This Tuesday morning, computer networks at FirstEnergy Corp. came under attack.
A "denial of service" strike was threatening to flood the energy giant's network with online requests, according to Bennett Gaines, the Ohio-based company's chief information officer and senior vice president for corporate services.
FirstEnergy's firewalls shut out the malicious traffic, Gaines said at a House hearing on cybersecurity for power systems yesterday. Within an hour, technical data about the threat had reached the industry-led Electricity Information Sharing and Analysis Center to be passed along to other utilities.
Data on the attack had also been shared with the U.S. government. But Gaines wasn't holding his breath for it to get out to those who could use it to block certain Internet Protocol addresses or take other defensive actions.
"Twenty-four hours later, I still don't have a response back from the government," he told the House Science Subcommittee on Energy and the Subcommittee on Research and Technology yesterday. "There's a good example of the timeliness of information -- if we could share that information in real time within the industry, think about the potential of being able to collaborate very quickly and take action."
As it stood, Gaines said the hacker or hackers had likely already packed in their servers and "moved on" after seeing their efforts rebuffed.
"I'd venture to say that same actor was scanning other networks, and that same [distributed denial of service] attack was being attempted" on other companies, Gaines said.
The example highlights a pressing problem for the utility industry and other operators of U.S. critical infrastructure: How can firms pass on key cybersecurity information to competitors without running afoul of antitrust laws, violating customer privacy, or inviting legal or regulatory pushback?
The Cybersecurity Information Sharing Act of 2015 (CISA), introduced by Sen. Richard Burr (R-N.C.) this spring and brought up for debate on the Senate floor Tuesday, is aimed at smoothing out these problems with liability protection and other measures (EnergyWire, Oct. 21). Critics warn that the bill fails to protect privacy and civil liberties, but CISA has won support from FirstEnergy and many others in the electricity industry.
In a recent letter to Senate leadership, several leading utility groups including the Edison Electric Institute and the American Public Power Association came out in favor of CISA, arguing it would "enhance" the work of existing industry sharing services.
"While the electric sector already engages in significant information sharing activities and has in place mandatory and enforceable reliability and cybersecurity standards, there remains an urgent need for the government and industry to better share actionable security information in a timely and confidential manner," the groups wrote in their Aug. 3 letter.
Utilities hoping to share data on cyberthreats with the government are encouraged to work through the Department of Homeland Security, the lead agency for critical infrastructure protection in the United States. DHS-developed information sharing platforms have trickled out to the private sector to boost speed and efficiency, with mixed results (EnergyWire, April 21).
A DHS spokesperson did not immediately respond to a request for comment yesterday afternoon. Agency officials have previously called attention to the importance of automated or near-real-time threat information sharing. "We now share cyber threat indicators at machine speed with a pilot group of participants, subject to appropriate privacy guidelines, and expect to begin sharing with and receiving from additional agencies and companies by this fall," said Deputy Homeland Security Secretary Alejandro Mayorkas in a July 31 letter to Sen. Al Franken (D-Minn.).
In the letter, Mayorkas, writing on behalf of DHS Secretary Jeh Johnson, also voiced some reservations about CISA.
"Permitting sharing directly with law enforcement and intelligence entities will be of significant concern to the privacy and civil liberties communities," Mayorkas noted, adding that DHS prefers all private-sector cyberthreat information to flow through the agency's own National Cybersecurity & Communications Integration Center (NCCIC).
Some of CISA's proponents worry that funneling all data through DHS and forcing NCCIC to "scrub" out personally identifiable information could needlessly slow down threat information sharing. The fate of the bill -- and its nearly two dozen amendments -- could be settled by a vote as early as next week.
As for the indicators tied to Tuesday's failed cyberattack on FirstEnergy? They'll get out eventually, Gaines said.
"To the extent that threat I reported gets communicated, it does get communicated," he said, but "most likely a few months from now, it'll be watered down, and the real sad part of it is, it [won't] have the level of detail to take any action on it."