Modern field guide to security and privacy

Hard lessons for Energy Dept., power sector after Ukraine hack

At a Passcode event Thursday, Deputy Secretary of the Department of Energy Elizabeth Sherwood-Randall said the unprecedented cyberattack in Ukraine provides valuable lessons for the US power industry. 

|
Michael Bonfigli/The Christian Science Monitor
Deputy Secretary of the Department of Energy Elizabeth Sherwood-Randall spoke on May 12 at a Passcode event on protecting the electric grid from cyberattacks.

Four months after malicious hackers infiltrated a Ukraine utility and cut power to some 230,000 people, the US government says it's continuing to learn valuable lessons from the unprecedented cyberattack.

"What happened in Ukraine is an opportunity for us to learn about the kinds of threats that we may face, and to innovate in the face of those threats," said Elizabeth Sherwood-Randall, deputy secretary of the Department of Energy, at a Passcode event Thursday to examine the growing cyberthreat to the electric grid. "Because of the evolving threat environment, we know we need to invest in a safer grid."

The December attack in Ukraine's Ivano-Frankivsk region was certainly a wake-up call for the US power sector. Security experts have long warned that hackers could one day compromise control systems inside utilities and cause power outages. Those concerns were realized in the Ukraine incident, the first confirmed cyberattack to cause a power outage at a utility, and have since led to officials, experts, and lawmakers to call on the industry to do more to safeguard US utilities.

At Passcode's "Guarding the Grid" event (watch the full event here), Tom Fanning, chief executive officer of the utility giant Southern Company, Rep. Will Hurd (R) of Texas, and Robert M. Lee, chief executive officer of the cybersecurity firm Dragos Security, joined Sherwood-Randall to discuss what the US energy sector is doing as a result of the Ukraine attack, and whether it's enough to counter the emerging threats. 

Here are some key takeaways:

1. The US has long been working to combat BlackEnergy malware

US officials and utility executives have known about the threat from BlackEnergy malware, which Mr. Fanning called "one of the major enablers behind the Ukraine attack," for at least two years. In fact, in 2014, Homeland Security reported that it had uncovered a "sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments" that relied on BlackEnergy. 

"BlackEnergy has been around for a long time," said Fanning. "BlackEnergy was not designed to attack energy. It was originally focused on things like the finance industry," he said. But, he said, "it has a lot of functionality" – comparing it to something akin to a digital "Swiss Army Knife" in the hackers' toolbox. In the case of Ukraine, he said, it probably "allowed people to get in."

But while the Ukraine attack, and the depth of the hackers' penetration into the systems there is unprecedented, Fanning noted that it affected power distribution and not transmission. "An attack on the distribution level would not have the same widespread impact as a successful attack on transmission," he said. "It is by its nature going to be more local and, by it's nature, it is more controllable."

2. Information sharing is critical  – but is it happening fast enough? 

In the weeks after the Ukraine grid hack, as many experts and officials were just beginning to realize the scope of the attack, government agencies such as DHS and DOE remained fairly quiet. The attack occurred on Dec. 23, but it wasn't until Feb. 25 that DHS issued its report publicly confirming the attack and providing more details. 

At Thursday's event, Sherwood-Randall said, "We provided the facts as we understood them. That’s our responsibility, to put out information about threats as we know them."

But security researchers such as Mr. Lee, who traveled to Ukraine after the incident to help investigate the attack, said the government should have moved faster when it came to getting out the necessary information to the public. 

"We've been talking about cyberattacks against infrastructure for a long time," he said. "It's not a new concept." Yet, he said, "I did not like to see that two month gap between announcement of it occurring and a DHS response."

What's more, said Lee, the event was of such a significant scale that " we should have a response," he said. "It’s hard to have a national discussion around threat information sharing ... and then not share things."

But Fanning said that, regardless of the public report, the energy sector had much of the information it needed quickly after the Ukraine attack was first reported. "When Ukraine happened ... we let everyone know what was going on," he said. "We weren't going to be public until we knew everything," he said. "We weren't waiting two months before we took action."

3. There's a narrative problem when talking about grid security

On one hand, many industry executives and government agencies say the US grid is safe, but at the same time US intelligence officials such as Adm. Michael Rogers, head of the National Security Agency, have warned of forthcoming attacks on US utilities.

"There's a national message mix up that's causing confusion for energy companies," said Lee. 

One of the problems may be a lack of understanding when it comes to defining when cyberattacks amount to malicious actions and acts of war, said Representative Hurd of Texas. "What is a digital act of war and what is our countermeasure?" he asked.

"If North Korea launched a missile into San Francisco, we all know how we’d respond.... But is stealing 23 million records from the Office of Personnel Management an act of war?"

Figuring out those issues and determining how the US should respond, he said, is where the conversations need to be happening. 

4. Humans are the biggest cyberthreats – and keys to solving the problem

Like many industries, the energy sector is dealing with a growing rate of cyberattacks and software viruses, but Lee stressed that it's not the malware that's the real danger. It's the human on the other side of the keyboard, he said.

“Software is not the problem. It’s the people," said Lee, but more regulations and security software products aren't the answer to keeping malicious hackers out of utility control systems.

"The only thing that's consistently going to be a win for us is making smart people," he said. "We have to get trained and empowered defenders to counter human threats."

5. So what about these squirrels?

Security researcher and Passcode columnist Space Rogue has pointed out that even with all the talk of cyberattacks on the grid, animals such as squirrels have caused far more damage to the power supply than any hacker. 

As for Fanning, he laughed off the notion of the squirrel threat: "It's no big deal."

This squirrel disagrees:

 

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Hard lessons for Energy Dept., power sector after Ukraine hack
Read this article in
https://www.csmonitor.com/World/Passcode/2016/0513/Hard-lessons-for-Energy-Dept.-power-sector-after-Ukraine-hack
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe