Last summer, Canadian intelligence officials warned power companies about a menacing cyberthreat to the grid — more than two weeks ahead of their U.S. counterparts.
Hackers had hijacked energy-related websites and were emailing fake resumes to slip past the defenses of electric utilities across North America.
The June 10 bulletin prompted Canadian companies to play cyber defense, blocking employee access to compromised websites while keeping a wary eye out for documents from a fictitious control systems engineer named "Jon Patrick."
Meanwhile, many of their U.S. peers were left in the dark about the hacking campaign for another 17 days, until a series of nonpublic alerts from the North American Electric Reliability Corp., the Department of Homeland Security and the FBI on June 28.
Experts say the lag time could have allowed the hackers, who were later linked to Russian intelligence services, to claim additional victims in the U.S. power sector. The malicious activity dates back to at least 2016, and in at least one case, attackers were able to reach the control system of a U.S. power generator, according to DHS officials.
"The threat actor had a level of access to be able to cause change, to be able to cause impact to the physical elements of this control system," Jonathan Homer, chief of the industrial control systems group at DHS's Hunt and Incident Response Team, said during a webinar Monday, the first in a series of DHS briefings aimed at heading off ongoing attempts to compromise U.S. infrastructure (Energywire, July 24). "They got to the point that they could turn the switches, but they didn't."
On May 30 last year, an employee at a South Dakota-based energy company opened a malicious attachment after receiving a "Jon Patrick"-themed phishing email, based on a nonpublic alert issued last summer and obtained by E&E News. The organization was one of the first confirmed targets of a multifaceted campaign that also took aim at nuclear power plant operators and aviation and manufacturing companies, among others.
On May 31, a member of NERC, the Electricity Information Sharing and Analysis Center (E-ISAC), reported receiving phishing emails tied to the malicious campaign, according to another alert marked "For Official Use Only."
The hacking blitz had begun. Thirty more days would pass before NERC would publish a detailed document warning of an "Advanced Persistent Threat Actor Targeting Electric Industry and Other Critical Sectors."
"In this particular [threat], the speed with which the information got to owners and operators made a huge difference," said Francis Bradley, chief operating officer of the Canadian Electricity Association, citing the "complexity" of the campaign.
He said he was surprised to encounter E-ISAC's initial warning more than two weeks after Canadian officials got the word out.
"My first though was, 'Oh! Another one,' until we looked at the [indicators of compromise]," he said. "We were not aware that the information was not being shared directly with owner-operators in the U.S."
In a statement, NERC spokeswoman Kimberly Mielcarek said that the grid overseer is "working with our Canadian partners to work through limitations that currently prevent them from sharing some information with the E-ISAC."
She added that E-ISAC is in the first year of a long-term strategy to hone its capabilities and will continue to work with various groups to "more rapidly share cyber and physical security information to help defend the North American grid."
Grid authorities at NERC have proposed boosting funds for information sharing by more than 25 percent next year, to $27.4 million. E-ISAC plans to add round-the-clock staffing to analyze cyberthreats and more quickly spread the word about future hacking campaigns (Energywire, June 6).
Industry sources say E-ISAC has encountered growing pains on its path to greater relevance. Last year, NERC's chief security officer, Marcus Sachs, stepped down from the organization suddenly, amid questions about the future direction of the sharing hub, sources say (Energywire, Nov. 28, 2017).
Earlier this week, regulators at the Federal Energy Regulatory Commission directed NERC to draft new cybersecurity reporting requirements for large electric utilities, citing concerns that the current trickle of information understates the potential scope of the cyberthreat to the grid.
"They call it 'information sharing' for a reason. Sharing is voluntary," noted Patrick Miller, managing partner for Archer Energy Solutions. "What E-ISAC and the current [critical infrastructure protection] regulations do isn't sharing. It's required reporting. There's big difference."
Miller has advocated for severing any ties between E-ISAC and regulators at NERC, enabling the utility industry to report cybersecurity breaches or attempted intrusions to a third party unaffiliated with enforceable security rules. For years, the aviation sector has followed this approach, reporting safety incidents and near-misses through a confidential portal at NASA rather than the Federal Aviation Administration.
"E-ISAC is incredibly slow," Miller said. "The main reason no one reports to E-ISAC is they don't see any real value in it. If they got more out of it, they'd report more of the 'voluntary' data."
U.S. utilities and industry groups have generally supported NERC's long-term strategy for E-ISAC.
But Canadian power system operators, which pay to support NERC's activities but do not always use its Washington, D.C.-based ISAC, have filed complaints about the center's effectiveness.
Ontario's Independent Electricity System Operator cried foul over NERC's proposed 2019 budget in recent comments, saying that "the E-ISAC has not provided vital cybersecurity event information in a timely enough manner to effectively mitigate threats to the reliability of Ontario's electricity system."
"For example, Canadian entities learned in 2017 of a threat targeting the North American energy sector through the Canadian Cyber Incident [Response] Centre 17 days before US entities were notified through the E-ISAC," the Canadian grid operator said.
Canada's CCIRC declined comment on the case, noting that "the department does not comment on whether reports have been received on specific incidents, details of reports that are received, nor does it comment on specific threat actors."
Delays at E-ISAC can stem from a lengthy NERC oversight and review process, sources say. But the response to new cyberthreats can vary based on circumstances outside the grid monitor's control.
"Seventeen days — really, that's pretty good," said one industry source who requested anonymity to speak candidly about E-ISAC. "There's a lot of structure in place for NERC alerts. They could have known about [the threat] in classified settings for quite a while, and until it became public, there wasn't a whole lot that could be done."
Classification issues may have played a role in the run-up to last year's alerts about Russian hacking activity. The hackers targeted the U.S. nuclear power industry with a string of phishing emails and compromised "watering hole" sites. Though they aren't known to have succeeded in breaching any operational systems, the effort earned the campaign the secret nickname "Nuclear 17."
E&E News first reported the existence of that threat on June 27 — one day before NERC, DHS and the FBI first issued unclassified warnings to industry (Energywire, June 27).
E-ISAC and various government agencies followed up that reporting with additional context, technical indicators and, as of this March, attribution to Russian intelligence agencies (Energywire, March 16). Russian President Vladimir Putin has denied directing any cyber meddling in U.S. infrastructure networks.
Cybersecurity experts say the campaign has largely scaled back its activity in 2018, though DHS has continued to warn organizations.
"Given the concern we had around this activity, [we thought] that it was important to raise awareness more broadly, so that others could defend against this," Jeanette Manfra, DHS assistant secretary for cybersecurity and communications, said yesterday.
The attackers' interest in control systems that underpin the power grid set off alarm bells among DHS officials and grid security specialists. The allegedly Russia-backed hackers used publicly available tools, like Mimikatz, to circumvent security measures on Windows computers.
Researchers say the campaign also relied on a "clever" technique to steal usernames and passwords, by luring computers into attempting to authenticate a connection to an attacker-controlled server, giving up a garbled version of victims' credentials in the process. That "hashed" login info could later be decoded with enough computing power or even used in its scrambled form to crack into certain networks.
For all their craftiness, the hackers never made the leap from spying to sabotage, according to U.S. officials.
"In this case, the Russians were not able to achieve any significant goals in terms of disrupting infrastructure," Manfra said. "While they were in a position to be able to manipulate some systems, this wasn't a broader threat to our entire electric grid."