Adversaries are successfully gaining intelligence to sabotage the U.S. power grid but remain far away from actually pulling off a wholesale attack, according to cybersecurity and energy experts.
The Trump administration on Thursday for the first time publicly accused Russia of targeting the U.S. power grid with cyberattacks.
“Since at least March 2016, Russian government cyber actors targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors,” the FBI and Department of Homeland Security said in a joint statement.
The U.S. government says Russian hackers compromised energy operators in North America and Europe by copying information about machinery and descriptions of how it operates, which could be used to shut down power plants.
“This seems to be part of a collection of data points on a continuing game of cat and mouse,” said Jon Wellinghoff, a former chairman of the Federal Energy Regulatory Commission, in an interview with the Washington Examiner.
“We have seen some of these activities for many years, with phishing expeditions and other activities that allowed adversaries to gather information. They didn’t impair the functioning of any data systems, or have not done so to this point. But I continue to be concerned about how much information these bad actors are accumulating. Whether the accumulated information can become some critical mass that will allow them to perpetrate an event that can compromise our equipment, I don’t know.”
The government has known about the Russian attacks, known as “Dragonfly,” for more than a year, but had kept details classified and had been hesitant to name Russia as the force behind them.
Cybersecurity company Symantec Corporation issued a report about Dragonfly in October. Symantec said a Russian hacking entity “appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so.”
Symantec blamed the Dragonfly hackers for attacking Ukraine’s power grid in late 2015, which led to an hours-long power outage in the country and was the first successful cyberattack on a power grid.
Sergio Caltagirone, the director of threat intelligence at Dragos, which creates tools to protect industrial control systems, said he doesn’t believe Russia intends to shut down the U.S. power grid. But he says the complexity of civil industrial infrastructure could allow for a bad actor to create havoc by simply accessing the network.
“The most concerning thing with anyone operating within these networks is there could be unintended consequences that can have disruptive effects,” Caltagirone told the Washington Examiner. “That is what people should be concerned about, not Russia taking the power grid down. Because that would be considered an act of war if done intentionally.”
U.S. officials say there is no evidence hackers have been able to break the networks that control operations at power plants.
“At this time, NERC’s Electricity Information Sharing and Analysis Center has no reported cyber or physical security threats impacting the operations or reliability of the bulk power system in North America,” said Bill Lawrence, the director of E-ISAC, a body of the North American Reliability Corporation that serves as the primary security communications channel for the electricity sector.
But policymakers and experts worry the U.S. lacks a strategy to combat the possibility.
After the government issued its alert Thursday, Energy Secretary Rick Perry warned members of a House Appropriations subcommittee that he’s “not confident” the government has an appropriate strategy to combat “hundreds of thousands” of cybersecurity attacks directed at the U.S. every day. Perry plans to create a cybersecurity office.
Caltagirone says the federal government has been slow to address what was a “theoretical threat” just a few years ago.
“It’s very hard to get organizations to invest money into theoretical threats,” he said. “It was only one to two-and-a-half years ago that we realized what was theory is now real. I do expect things to get better, but there is a natural lag in that process.”
He says countries are engaged in a cyber “arms race” that began when the U.S. under the Obama administration waged attacks against computer systems that helped run Iran’s nuclear program, an operation known as Stuxnet.
Governments must establish clear rules about what is not acceptable in cyberspace, he said.
“There needs to be established norms of behavior that adversaries should not be able to operate at all within civilian critical infrastructure and industrial controls, and the world community needs to make that clear,” Caltagirone said. “There needs to be a true political deterrence to doing this.”
Until that happens, experts say policymakers should shore up the power grid.
The grid is already somewhat protected from wholesale hacking because of its disconnected nature. But the grid is becoming — and can become — more disconnected, with the creation of microgrids.
Microgrids are free-standing power grids separated from the main system that can protect against outages caused by extreme weather or even cyberattacks.
“The way our system is set up now, and the way it continues to evolve and change, it’s getting more secure, and it’s getting more distributed,” Wellinghoff said. “Because of severe climate events, people are starting to put in their own systems — generators, solar on roofs, and battery storage — and all those things will make the system more resilient.”