NEW YORK — A wind power generator fell into Russia-linked hackers' crosshairs last year, but the attackers never managed to put the wider U.S. grid at risk, officials confirmed yesterday at a Department of Homeland Security cybersecurity conference here.
Tom Fanning, CEO of utility Southern Co., said the hackers' reach appears to have been "very limited" — perhaps just "one or two wind turbines" at an undisclosed power company.
"Could Putin take down the grid today? I don't think so," Fanning told reporters on the sidelines of the DHS National Cybersecurity Summit in New York. "Is [cybersecurity] something that's urgent and that we're paying attention to? Absolutely."
The 2017 hacking campaign set off alarm bells last summer for its apparent focus on nuclear power plants and electric utilities, among other vital American companies.
This March, DHS and the FBI linked the series of intrusions to the Russian government. The agencies shared a redacted image of a power generation system the foreign spies had managed to compromise.
Last week, the agency kicked off a series of briefings aimed at spreading the word about the hackers' techniques.
"They got to the point that they could turn the switches, but they didn't," said Jonathan Homer, chief of the industrial control systems group at DHS's Hunt and Incident Response Team, during the first briefing on July 23. The last of four unclassified webinars is scheduled for today at 1 p.m.
Homer's stark warnings that the hackers had targeted companies across the U.S. generation, transmission and distribution grid turned heads in the cybersecurity community, prompting DHS officials to offer additional details about the secretive campaign.
"In the initial webinar, I think there was some context that was lacking," said Christopher Krebs, undersecretary for DHS's National Protection and Programs Directorate, the main federal office tasked with helping critical infrastructure operators fend off hackers. "That was a very targeted threat at the electricity subsector; for the most part, the defenses across the system worked."
Krebs noted that the hackers managed to reach the controls at "a renewable source of energy that would not disrupt the grid." The Russian government has denied involvement.
While DHS alerts have cast the threat as "ongoing," Jeanette Manfra, assistant secretary for cybersecurity and communications at the agency, pointed out that her office has not received word of any additional compromises since the briefings began late last month.
"It's solely about taking what we saw happen last year and helping people understand," she said of the outreach effort. "It's not indicative of another significant threat or anything like that."
CRISP kicks in
DHS officials unveiled a new National Risk Management Center yesterday aimed at getting the word out about future threats to the energy, telecommunications and financial sectors (see related story).
The center builds on information sharing and analysis efforts at other agencies, including the Department of Energy, which runs the Cybersecurity Risk Information Sharing Program in conjunction with the private sector.
Energy Secretary Rick Perry said yesterday that his agency is aiming this year to double the number of electric utilities participating in the CRISP program, which sets monitoring devices on the edge of utilities' networks to amass reams of operational data. Analysts can later comb through the information for strange behavior that could precede a cyberattack.
"It was due to that close collaboration that we were able to identify a very dramatic event last year — that Russian intrusion into our energy systems," Perry said.
Had CRISP not been in place, Perry continued, the threat likely wouldn't have been discovered, "to great detriment."
Fanning, who serves as one of the power sector's primary liaisons with the federal government as co-chair of the Electricity Subsector Coordinating Council, estimated that 80 percent of U.S. electricity consumers are covered by utilities that have already joined the CRISP program.
He welcomed DHS and DOE's efforts to bring other critical infrastructure leaders around the table with power providers at the new National Risk Management Center.
He said recent cross-sector cybersecurity exercises have highlighted the need to work closely with other critical infrastructure areas, including financial and telecommunications firms.
"One of the things that we learn very quickly [in exercises] is that as resilient as we think we may be, the points of vulnerability are always our points of intersection," Fanning said.