A “cyber event” interrupted grid operations in parts of the western United States in early March, but the hack was just disclosed to the public a few days ago.
The attack marked a somber milestone for the US power sector: the unnamed utility company is the first to report a malicious event that disrupted grid operations.
“According to a cryptic report posted by the Department of Energy, the March 5 incident lasted from 9 a.m. until nearly 7 p.m. but didn’t lead to a power outage, based on a brief summary of the electric disturbance report filed by the victim utility,” E&E News reported on April 30.
Authorities don’t know the source of the cyber event.
E&E News posted an update today, which includes the following information:
The hack itself occurred two months ago, on March 5, when a “denial-of-service” attack disabled Cisco Adaptive Security Appliance devices ringing power grid control systems in Utah, Wyoming and California, according to multiple sources and a vague summary of a Department of Energy filing.
There were no blackouts, no harm to power generation and evidently very little effect on the Western transmission grid, according to multiple sources and officials. The most direct impact was likely a temporary loss of visibility to certain parts of the utility’s supervisory control and data acquisition (SCADA) system, though all major transmission operators in the regions affected denied having been hit by the denial-of-service attack. (source)
There was a disruption, but it did not lead to any blackouts or really, as far as we know, any halt in the flow of electricity there. What likely happened here was what’s called a loss of visibility. There was a denial-of-service attack against some part of the utility’s network infrastructure, and that basically led operators to not be able to see what was going on in the grid. So it’s sort of like driving with blinders on. As long as nothing crazy happens, you should be fine, but it certainly constitutes a disruption and a reportable event here to the Department of Energy.
It does pose a hazard, and that’s why the Department of Energy actually requires utilities to report if they experience a cyberattack within one hour of the event itself. And so this is really the first time that we’ve seen a utility tell regulators at the DOE, at the Department of Energy, hey, hackers disrupted some part of our operations. And in this case, again, it appears that that was related to visibility as to what was happening on the grid there. (source)
The attack was a relatively basic DOS event, according to officials.
This raises concerns about what might happen if a more sophisticated hacker chose to launch a far more powerful attack.
Sobczak explains what a DOS (denial of service) incident is:
Denial-of-service, or DOS, cyberattacks overwhelm target networks with bogus traffic, making it difficult for victim computers to operate normally. Distributed-denial-of-service (DDOS) attacks harness the power of hacked “botnets” of computers to throw at hackers’ targets, while rarer telephony-denial-of-service (TDOS) events seek to block incoming and outgoing calls.
Denial-of-service attacks frequently target internet-facing devices or services — one record-setting DDOS interrupted access to popular sites like Twitter and Grubhub in fall 2016. In order for a DOS to have triggered an electric disturbance alert, it likely would have hit something more significant, but still externally facing, industry sources speculated: perhaps firewalls or routers on the boundary of a grid network. While a cyberattack on such equipment wouldn’t disrupt the flow of electricity, it could force operators to pause or redirect certain activities at affected facilities to allow for an investigation. (source)
Even more concerning is the fact that the DOS perpetrator(s) took advantage of a known software vulnerability that required a previously published patch to fix, according to a DOE official. “In other words, with a patch in hand, it wouldn’t have been difficult for power companies to identify and update any computer systems potentially at risk. DOE didn’t clarify which equipment — whether routers, work stations or even phones — were affected by the denial of service.” Sobczak explains.
Utility companies are required to notify DOE within one hour of any successful cyber attack on their systems. If they fail to file an OE-417 electric disturbance report, they can be fined up to $2,500 per day. However, DOE has never issued civil or criminal penalties related to the form. The form is supposed to include an overview of the incident, whether it be a hurricane-related outage or a physical attack on the facility. A second, more closely guarded portion of the form contains a detailed summary of actions taken to resolve the incident and “preliminary results from any investigations,” per DOE guidelines, E&E News reports.
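As an added illustration that is not part of the original article or any utility’s actual tooling, the following Python sketch shows how a defender could detect the kind of loss of SCADA visibility described above from a poll log and compute the one-hour OE-417 reporting clock. The log lines, site name, 15-minute polling cadence and two-miss alert threshold are constructed assumptions, with timestamps chosen to mirror the 9 a.m. to nearly 7 p.m. window in the report.

```python
from datetime import datetime, timedelta

# Constructed sample (not from the page): one line per successful SCADA poll
# of a remote site. The gap models the "loss of visibility" the March 5 report
# describes, timed to match its 9 a.m. to nearly 7 p.m. window.
POLL_LOG = """\
2019-03-05T08:30:00 site=substation-A status=ok
2019-03-05T08:45:00 site=substation-A status=ok
2019-03-05T09:00:00 site=substation-A status=ok
2019-03-05T18:45:00 site=substation-A status=ok
2019-03-05T19:00:00 site=substation-A status=ok
"""
POLL_INTERVAL = timedelta(minutes=15)  # assumed polling cadence
MISSED_POLLS = 2                       # consecutive misses before alerting
REPORT_WINDOW = timedelta(hours=1)     # DOE OE-417 deadline after detection

def parse_polls(log):
    """Return {site: sorted list of successful poll times}."""
    polls = {}
    for line in filter(None, log.splitlines()):
        stamp, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("status") == "ok":
            polls.setdefault(kv["site"], []).append(datetime.fromisoformat(stamp))
    return {site: sorted(t) for site, t in polls.items()}

def visibility_gaps(polls, interval=POLL_INTERVAL, misses=MISSED_POLLS):
    """(site, last_good, first_recovered, duration) for every outage longer
    than `misses` consecutive polls."""
    gaps = []
    for site, times in polls.items():
        for prev, cur in zip(times, times[1:]):
            if cur - prev > interval * misses:
                gaps.append((site, prev, cur, cur - prev))
    return gaps

def reporting_deadline(last_good, interval=POLL_INTERVAL, misses=MISSED_POLLS):
    """The gap becomes detectable once `misses` polls are overdue; the OE-417
    filing is due REPORT_WINDOW after that moment."""
    detected = last_good + interval * misses
    return detected, detected + REPORT_WINDOW

if __name__ == "__main__":
    for site, start, end, dur in visibility_gaps(parse_polls(POLL_LOG)):
        detected, due = reporting_deadline(start)
        print(f"{site}: blind {start:%H:%M}-{end:%H:%M} ({dur}); "
              f"detected {detected:%H:%M}, OE-417 due {due:%H:%M}")
```

In practice the poll source would be the SCADA master’s own telemetry rather than a text file, and the detection timestamp, not the later manual confirmation, is what starts the reporting clock.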
There are several reasons authorities hide these events from the public.
In today’s update, Sobczak elaborates on the significance of the attack and the surrounding secrecy:
No U.S. electrical utility is known to have experienced any disruptive cyberattack in the past, a surprising fact given that utilities routinely find themselves in the crosshairs of the world’s most sophisticated hackers and can face millions of more run-of-the-mill hacking attempts every day. (Energywire, July 20, 2018).
Fears that a bona fide cyberattack would be blown out of proportion among the general public have fueled a culture of secrecy around anything filed under “cyber” in the electricity sector.
At the most recent GridEx security exercise in 2017, utilities practiced how word would get out about a blitz of simulated cyber and physical attacks. The exercise modeled how misinformation about the incident could spread quickly over social media.
“The grid runs everything. Forget how robust it is. How many other critical infrastructure sectors rely on electricity?” said John Hultquist, director of intelligence analysis at cybersecurity firm FireEye Inc.
“It’s the best way to cause cascading effects across society — the public knows that. They don’t know anything about how hard that would be.” (source)
Even though the March 5 attack didn’t cause customer outages or impact the reliability of the grid, and there’s no evidence it was part of a coordinated attack, the event is highly concerning.
To date, the best known successful grid attack occurred in 2015 and again in 2016 when hackers allegedly linked to the Russian government targeted portions of Ukraine’s energy grid with a DOS attack and cut off electricity for several hours to tens of thousands of people. That cyber attack was the first known to have caused a blackout anywhere in the world.
A significant grid attack in the US would cause widespread problems.
If that kind of outage happened here, it would cause millions of dollars in damage and serious disruption of life as we know it. Lives could be lost as well – particularly if hospitals and other healthcare facilities were impacted, and if the outage was prolonged.
A 2015 report by the University of Cambridge Centre for Risk Studies estimated a major grid attack in the United States could cost up to $1 trillion in the most severe circumstances.
The March 5 DOS attack on U.S. Cisco equipment isn’t known to have involved any hostile takeover of operational networks. “It’s possible the hacker or hackers, in that case, didn’t even realize they were interfering with power grid equipment, sources said, perhaps having found the Cisco firewalls exposed online via specialized internet search tools,” Sobczak explains.
Some experts say the US power grid has already been hacked, as Daisy Luther reported in 2017:
A report by internet security experts, Symantec, says that a hacking group called Dragonfly 2.0 has gained access to 20 power company networks. The American power grid has been hacked, but for some reason, the culprits restrained themselves from taking down the power like they did in Ukraine recently.
The targets were in the United States, Turkey, and Switzerland. According to Symantec, the hackers did gain access to the interface they would need to control the power equipment, with which they could cause a widespread blackout. Eric Chien, a Symantec security analyst, told Wired:
“There’s a difference between being a step away from conducting sabotage and actually being in a position to conduct sabotage … being able to flip the switch on power generation. We’re now talking about on-the-ground technical evidence this could happen in the US, and there’s nothing left standing in the way except the motivation of some actor out in the world.” (source)
While we were all focused on the natural disasters like wildfires and hurricanes looming over us, this report went all but unnoticed by the mainstream and alternative media alike.
Our grid has been hacked. Symantec’s report refuses to disclose which power plants were compromised, but there seems to be no doubt the hackers were able to gain access to operational control of them. And while this has been going on for a few years now, they’re getting bolder and nearly have the pieces in place to widespread sabotage our power grid. (source)
Sobczak’s May 6 report concludes with some troubling information (emphasis mine):
The Department of Energy and the Federal Energy Regulatory Commission are both restructuring rules for utilities to report grid cyberattacks to regulators. FERC commissioners, frustrated by years of radio silence from utilities despite a stream of warnings about growing cyberthreats, moved last year to broaden the definition of what constitutes a reportable incident.
The March 5 event is listed publicly because it cleared a certain bar of severity, said Sam Feinburg, executive director of Helena, which is working on a “Shield Project” to boost U.S. grid defenses. “There are undoubtedly many more such events that don’t breach that bar and therefore don’t become public knowledge.”
Feinburg said such events, even when carried out by unsophisticated hackers, don’t get enough attention.
“[Grid] infrastructure is getting more complicated, and because of that, it’s getting harder and harder to defend each part of it,” he said. “The ability to conduct these attacks is only being distributed across a wider and wider set of folks.”
“It does not take a sophisticated attacker to deal damage to critical electrical infrastructure, and that’s scary,” Feinburg said. (source)
Experts say more needs to be done to protect the grid.
“The U.S. electrical grid is highly complex with some 3,300 utility companies that work together to deliver power through 200,000 miles of high-voltage transmission lines. The nation also has 55,000 electrical substations and 5.5 million miles of distribution lines that power millions of homes and businesses,” a report last year states.
One, our adversaries are getting much more aggressive. They’re learning a lot about our industrial systems, not just from a computer technology standpoint but from an industrial engineering standpoint, thinking about how to disrupt or maybe even destroy equipment. That’s where you start reaching some particularly alarming scenarios.
The second thing is, a lot of that ability to return to manual operation, the rugged nature of our infrastructure—a lot of that’s changing. Because of business reasons, because of lack of people to man the jobs, we’re starting to see more and more computer-based systems. We’re starting to see more common operating platforms. And this facilitates a scale for adversaries that they couldn’t previously get. (source)
When asked to clarify what he meant by adversaries getting more aggressive, Lee explained:
The key events are things like the Ukraine attack in 2015–2016, [in which a cyberattack brought down portions of the Ukrainian power grid], as well as two different campaigns in 2013–2014, BlackEnergy2 and Havex, [two malware programs that were deployed against energy sector companies]. Basically, far-reaching espionage on industrial facilities one year; the next year getting into industrial environments; and then culmination in attacks in 2015–2016. That’s aggressive in itself.
For my own firm, what we’re seeing in the [overall] activity in the space is it’s growing. Over the last decade, I have seen adversary activity increase in some measure, and then around 2013–2014 just start spiking. (source)
It is up to each of us to prepare for a grid-down event.
On May 2, President Trump signed an executive order aimed at filling the deficit of cybersecurity professionals in the federal workforce, including specialists with knowledge of cyber-physical systems like power grids and gas pipelines. “The Nation is experiencing a shortage of cybersecurity talent and capability, and innovative approaches are required to improve access to training that maximizes individuals’ cybersecurity knowledge, skills, and abilities,” the EO states. Last month, Trump signed an EMP awareness EO called Executive Order on Coordinating National Resilience to Electromagnetic Pulses as a first step toward learning more about how an EMP would affect us and how to protect critical infrastructure.
However, how effective the government’s new efforts will be is yet to be seen.
Recently, preparedness author Michael Mabee warned that the federal government has no plan for a long-term power outage and that the lack of preparedness could lead to tragic consequences:
In the U.S. we are literally on life support, plugged into the electric grid. If somebody unplugs us, everything necessary to sustain life stops: food, water, fuel, transportation, medical care, communications, financial – everything.
The grid is vulnerable to numerous threats. The U.S. Senate said that in a long-term nation-wide blackout, millions of citizens could die. After a few weeks, we would die in droves from waterborne diseases, starvation, and societal collapse. What if the grid went down for longer than a few weeks? (source)
Here are some resources that can help you prepare for the big one.
Mabee has assembled a comprehensive website with information on the threats and actions we can take.
What do you think?
Do you think more of these events occur but remain under the radar?
Are you prepared for a long-term grid-down event? If so, what have you done to prepare?
Please share your thoughts in the comments.