How long can the U.S. keep hackers at bay and the lights on?
WASHINGTON – After it came to light this summer that hackers had infiltrated the computer networks of two U.S. power companies – at a time the country was still reeling from Russian cyberattacks aimed at influencing the 2016 election – the possibility of hackers taking down the U.S. power grid and sending the nation into chaos suddenly seemed a very real possibility.
The companies pledged there was no danger. Senators called hearings and wrote letters to the White House demanding to know what it was doing about it.
But to the teams of cybersecurity analysts charged with protecting the world’s industries from a rapidly evolving deluge of malware, viruses and other tools of the hacker trade, it was just the latest in an escalating cyberwar against power grids and other critical infrastructure around the globe.
“The message that I’d like to communicate, intrusions, spear-phishing and other (hacking attacks),” said Mark Bristow, deputy division director of the Department of Homeland Security’s Hunt and Incident Response Team. “It happens every day.”
The foundation around which the U.S. economy runs, the power grid makes an intriguing target for hackers – whether it’s foreign governments, criminals looking for a big payday or hackers just seeing what mischief they can cause. And as attempts to infiltrate computer networks that control the grid and other industrial systems escalate, cybersecurity experts and some government officials are increasingly concerned that a large-scale, well-financed and coordinated cyberattack is coming, risking the sort of widespread blackouts that hit Ukraine in 2015 after hackers broke into the systems of three power plants.
With a refinery that could be vulnerable to hackers behind it, a ship navigates through Buffalo Bayou heading to the Houston Ship Channel earlier this year. Energy industry’s controls provide an alluring target for With a refinery that could be vulnerable to hackers behind it, a ship navigates through Buffalo Bayou heading to the Houston Ship Channel earlier this year. Hackers increase attacks on energy sector computers FILE – In this Thursday, March 20, 2014, file photo, Christopher David uses a Robocoin kiosk to sell bitcoins outside of the 500 Startups’ Bitcoinference in Mountain View, Calif. Bitcoin, the digital currency, is the payment of choice for HBOÂs cyberattackers. Bitcoin allows people to buy goods and services and exchange money without involving banks, credit card issuers or other third parties. It remains relatively little used, but holds big appeal for tech enthusiasts, speculators and criminals. (AP Photo/Jeff Chiu, File) Why HBO hackers demanded payment in bitcoin FILE – This Monday, May 15, 2017, file photo shows British IT expert Marcus Hutchins, branded a hero for slowing down the WannaCry global cyberattack, during an interview in Ilfracombe, England. On Friday, Aug. 4, 2017, a computer law expert described the evidence so far presented to justify Hutchins’ arrest in Las Vegas earlier in the week for allegedly creating and selling malicious banking software, as being problematic. (AP Photo/Frank Augstein, File) U.S. arrests British cybersecurity researcher who tackled Stan Stanart, Harris County County Clerk, talks about the prototypes of a swiveling iPad stand that will hold an electronic poll book at polling sites shown in his office at 201 Caroline Wednesday, Jan. 13, 2016, in Houston. Stanart questions Russian hacking claims, says elections secure Secretary of State Rex Tillerson seemed to insist that Russia return Crimea to Ukraine. Tillerson talks tough on Russia in visit to Ukraine Cyberattack’s fallout lingers as nations mull self-defense
Last year, members of DHS’ Industrial Control Systems Cyber Emergency Response Team recorded 290 cases of hackers gaining access to systems at everything from power plants to telecommunications systems. Considering companies are not required to report such incidents unless they lose control of critical infrastructure – to date something that has never been publicly reported in the United States – that number is likely far lower than the reality. Still, it represented more than twice as many incidents as were reported in 2011.
“What the electric industry folks tell me is, ‘We lay awake at home every night thinking about this,’ ” said a former top energy official in the Obama administration, who declined to be identified because those conversations were private. “Someone from one of the nation’s largest utilities, and I can’t say who, told me they had hackers trying to get into their system 3,000 times a day.”
The break-ins disclosed by Burlington Electric in Vermont and the Wolf Creek Nuclear Operating Co. of Kansas – which the companies maintain did not breach the networks that control the grid – have begun to raise debate in Washington over whether the government is doing enough. Federal authority over the power grid essentially stops where transmission lines end, leaving security over the vast complex of neighborhood power lines, transformers, smart meters and other digital controls largely to utilities and power generators.
That has left the grid a technological patchwork, with some companies failing to meet the elemental standards for cybersecurity, nearly a dozen government and private-sector experts said.
A worker prepares to install solar panels on a house in Katy. Solar industry clashes over imports at trade hearing Transocean to buy Songa Offshore as struggling sector A man window shops outside Kids Club Friday, Dec. 16, 2016 in downtown McAllen. Store owners in border towns such as McAllen depend on shoppers from Mexico. ( Michael Ciaglo / Houston Chronicle ) In Texas, shine of NAFTA dulls There are still 30 million good jobs that don’t require a college bachelor’s degree, and people in them earn an average of $55,000 a year, according to a new study.
Why a four-year college degree isn’t the only path to a secure FILE – In this Feb. 9, 2015, file photo, Roger Ailes attends a special screening of “Kingsman: The Secret Service” in New York. The death of the Fox News founder has left questions about how it could impact the backlog of lawsuits accusing his network of sexual harassment and racial discrimination. (Photo by Charles Sykes/Invision/AP, File) 21st Century Fox has paid out $50 million to settle harassment The Motley Fool: What are mortgage points?
“Something needs to change because right now we’re sitting ducks,” said Sujeet Shenoi, a computer science professor at the University of Tulsa who trains students for cybersecurity careers with the National Security Agency, FBI and other intelligence and law enforcement agencies.
Where once countries fought over land and waterways, the ability to control and protect the world’s digital systems is fast becoming a new arms race. In countries like Israel, Shenoi said, cybersecurity standards for power grids, pipelines, telecommunications and other vital systems are set by the government’s intelligence and security officials. And in leaving it in the hands of the private sector, he warned, the U.S. is falling behind.
Cyberttack in Ukraine
The cautionary tale is Ukraine, where in late 2015 operators at electric utilities watched helplessly as hackers took control of their systems, shutting down one breaker after another, knocking out power to some 230,000 customers for up to six hours. In the aftermath, a team from the U.S. Department of Homeland Security investigated the attack, finding the Ukrainians did not have basic cyberdefenses in place.
Computer systems that controlled the grid were not properly separated from those handling emails and other information technology functions, providing hackers easier access to the networks, the U.S. investigators discovered. On top of that, the Ukraine network was not using the latest techniques to verify users trying to log in from outside.
The U.S. grid is widely described as considerably more advanced those in Eastern Europe, but some of those same security failures in Ukraine could very well be found here, said Homeland Security’s Bristow, who was part of the team that traveled to Ukraine.