What companies and the government can learn from the Ukraine grid cyberattack
The attack on Ukraine’s power grid teaches valuable lessons that experts think companies and the next US administration should take to heart.
WASHINGTON — One major piece of fall out from the BlackEnergy cyberattack on Ukraine’s power grid?
US energy companies are thinking hard and long about their approach to upgrading their digital infrastructure, said Edward Goetz, chief security officer at Exelon, at an event in Washington hosted by Invincea, an endpoint protection cybersecurity firm.
One of the reasons the attack wasn’t as devastating as it could have been (the power was only out for six hours at most) was that the industry had a ready response to the problem: workers were able to manually reverse the hackers’ work by physically resetting power stations.
US companies looking to upgrade their infrastructure are now considering how to obtain the digital efficiency afforded by new technology alongside Ukraine’s strong reminder of the last-resort value of analog procedures, Mr. Goetz said.
That isn’t to say that the grid is on the verge of collapse — far from it.
“Most people don’t know how the power grid works, and there’s this feeling that it’s a big battery with an on-off switch,” said Marcus Sachs, chief security officer (CSO) of the North American Electric Reliability Corporation (NERC).
But there are many lessons the US could take from Ukraine’s experience, experts at the event agreed.
Mr. Sachs and others underscored the security of US critical infrastructure, citing the grid’s diverse technologies and players as making it harder to take down in one fell swoop, while pointing out that most of the threats to the grid come from unsophisticated sources like squirrels or phishing campaigns. Shoring up the grid against the most basic digital threats should be a first order of business across industry and government, Sachs said.
However power companies configure their systems, Sachs said, lack of communication between the US federal government and the private sector makes the entire business of defending the nation’s critical infrastructure more difficult.
Even after last year’s Cybersecurity Information Sharing Act (CISA) agreement, which paved the way for easier transit of information between government and the private sector, the government struggles to declassify information at a rapid enough rate for the intelligence given to businesses to be actionable.
Intelligence received “six or eight weeks [after the fact] is not timely. Six or eight minutes might be timely.” said Sachs. “Get rid of the things that make it classified and just give us better data. We don’t care how you [the government] got it, but the fact that you know it should be shared.”
On the private side, fears that proprietary information will be used to exploit vulnerabilities prevents companies from sharing more openly.
It comes down to trust, which can’t be legislated, Sachs said, and the private sector and the federal government have a lot of relationship building to do before they can share information as freely as CISA intends.
Defending against threats is half the equation — deterring them is the other, said Richard Clarke, a former national security official and current CEO of Good Harbor, who offered some advice to the next administration on how to be more proactive when defending critical infrastructure.
In order to ensure US infrastructure security, Mr. Clarke said, the next administration would do well to focus and consolidate its resources around those utilities that will be the focus of cyberattacks (such as the grid and the financial system) and continue to work on a better mechanism to train the next generation of cybersecurity professionals.
Continued multilateral action will be important, Clarke said, to take a harder line with state-sponsored hackers who have yet to feel real consequences for their actions.
That kind of action could have unintended consequences, though. Goetz wondered whether a cabal of former government-sponsored industrial spies from China will move to countries with looser Internet restrictions and become independent actors in the wake of the US signing a deal with China to stop the same.
Invincea is an endpoint security software company. More than 25,000 customers rely on Invincea to prevent and detect threats and enable their workforce to conduct business—in the office or on the road. Follow them on Twitter @Invincea.