North American grid regulators share the U.S. government's misgivings about Moscow-based cybersecurity company Kaspersky Lab, according to a confidential alert sent to the power sector last year.
On Oct. 5, 2017, the North American Electric Reliability Corp. issued a rare "Level 2" cybersecurity recommendation — one of just three such warnings since 2013 — covering power utilities' potential use of Kaspersky anti-virus software, sources confirmed to E&E News. NERC is responsible for setting and enforcing security rules for the bulk U.S. power grid.
Bill Lawrence, NERC's vice president and chief security officer, said the regulator based its supply chain security alert on dialogue with the departments of Energy and Homeland Security and the Federal Energy Regulatory Commission, the independent federal agency that gets final say over grid security standards.
NERC declined to comment on the contents of the document, which is restricted from public disclosure under the "Traffic Light Protocol."
"The strong information sharing relationships that NERC has between industry and government allow for focused attention on emerging threats, and positively impact NERC's mission of reliability and security of the grid," Lawrence said in a statement.
Patrick Miller, managing partner at Archer Energy Solutions, said he suspects NERC posted the alert in response to a U.S. government order to steer clear of Kaspersky software. On Sept. 13, 2017, DHS issued a "Binding Operational Directive" barring use of Kaspersky products across federal government networks, citing concerns "about the ties between certain Kaspersky officials and Russian intelligence and other government agencies."
The DHS directive kicked off an ongoing debate about the security of Kaspersky products and whether the company's roots in Russia posed a special risk compared with suppliers from other countries that often clash with the U.S. government.
"It's interesting that it was only Kaspersky: Why just one country [Russia], when other countries and other products have also been labeled security issues?" Miller said. "And if we can't buy products that are sourced in conflict countries, what is that going to do to the cost of our infrastructure?"
Miller spoke earlier this month at a Kaspersky-sponsored control system security event in Sochi, Russia, that also featured former U.S. government officials, including the onetime head of DHS's top industrial control system protection unit.
For its part, Kaspersky has battled the directive and subsequent provisions barring use of its products in the fiscal 2018 defense reauthorization bill, even taking DHS to court. The company announced in May it would move key data centers to Switzerland to assuage fears about snooping from Russian intelligence agencies.
The company said in a statement yesterday that it was aiming to address the core concerns outlined in the DHS directive, "as the false assumptions that underpin those actions have led to the development of other similar recommendations, such as the NERC alert."
Kaspersky pointed out that its in-house Industrial Control Systems Cyber Emergency Response Team "devotes its efforts primarily to identifying potential and existing threats that target industrial automation systems and provides vulnerability information to vendors and organizations, such as the U.S. DHS."
NERC's warning was a striking market setback for Kaspersky, a company that as recently as 2016 advertised its ability to help U.S. electric utilities meet NERC's exacting Critical Infrastructure Protection cybersecurity standards.
"The company is poised to have another strong year due to its advanced endpoint products and innovative security solutions," Kaspersky said in an April 2016 statement. "Our new Kaspersky Industrial Cybersecurity solution includes the software products and security services (including security training, incident response, etc.) that help companies effectively cover organizational issues to comply with NERC CIP."
Kaspersky noted at the time that CIP standards do not provide specific technical requirements for cybersecurity software.
That holds true today, lest NERC be accused of suppressing competition. But the regulator's Oct. 5 recommendation, dispatched to companies spanning power generation, transmission and distribution, effectively dashed Kaspersky's ambitions in the U.S. grid, according to multiple sources in the control system community who spoke on condition of anonymity to discuss a sensitive topic.
The news outside Kaspersky's headquarters didn't help matters: Beginning in 2016, Russian intelligence agents ramped up a coordinated hacking campaign targeting U.S. Democratic political organizations ahead of the fall presidential election.
The following year, another Russia-linked hacking campaign put U.S. nuclear power plants, grid operators and other critical infrastructure systems in the crosshairs, sounding alarm bells at DHS and NERC (Energywire, June 27, 2017).
DHS has raised the prospect of Russian spy agencies applying pressure to Kaspersky at some point in the future.
"The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security," DHS said in its directive last September.
Rather than draft a risk mitigation plan and continue using Kaspersky, at least one large power company and an industrial automation firm turned away from the Moscow-based firm, sources say.
Miller said Kaspersky "is doing some really good things" in the industrial control system space, though he said he does not expect the company to make inroads in U.S. critical infrastructure in the near future. "The optics are too bad," he said.
Kaspersky's defenders have pointed to the vagueness of the U.S. government's warnings, which have failed to identify any specific vulnerability in Kaspersky products.
Several European government agencies and infrastructure operators continue to use Kaspersky, though authorities in the United Kingdom pledged last year to review their business with the company and urged agencies housing "secret" information to steer clear of Russia-based cybersecurity providers.
Kaspersky's core software products count on privileged access to customers' computers. Much like other anti-virus products, such as Windows Defender or Symantec Endpoint Protection, Kaspersky Anti-Virus scans files, flags anything suspicious and, on internet-connected computers, beacons back to Kaspersky servers both to upload newly identified malware samples and to download the latest signatures and software updates.
In perhaps the most concrete security breach tied to the Kaspersky brand, a National Security Agency employee using the software product on a home computer lost control of highly classified U.S. government hacking tools, The Wall Street Journal reported. Citing U.S. intelligence sources, the Journal reported that Russian cyber spies were able to exploit the Kaspersky connection to siphon off reams of secret data.
The NSA employee was later identified as Nghia Hoang Pho, a 68-year-old Maryland resident who started working for NSA's elite hacking unit, Tailored Access Operations, in 2006.
Pho, a U.S. citizen who was born in Vietnam, pleaded guilty last year to unlawfully keeping classified information at home over a five-year period starting in 2010. He was sentenced to 5 ½ years in prison Tuesday.
"Pho compromised some of our country's most closely held types of intelligence, and forced NSA to abandon important initiatives to protect itself and its operational capabilities, at great economic and operational cost," U.S. Attorney Robert Hur said in a statement.
Kaspersky addressed the episode head-on in a blog post last October, saying that the company has "never" helped cyber spies or military intelligence.
"It sounds like this contractor decided to work on a cyberweapon from home, and our antivirus detected it," Kaspersky said. "What a surprise!"