Following Ukraine's unprecedented cyberattack in December, EnergyWire launched an investigation into the attack and the security gaps that exist across the U.S. power grid. On today's The Cutting Edge, EnergyWire reporter Blake Sobczak gives background on the Ukraine attack and discusses the vulnerabilities it exposed in the United States' own grid security.
Monica Trauzzi: Welcome to The Cutting Edge. Following Ukraine's unprecedented cyberattack in December, EnergyWire launched an investigation into the attack as well as security gaps across the U.S. power grid, and joining me today is EnergyWire reporter Blake Sobczak to talk about this investigative series. Blake, thank you for coming on the show.
Blake Sobczak: Thanks for having me.
Monica Trauzzi: Blake, this four-part series that you've reported on with our colleague Pete Behr is quite eye-opening. Let's backtrack to December when the attack on Ukraine's grid occurred. What do we know now about the days leading up to that attack?
Blake Sobczak: So the day before the attack on December 22nd, both Ukraine and Russia were actually celebrating their Energy Day, which was a chance to celebrate the work of the line workers and the utility employees who keep the lights on in these countries.
It was interesting because Russia's President Vladimir Putin singled out the work being done in Crimea, which if you turn the clock back a few years in 2014, Russia annexed. It's a move that hasn't been recognized by international parties, including the United States, and it's launched Ukraine and Russia into this war that's played out both in Crimea and in the eastern stretches of the country.
Now Ukraine has been accused of cutting power to parts of Crimea in the months leading up to this attack. So many experts see it as a way for Russia to signal to Ukraine that they're not going to put up with that anymore and that they'll show Western Ukraine that they can hit their power supplies.
Monica Trauzzi: The U.S. government is concerned about what the attack means for the U.S.'s grid security. What are the biggest security gaps that you've uncovered?
Blake Sobczak: So even though this played out across the Atlantic in Ukraine, the U.S. is looking at this and seeing this as the first time that remote hackers have taken down a power grid and parts of utilities' distribution networks. So that's led to some questions about how well U.S. utilities are prepared for this.
The answer to that is generally they're working hard to secure their networks to keep them isolated from the internet, but a lot more remains to be done. There are some gaps particularly for smaller utilities. We're now in an era where nation-states such as Russia, China, even the U.S. and other parts of the world are squaring off against small private companies and trying to infiltrate their networks and even cause physical damage as we saw in Ukraine.
So the question you have to ask yourself is if you're a small utility district somewhere in Kansas or somewhere in New York, not to pick on any one state, how well are you going to square up against some of the best hackers in the world that might have state backing.
Monica Trauzzi: So what's the Department of Homeland Security doing?
Blake Sobczak: So the Department of Homeland Security's primary role is that of messenger. They obviously have access to classified information from U.S. intelligence agencies. They can use that and distribute it to utilities or to private entities so that they can know which threats they have to counter and they have to prioritize.
Now in this particular case, the Department of Homeland Security was slow to the game. They didn't actually mention the specifics of the Ukraine attack for two months after it occurred. So it's drawn some criticism of the way that the Department of Homeland Security gets this classified, really important, sometimes technical information out of the government and into the hands who need it most, namely the private utilities and some of these state authorities.
Monica Trauzzi: So this sounds like such a sticky world to navigate. How are utilities responding? Are they prepared? Do they have access to the tools that they need in order to prepare properly?
Blake Sobczak: I think the utility industry as a whole has taken a practice-makes-perfect approach to cybersecurity. They've done a lot of huge exercises recently. Last year there was the GridEx exercise which drew together all the various federal agencies and state authorities with a hand in grid security to rehearse, OK, what would happen if the worst really did occur and if hackers went after the U.S. grid in a big way? That was combined with physical attacks and all sorts of terrible scenarios.
Now utilities can also shore up their networks from a technical standpoint. That was something that maybe took a little bit of time to do after the specific tactics and techniques from the Ukraine case made their way out to the utilities who needed them. So I think that's where some of the pointed criticism of DHS's role, the Department of Homeland Security's role, came in because the utilities who needed these technical indicators weren't necessarily getting them because they were classified as either secret or not yet ready to be distributed.
Monica Trauzzi: Talk a bit about the challenges that you and Pete encountered in reporting for this series.
Blake Sobczak: So whenever you're dealing with something like this which has international implications, obviously the U.S. and Russia aren't on the best of terms these days. There's an ongoing war with Ukraine and Russia. There are a lot of sensitivities and I think there's a lot of desire for secrecy on both sides of the Atlantic here.
The Ukrainians that we spoke to, some of them weren't really keen on rehashing this event that doesn't always cast their country in the best light. It really highlights some of the vulnerabilities that Ukraine's old, Soviet-era grid still has. That the hackers were able to disable it. So I think there was some reticence there.
Meanwhile on the U.S. side, you have U.S. agencies who want to protect this information in case that it gets into the wrong hands. So I think there's sometimes a desire to hold back potentially important information from the public or from utilities out of this fear that somehow the bad guys could use it to cause trouble on the U.S. grid. That's a balance that the U.S. government has to strike.
Of course there's also the worry that revealing too much about the sources or methods used to obtain certain information about an event like this grid attack could divulge some sort of U.S. government secrets that they'd rather not have out in the open.
Monica Trauzzi: This is a fantastic series and wonderful reporting by you and Pete. Thanks for coming on the show.
Blake Sobczak: Thank you very much.
Monica Trauzzi: More Cutting Edge coming next Friday. We'll see you then.
[End of Audio]