Subscribe
Modern field guide to security and privacy

Hard lessons for Energy Dept., power sector after Ukraine hack (+video)

At a Passcode event Thursday, Deputy Secretary of the Department of Energy Elizabeth Sherwood-Randall said the unprecedented cyberattack in Ukraine provides valuable lessons for the US power industry. 

  • close
    Deputy Secretary of the Department of Energy Elizabeth Sherwood-Randall spoke on May 12 at a Passcode event on protecting the electric grid from cyberattacks.
    Michael Bonfigli/The Christian Science Monitor
    View Caption
  • About video ads
    View Caption
of

Four months after malicious hackers infiltrated a Ukraine utility and cut power to some 230,000 people, the US government says it's continuing to learn valuable lessons from the unprecedented cyberattack.

"What happened in Ukraine is an opportunity for us to learn about the kinds of threats that we may face, and to innovate in the face of those threats," said Elizabeth Sherwood-Randall, deputy secretary of the Department of Energy, at a Passcode event Thursday to examine the growing cyberthreat to the electric grid. "Because of the evolving threat environment, we know we need to invest in a safer grid."

close
Department of Energy Deputy Secretary Elizabeth Sherwood-Randall spoke Passcode's "Guarding the Grid" event on May 12.

The December attack in Ukraine's Ivano-Frankivsk region was certainly a wake-up call for the US power sector. Security experts have long warned that hackers could one day compromise control systems inside utilities and cause power outages. Those concerns were realized in the Ukraine incident, the first confirmed cyberattack to cause a power outage at a utility, and have since led to officials, experts, and lawmakers to call on the industry to do more to safeguard US utilities.

At Passcode's "Guarding the Grid" event (watch the full event here), Tom Fanning, chief executive officer of the utility giant Southern Company, Rep. Will Hurd (R) of Texas, and Robert M. Lee, chief executive officer of the cybersecurity firm Dragos Security, joined Sherwood-Randall to discuss what the US energy sector is doing as a result of the Ukraine attack, and whether it's enough to counter the emerging threats. 

Here are some key takeaways:

1. The US has long been working to combat BlackEnergy malware

US officials and utility executives have known about the threat from BlackEnergy malware, which Mr. Fanning called "one of the major enablers behind the Ukraine attack," for at least two years. In fact, in 2014, Homeland Security reported that it had uncovered a "sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments" that relied on BlackEnergy. 

"BlackEnergy has been around for a long time," said Fanning. "BlackEnergy was not designed to attack energy. It was originally focused on things like the finance industry," he said. But, he said, "it has a lot of functionality" – comparing it to something akin to a digital "Swiss Army Knife" in the hackers' toolbox. In the case of Ukraine, he said, it probably "allowed people to get in."

But while the Ukraine attack, and the depth of the hackers' penetration into the systems there is unprecedented, Fanning noted that it affected power distribution and not transmission. "An attack on the distribution level would not have the same widespread impact as a successful attack on transmission," he said. "It is by its nature going to be more local and, by it's nature, it is more controllable."

close
Tom Fanning, chief executive officer of the utility giant Southern Company.

2. Information sharing is critical  – but is it happening fast enough? 

In the weeks after the Ukraine grid hack, as many experts and officials were just beginning to realize the scope of the attack, government agencies such as DHS and DOE remained fairly quiet. The attack occurred on Dec. 23, but it wasn't until Feb. 25 that DHS issued its report publicly confirming the attack and providing more details. 

At Thursday's event, Sherwood-Randall said, "We provided the facts as we understood them. That’s our responsibility, to put out information about threats as we know them."

But security researchers such as Mr. Lee, who traveled to Ukraine after the incident to help investigate the attack, said the government should have moved faster when it came to getting out the necessary information to the public. 

"We've been talking about cyberattacks against infrastructure for a long time," he said. "It's not a new concept." Yet, he said, "I did not like to see that two month gap between announcement of it occurring and a DHS response."

What's more, said Lee, the event was of such a significant scale that " we should have a response," he said. "It’s hard to have a national discussion around threat information sharing ... and then not share things."

But Fanning said that, regardless of the public report, the energy sector had much of the information it needed quickly after the Ukraine attack was first reported. "When Ukraine happened ... we let everyone know what was going on," he said. "We weren't going to be public until we knew everything," he said. "We weren't waiting two months before we took action."

3. There's a narrative problem when talking about grid security

On one hand, many industry executives and government agencies say the US grid is safe, but at the same time US intelligence officials such as Adm. Michael Rogers, head of the National Security Agency, have warned of forthcoming attacks on US utilities.

"There's a national message mix up that's causing confusion for energy companies," said Lee. 

One of the problems may be a lack of understanding when it comes to defining when cyberattacks amount to malicious actions and acts of war, said Representative Hurd of Texas. "What is a digital act of war and what is our countermeasure?" he asked.

"If North Korea launched a missile into San Francisco, we all know how we’d respond.... But is stealing 23 million records from the Office of Personnel Management an act of war?"

Figuring out those issues and determining how the US should respond, he said, is where the conversations need to be happening. 

close
Rep. Will Hurd (R) of Texas spoke at Passcode's "Guarding the Grid" event on May 12.

4. Humans are the biggest cyberthreats – and keys to solving the problem

Like many industries, the energy sector is dealing with a growing rate of cyberattacks and software viruses, but Lee stressed that it's not the malware that's the real danger. It's the human on the other side of the keyboard, he said.

“Software is not the problem. It’s the people," said Lee, but more regulations and security software products aren't the answer to keeping malicious hackers out of utility control systems.

"The only thing that's consistently going to be a win for us is making smart people," he said. "We have to get trained and empowered defenders to counter human threats."

close
Robert Lee, chief executive officer at Dragos Security, spoke at Passcode's "Guarding the Grid" event on May 12.
SHOW MORE

5. So what about these squirrels?

Security researcher and Passcode columnist Space Rogue has pointed out that even with all the talk of cyberattacks on the grid, animals such as squirrels have caused far more damage to the power supply than any hacker. 

As for Fanning, he laughed off the notion of the squirrel threat: "It's no big deal."

This squirrel disagrees:

About these ads
Sponsored Content by LockerDome
 

We want to hear, did we miss an angle we should have covered? Should we come back to this topic? Or just give us a rating for this story. We want to hear from you.

Loading...

Loading...

Loading...

Save for later

Save
Cancel

Saved ( of items)

This item has been saved to read later from any device.
Access saved items through your user name at the top of the page.

View Saved Items

OK

Failed to save

You reached the limit of 20 saved items.
Please visit following link to manage you saved items.

View Saved Items

OK

Failed to save

You have already saved this item.

View Saved Items

OK