Hard lessons for Energy Dept., power sector after Ukraine hack

At a Passcode event Thursday, Deputy Secretary of the Department of Energy Elizabeth Sherwood-Randall said the unprecedented cyberattack in Ukraine provides valuable lessons for the US power industry. 

Four months after malicious hackers infiltrated a Ukraine utility and cut power to some 230,000 people, the US government says it's continuing to learn valuable lessons from the unprecedented cyberattack.

"What happened in Ukraine is an opportunity for us to learn about the kinds of threats that we may face, and to innovate in the face of those threats," said Elizabeth Sherwood-Randall, deputy secretary of the Department of Energy, at a Passcode event Thursday to examine the growing cyberthreat to the electric grid. "Because of the evolving threat environment, we know we need to invest in a safer grid."

The December attack in Ukraine's Ivano-Frankivsk region was certainly a wake-up call for the US power sector. Security experts have long warned that hackers could one day compromise control systems inside utilities and cause power outages. Those concerns were realized in the Ukraine incident, the first confirmed cyberattack to cause a power outage at a utility, and have since led to officials, experts, and lawmakers to call on the industry to do more to safeguard US utilities.

At Passcode's "Guarding the Grid" event (watch the full event here), Tom Fanning, chief executive officer of the utility giant Southern Company, Rep. Will Hurd (R) of Texas, and Robert M. Lee, chief executive officer of the cybersecurity firm Dragos Security, joined Sherwood-Randall to discuss what the US energy sector is doing as a result of the Ukraine attack, and whether it's enough to counter the emerging threats. 

Here are some key takeaways:

1. The US has long been working to combat BlackEnergy malware

US officials and utility executives have known about the threat from BlackEnergy malware, which Mr. Fanning called "one of the major enablers behind the Ukraine attack," for at least two years. In fact, in 2014, Homeland Security reported that it had uncovered a "sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments" that relied on BlackEnergy. 

"BlackEnergy has been around for a long time," said Fanning. "BlackEnergy was not designed to attack energy. It was originally focused on things like the finance industry," he said. But, he said, "it has a lot of functionality" – comparing it to something akin to a digital "Swiss Army Knife" in the hackers' toolbox. In the case of Ukraine, he said, it probably "allowed people to get in."

But while the Ukraine attack, and the depth of the hackers' penetration into the systems there is unprecedented, Fanning noted that it affected power distribution and not transmission. "An attack on the distribution level would not have the same widespread impact as a successful attack on transmission," he said. "It is by its nature going to be more local and, by it's nature, it is more controllable."

2. Information sharing is critical  – but is it happening fast enough? 

In the weeks after the Ukraine grid hack, as many experts and officials were just beginning to realize the scope of the attack, government agencies such as DHS and DOE remained fairly quiet. The attack occurred on Dec. 23, but it wasn't until Feb. 25 that DHS issued its report publicly confirming the attack and providing more details. 

At Thursday's event, Sherwood-Randall said, "We provided the facts as we understood them. That’s our responsibility, to put out information about threats as we know them."

But security researchers such as Mr. Lee, who traveled to Ukraine after the incident to help investigate the attack, said the government should have moved faster when it came to getting out the necessary information to the public. 

"We've been talking about cyberattacks against infrastructure for a long time," he said. "It's not a new concept." Yet, he said, "I did not like to see that two month gap between announcement of it occurring and a DHS response."

What's more, said Lee, the event was of such a significant scale that " we should have a response," he said. "It’s hard to have a national discussion around threat information sharing ... and then not share things."

But Fanning said that, regardless of the public report, the energy sector had much of the information it needed quickly after the Ukraine attack was first reported. "When Ukraine happened ... we let everyone know what was going on," he said. "We weren't going to be public until we knew everything," he said. "We weren't waiting two months before we took action."

3. There's a narrative problem when talking about grid security

On one hand, many industry executives and government agencies say the US grid is safe, but at the same time US intelligence officials such as Adm. Michael Rogers, head of the National Security Agency, have warned of forthcoming attacks on US utilities.

"There's a national message mix up that's causing confusion for energy companies," said Lee. 

One of the problems may be a lack of understanding when it comes to defining when cyberattacks amount to malicious actions and acts of war, said Representative Hurd of Texas. "What is a digital act of war and what is our countermeasure?" he asked.

"If North Korea launched a missile into San Francisco, we all know how we’d respond.... But is stealing 23 million records from the Office of Personnel Management an act of war?"

Figuring out those issues and determining how the US should respond, he said, is where the conversations need to be happening. 

4. Humans are the biggest cyberthreats – and keys to solving the problem

Like many industries, the energy sector is dealing with a growing rate of cyberattacks and software viruses, but Lee stressed that it's not the malware that's the real danger. It's the human on the other side of the keyboard, he said.

“Software is not the problem. It’s the people," said Lee, but more regulations and security software products aren't the answer to keeping malicious hackers out of utility control systems.

"The only thing that's consistently going to be a win for us is making smart people," he said. "We have to get trained and empowered defenders to counter human threats."

5. So what about these squirrels?

Security researcher and Passcode columnist Space Rogue has pointed out that even with all the talk of cyberattacks on the grid, animals such as squirrels have caused far more damage to the power supply than any hacker. 

As for Fanning, he laughed off the notion of the squirrel threat: "It's no big deal."

This squirrel disagrees: