "still feel modest" when compared with available metrics for safety incidents. He suggested expanding the scope of metrics to account for cyber "near misses" — not unlike the March 5 incident that didn’t actually lead to a blackout.
"Ideally, we would be proactive enough that we don’t have to have a lot of outages to improve," he said.