A cyberwar campaign by Russia-linked hackers to break into U.S. energy, manufacturing and aviation firms, while causing no reported damage, highlights U.S. officials’ fears of disruption ahead of the November midterm elections.
Department of Homeland Security officials say the hacking campaign targeted hundreds of companies across various critical infrastructure sectors, including electric power utilities and nuclear plants, over the past two years.
"As a whole, the U.S. targets were focused in the energy sector, and we saw it across power generation, transmission and distribution," Jonathan Homer, chief of the industrial control systems group at DHS’s Hunt and Incident Response Team, said at a July 23 web briefing.
Of hundreds of organizations hit by the Russia-linked hackers, he said "quite a few" were actually compromised, and in at least one case the attackers were able to get access to the controls behind a small power generator.
"They got to the point that they could turn the switches, but they didn’t," he said (Energywire, July 24).
Cybersecurity experts have tied the grid-focused hacking campaign to the same Russian intelligence group — nicknamed "Fancy Bear" — accused of meddling in the 2016 U.S. presidential election by hacking Democratic Party computers.
The spies’ apparent interest in the power grid has driven efforts by the Trump administration to review not just election systems’ cyberdefenses, but the defenses of the grid networks needed to keep the lights on at voting booths and process electronic ballots.
"Cyber operations could seek to undermine the integrity or availability of election-related data," warned members of a Justice Department Cyber-Digital Task Force in a report issued earlier this month. "For example, adversaries could employ cyber-enabled or other means to target election-associated infrastructure, such as voter registration databases and voting machines, or to target the power grid or other critical infrastructure in order to impair an election."
What once seemed a far-fetched threat to election systems has taken on new urgency as suspected Russian hackers show sustained interest in interfering with U.S. computer systems.
Last week, Sen. Claire McCaskill (D-Mo.), considered an electorally vulnerable incumbent in the upcoming midterm elections, confirmed that one of her staffers was targeted by a "phishing" email linked to Russia’s Main Intelligence Directorate. The attempted intrusion was first reported by The Daily Beast.
"Russia continues to engage in cyber warfare against our democracy," McCaskill said in a statement Thursday. "I will continue to speak out and press to hold them accountable. While this attack was not successful, it is outrageous that they think they can get away with this."
Russian officials, including the country’s president, Vladimir Putin, have repeatedly denied U.S. intelligence agencies’ findings that they’ve directed cyberattacks on U.S. targets, from state election systems to the power grid.
President Trump has at times backed Putin’s assertions that Russia did not meddle in the 2016 federal elections, only to roll back his comments and side with U.S. intelligence agencies later. Trump warned recently on Twitter that he expects Russia to attempt to have an impact during this election cycle — to tip the scales toward Democrats.
"I’m very concerned that Russia will be fighting very hard to have an impact on the upcoming Election," he said. "Based on the fact that no President has been tougher on Russia than me, they will be pushing very hard for the Democrats. They definitely don’t want Trump!"
Security questions get an airing today
Whether Russian hackers attempt to infiltrate election systems or associated grid networks, even a single successful cyberattack on one of the 16 federally designated "critical infrastructure" sectors would trigger a tsunami of debate about the status of U.S. cyberdefenses.
A successful cyberattack on a local electric utility or gas pipeline that caused even a limited blackout would spur demands for new policies and more answers to the cybersecurity questions that have largely gone unanswered in unclassified forums.
Many of those questions will come to the fore during a DHS conference in New York City today, set to include senior homeland security officials, Energy Secretary Rick Perry, and several natural gas and utility CEOs. The event will feature a nonpublic panel discussion on "protecting national critical functions," among other topics.
"The Department of Energy, Department of Homeland Security and national labs have been working this challenge with utilities for nearly two decades," Andrew Bochman, senior cyber and energy strategist for the Energy Department’s Idaho National Laboratory, told E&E News. "So we would characterize this event [the Russian campaign] more as a gradual step in the evolution of the threat versus a distinct or disturbing inflection point."
But, Bochman added, there is no reason for complacency or comfort about the threat.
"It is well-known that a persistent, well-funded adversary will get in, and there are several of these," he said. "The attackers are certainly improving, but the good news is that the defenders are, too."
Bochman said DOE’s new Cybersecurity, Energy Security, Emergency Response (CESER) office is part of the federal effort to improve the speed and quality of government and industry collaboration on fast-moving threats. "While we cannot protect everything, by teaming more closely we can better protect the most important electric sector elements, as well as the grid as a whole," he said.
The Federal Energy Regulatory Commission has also moved to shore up security standards for the utility industry’s supply chain of software and hardware components, through requirements set by the North American Electric Reliability Corp., which oversees the nation’s bulk power system.
But FERC and NERC rules only apply to large power utilities, leaving out smaller companies known to have come under scrutiny from Russian hackers.
"We responded to organizations that were just a couple dozen employees; we responded to a very, very large organization that covers a significant portion of the United States," Homer said during yesterday’s briefing. "The size of the organization was not a determinate factor in whether they were targeted or not, in whether the threat actor wanted to get into those networks."
In one of the few confirmed instances of a cyber-enabled power outage globally, Russian hackers wrenched control of operational networks from three Ukrainian distribution utilities in 2015. The resulting blackout lasted only a few hours, but the playbook the attackers used — first "phishing" targets’ corporate networks, then moving laterally into the control environment — appears to have been replicated in the U.S.-focused campaign.
Tom Alrich, a cybersecurity consultant who closely follows FERC’s cyber regulation program, said it’s not clear whether the federal rules on supply chain vulnerabilities can be effective, or whether U.S. regulators will ever write rules specifically covering "phishing" threats.
In an interview, Alrich said the Russian campaign exposes challenges to the federal cyber regulation of the high-voltage networks. To break into power utilities, the Russian hackers sought out the weakest link by targeting vendors that supply and maintain critical utility equipment or controls, rather than the utilities themselves.
Still, he said in a blog post that the recently disclosed hacking activity hasn’t shown Russian hackers making "significant headway."
"While the utilities need to step up their efforts even further — and they are doing so — there is no need for Americans to lose sleep worrying whether a major cyber attack will bring down the U.S. power grid," Alrich said. "It isn’t going to happen."
DHS officials have similarly offered assurances that the integrity of the U.S. grid was never in danger during the most recent campaign.
Rick Driggers, DHS’s deputy assistant secretary for cybersecurity and communications, said yesterday that "DHS and the FBI found no evidence that the responsible actor — the Russian government — took any steps to threaten to shut down the electric grid.
"While hundreds of energy and non-energy companies were targeted, the incident where the Russian government gained access to the industrial control system involved a very small generation asset that would not have an impact on the larger grid if taken offline," he said.