Cyberattacks Raise Alarm for U.S. Power Grid
By Rebecca Smith (Wall Street Journal)
Dec. 30, 2016 12:58 p.m. ET
Experts believe Russian hackers linked to the DNC breach are also behind attacks on utilities in Ukraine and U.S., leaving domestic power grid exposed
Cyberattacks that have knocked out electric utilities in
Ukraine, including one suspected hack earlier this month, have renewed concern
that computer criminals could take down portions of the U.S. power grid.
That fear was underscored this week when senior
administration officials said that teams of Russian hackers have “targeted
critical infrastructure even beyond what they did” with political organizations
in an attempt to interfere in the U.S. presidential
election.
The Obama administration on Thursday announced sanctions
that include expelling about three dozen Russians. Meanwhile, the FBI and
Homeland Security said in a report that malicious Russian cybercampaigns
continued after the election and a senior official said
“Russia is not going to stop.”
A team of Russian hackers that has been linked to this
year’s cyberbreach of the Democratic National Committee was also behind a
successful attack in 2015 on three different utilities in Ukraine that caused
unprecedented blackouts, according to government and independent security
experts.
The same group is thought by those experts to be behind
successful cyberattacks on several U.S. energy companies in 2014 that gave the
hackers access to company industrial control networks.
In mid-December, Ukraine’s capital city of Kiev suffered
another partial power outage when a high-voltage electric substation turned off
under suspicious circumstances.
“We’re 99% sure that it was a hacker,” said Vsevolod Kovalchuk, chief executive of Ukrenergo,
the utility that operates the backbone of Ukraine’s power transmission network.
Shortly before midnight on December 17, someone started
disconnecting circuit breakers through remote means until the electrical
substation was completely disabled, Mr. Kovalchuk said.
Utility employees re-energized the substation by manually
restoring equipment to its “on” position.
Substations are linchpins in all power grids because they control voltage
levels and direct the flow of electricity down power lines.
Mr. Kovalchuk said he believes the latest attack was well
planned because the targeted substation is one of the utility’s most automated.
An official investigation could take another week but should identify the
perpetrator and malware, he said.
American officials believe a cyber-campaign against the U.S.
energy industry in 2014 resulted in at least 17 companies’ systems being
penetrated, including four electric utilities. Their identities aren’t publicly
known. The U.S. power grid is a gigantic system of interconnected electric
networks, which means successfully taking down one or more utilities could destabilize
larger areas of the grid.
The U.S. Department of Homeland Security has said the
attackers in the 2014 blitz were able to steal data and gain private network
access, which could allow them to remotely adjust equipment settings.
A recent report by FireEye, a Silicon Valley cybersecurity
company, said the Russian group has evolved its malware to use “flexible and
lasting platforms indicative of plans for long-term use.”
Russia’s embassy press office in Washington, D.C. didn’t
respond to requests for comment, but in the past officials have denied state
involvement in hacking.
A series of equipment failures and unexplained attacks have
exposed the vulnerabilities of the U.S. electrical grid. Keith Cloud, head of
security for the Western Area Power Administration, which controls portions of
the grid in 15 states, says he doesn’t receive enough funding to secure his
substations. Video: Gabe Johnson/WSJ. Photo: Mark Paterman
for The Wall Street Journal (Originally published July 13, 2016)
Frank Cilluffo, a former homeland
security adviser during the George W. Bush administration, said such brazen
attacks signal a cyber Cold War has broken out. “We need to raise the cost and
consequence” of these acts, he said.
Officials at the
Department of Homeland Security declined to comment beyond Thursday’s briefing.
The team that is believed to have attacked U.S. and
Ukrainian energy companies used malware dubbed BlackEnergy,
which functioned like a propped-open door that allowed them to conduct lengthy
reconnaissance.
“Russia is the most capable cybersecurity adversary we
have,” said Keith Smith, vice president of threat intelligence at Root9B, a
network security company. “They penetrated the DNC with a module strikingly
similar to BlackEnergy.”
U.S. officials believe the cyberattack of Ukraine’s power
grid started in March 2015 as a “spear-phishing” foray in which emails to
utility employees appeared to contain information on military mobilization.
Workers who clicked on boxes to “enable macros” infected their computers with
the malware. Once the hackers established a beachhead, they prowled around
company networks and eventually stole the credentials needed to gain access to
utilities’ operations.
For nine months, the hackers studied the Ukrainian electric
system. When the attack finally happened on December 23, 2015, hackers remotely
took control of three of Ukraine’s 30 power distribution utilities within a
half-hour. During the attack, the first time that power systems had been
blacked out through cyber means, control room engineers sat helplessly as
ghostly hands moved cursors across their computer screens, opening circuit
breakers at 50 substations and shutting off electricity to about 700,000
people.
The team then used another kind of malware called KillDisk to erase critical automation software, so
utilities had to dispatch crews to each substation to manually restore
equipment. Electricity was mostly flowing again about six hours after the
hackers withdrew, but for months the utilities had to limp along without normal
automation.
It could have been far worse. Had the attackers opened and
closed breakers rapidly and randomly it could have caused lasting damage and
resulted in lengthy blackouts, said Joe Weiss, an industrial security expert at
Applied Control Solutions LLC.
“Think six months and not six hours,” he said.
Michael Assante, a member of a fact-finding team that
studied the attacks in Ukraine, said it is a fallacy to think the U.S. could
repel a similarly sophisticated assault. In fact, heavier reliance on
automation makes the U.S. electric system harder to completely restore once
knocked out, he said.
“The same tactics used in Ukraine would absolutely cause a
problem here,” said Mr. Assante, a former chief security officer for Ohio
utility American Electric Power Co., who now works for SANS Institute, a
security consulting firm.
Sen. Angus King (I-Maine) is sponsoring federal legislation
that would require utilities to have manual-control capabilities.
“The next Pearl Harbor will be cyber,” he said. “It’s a
cheap way to attack. No bombers or submarines needed.”
U.S. officials say it is possible that malware, including BlackEnergy, still lurks in American utility networks.
There is no federal requirement that it be rooted out.
Gerry Cauley, president of the
North American Electric Reliability Corp., which writes security standards for
the power industry, said more teams of hackers that appear to be sponsored by
foreign governments are trying to penetrate the U.S. power grid.
“There have been instances of BlackEnergy
and mapping of networks,” he said. “But they’re working in a big ocean and
might have mapped one coral reef.”
Small comfort, say some experts.
Many fear the malware is already positioned and
waiting to be activated.
Mr. Smith of Root9B said it is speculative to assume the
Russians want to shut down the U.S. power grid. But if relations between the
countries break down, he said, “I don’t see anything that would stop them.”
Write to Rebecca Smith at rebecca.smith@wsj.com
Appeared in the December 31, 2016, print edition as 'Fears Over U.S. Power Grid.'