San Antonio’s CPS Energy guards against 94,000 attempted cyberattacks per day
CPS Energy withstands roughly 94,000 attempted cyberattacks a day as hackers in China, Russia and elsewhere scour its network for weaknesses to try to infiltrate the city-owned utility and disrupt power supplies in Texas.
“We can’t take this lightly, and we are not arrogant about this, our protection level,” Fred Bonewell, CPS’ chief safety and security officer, said at the utility’s headquarters Monday. “We thwart the vast majority of those. And those that have gotten through, which are very few, we have been able to quarantine and isolate so that it does not impact our systems.”
The utility is taking every precaution, Bonewell said, and cybercriminals have had little luck actually getting into the system. Since 2015, three hackers were able to infiltrate CPS’ network, and all were quickly quarantined and removed from the system, he said.
The utility has bolstered its IT team over the past 18 months with specialists from the National Security Agency and Secret Service to help head off attacks and identify vulnerabilities. Officials with the Department of Homeland Security, in town for a site visit this week, regularly test and review CPS’ computer and security systems.
The Department of Energy warned in January that new technology such as the more than 500,000 smart meters CPS has installed across the city over the past few years is an attractive target for hackers and can be used to “cut-off communication, cause physical damage, or more, and disconnect large numbers of customers to disrupt the grid.”
A June 27 cyberattack called NotPetya hit organizations around the world, including freight shipper Maersk and the Chernobyl nuclear power plant, which had to switch to manual radiation monitoring.
Opening the door to a cyberattack often comes down to a single click of the mouse. Hackers commonly gain entry by sending an organization’s employees an email that carries an infected attachment, or that impersonates a colleague or vendor and asks for login credentials. Known as a spear phishing attack, it can hand hackers the credentials they need to access a system directly, or it can deliver malware that then spreads through the network from the inside.
“If you send it to 1,000 people and only one person clicks, that’s all you need to get that initial toehold in,” Mark Bristol, deputy division director for the Hunt and Incident Response Team at the National Cybersecurity and Communications Integration Center, said by phone. “Hackers can count on that one click.”
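The two spear-phishing patterns described above, an infected attachment and a credential request from an impersonated sender, are the kind of thing a mail gateway can triage before the message reaches the one employee who will click. The script below is an added example written for this page; it is not code from CPS Energy, DHS or the article. The directory of names, the internal domain `example.com`, the lookalike sender `examp1e.com` and both sample messages are constructed for illustration.

```python
"""Added example: gateway-style triage of an inbound email for the spear-phishing
signs discussed in the article. All names, domains and messages are constructed."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical staff directory: display name -> domain that person really sends from.
DIRECTORY = {"pat jordan": "example.com"}
INTERNAL_DOMAIN = "example.com"  # hypothetical

# Attachment types that run code or carry macros (common malware carriers).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}
# Phrases that typify a credential-harvesting lure.
CREDENTIAL_PHRASES = ("verify your password", "confirm your credentials", "reset your password")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: bytes) -> list:
    """Parse one RFC 5322 message and return a list of human-readable findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Display-name impersonation: a known colleague's name on a foreign domain.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    expected = DIRECTORY.get(name.strip().lower())
    if expected and domain != expected:
        findings.append(f"display-name impersonation: '{name}' sent from {domain}, expected {expected}")

    # 2. Lookalike sender domain (one or two edits away from the real one).
    if domain != INTERNAL_DOMAIN and 0 < levenshtein(domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain: {domain}")

    # 3. Reply-To pointing somewhere other than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append(f"reply-to domain differs from sender: {reply}")

    # 4. Executable or macro-enabled attachments.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        ext = "." + fname.rpartition(".")[2] if "." in fname else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"executable or macro-enabled attachment: {fname}")

    # 5. Credential request combined with a link to follow.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    if any(p in text for p in CREDENTIAL_PHRASES) and "http" in text:
        findings.append("credential request with link in body")

    return findings


def build(from_hdr: str, subject: str, body: str, attachment=None) -> bytes:
    """Helper to construct sample messages as raw bytes, as a gateway would receive them."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "staff@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        fname, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return m.as_bytes()


# Constructed samples: one spear-phish using both lures, one ordinary internal note.
PHISH = build(
    "Pat Jordan <pat.jordan@examp1e.com>",
    "Urgent: verify your VPN access",
    "Please verify your password at http://examp1e.com/sso before 5pm.\n",
    attachment=("VPN_Reset_Form.docm", b"constructed placeholder bytes, not a real document"),
)
BENIGN = build("Pat Jordan <pat.jordan@example.com>", "Lunch", "Room 4 at noon.\n")

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, triage(raw))
```

Each check is deliberately cheap and independent, so a message can be quarantined or flagged for a human when several fire together; a real deployment would add SPF/DKIM/DMARC results and attachment detonation, which this example leaves out.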
That one click likely opened at least the first of the two cyberattacks on Ukraine’s power grid, in 2015 and again in 2016. In the 2015 attack, hackers who had worked their way into a control system switched off dozens of substations and knocked out power to hundreds of thousands of customers.
In 2016 a more sophisticated and modular malware, dubbed “CRASHOVERRIDE” by Washington, D.C.-based cybersecurity firm Dragos Inc., took out power to a portion of Kiev, Ukraine’s capital. In a report on the incident, Dragos described CRASHOVERRIDE as “the first ever malware framework designed and deployed to attack electric grids.”
Dragos senior threat hunter Dan Gunter, who’s based in the company’s satellite office in San Antonio, said the two Ukraine attacks “belong to the same family of actors” but said between the 2015 and 2016 attacks “there was a big jump.”
“In 2015 a lot of it was human-driven, so it was human intensive, and in 2016 they actually put down a little more technology that potentially allowed them to automate it a bit more and get the human a little farther out of the loop,” he said.
Rather than having someone sitting at a computer remotely typing in commands and moving a mouse, as was likely done in 2015, CRASHOVERRIDE was able to act more autonomously and wreak havoc on its own when it hit Ukraine’s power grid in 2016.