O&M

DHS Warning: Russians Probing Deeper into U.S. Power Grid

Russian hackers infiltrated the networks of U.S. electric utilities last year, using conventional phishing techniques and other methods to brush past the companies’ cyber defenses, according to a Wall Street Journal report this week.

The WSJ, citing officials from the U.S. Department of Homeland Security, indicated that hundreds of breaches occurred which could have led to blackouts and other interruptions of the nation’s power grid. No major events shut down utilities, but the move could simply be a probing mission to a larger attack by state-sponsored Russian hacking groups such as Dragonfly or Energetic Bear.

President Trump initially discounted claims that Russia’s government tried to interfere in the 2016 elections—although he later recanted those comments upon returning to the U.S.—but DHS officials apparently confirmed to the WSJ that the hackers gained credentials and access to utility networks. And the effort, experts say, is unrelenting.

Robert Lee, CEO of industrial cyberthreat firm Dragos, applauded Homeland Security for amplifying the threats and intrusions that many companies have experienced and acknowledged earlier. At the same time, Lee hoped that the new reports placed focus and fear in the wrong places.

“This relates to activity already previously communicated to the electric community but highlighting ongoing risk is important,” Lee said. “However, the messaging in the WSJ article around ‘throwing switches’ and causing ‘blackouts’ is misleading on the impact of the targeting that took place.”

In other words, that might just be the beginning.

“What was observed was incredibly concerning but images of imminent blackouts are not representative of what happened,” he said, adding that the probes were “more akin to reconnaissance into sensitive networks.”

Drago’s Lee said the intrusions that occurred into the power utilities were not designed or positioned to cause blackouts.

“The adversary is learning for future attacks but we have no indication of what and when will occur,” he replied. “It’s still a difficult path for the adversary …(but) it’s not as if there are no challenges left for them.”

Earlier this month, the U.S. Treasury Department sanctioned five Russian companies and three individuals for “malign and destabilizing” cyberattacks on the grid. Those include last year’s NotPetya intrusion.

The cyberattack principal actors also provided materials and technological support to Russa’s domestic intelligence agency, the Federal Security Services (FSB). Those companies included Digital Security, ERPScan, Embedi, Kyant Scientific Research Institute and Divetechnoservices.

Four months before the Treasury action, the Department of Homeland Security reported that Russian hackers secured access to critical control systems to U.S. nuclear plants. Nuclear energy accounts for about 20 percent of the U.S. power generation mix.

Some cyber industry experts believe the Russian hackers have deployed bugs lurking within the control technology of the plants which could allow them to manipulate the power system.  The U.S. grid has yet to suffer a major outage due to cyberattack, but that could change as viral capabilities worse than Win32/Industroyer, BlackEnergy and others are developed as malicious tools.

Utility cybersecurity, whether at the power plant or in the transmission and distribution grid, will be key tracks both at the POWER-GEN and DistribuTECH conferences. Power Engineering, POWER-GEN and DistribuTECH are all owned by Clarion Events.