Earlier this year, the U.S. government issued a report pointing the finger directly at the Russian government for attacks on the energy infrastructure. It’s the first time the United States has publicly blamed Russia’s government.
As reaffirmation, the United States released a joint report from the FBI and Department of Homeland Security (DHS) that described a Russian hacking campaign designed to infiltrate power plants, nuclear generators and water facilities. According to the report, hackers infiltrated computers and gathered private data, including passwords, logins and information about energy production. It indicated that this type of intrusion could pave the way for future attacks designed for more than economic espionage—e.g., wreaking physical harm on critical infrastructure operations.
In 2016, the Office of the Director of National Intelligence released the National Counterintelligence Strategy of the United States 2016 to address “the diverse threats and challenges which include not only foreign intelligence services and their surrogates but also terrorists, cyber intruders, malicious insiders, transnational criminal organizations and international industrial competitors with known or suspected ties to these entities.”
The National Counterintelligence Strategy of the United States of America 2016 was developed in accordance with the Counterintelligence Enhancement Act of 2002. The strategy sets forth how the U.S. government will identify, detect, exploit, disrupt and neutralize foreign intelligence entity threats.
According to the National Counterintelligence and Security Center (NCSC), foreign intelligence entities, which may include foreign governments, corporations, and their proxies, are actively targeting information, assets and technologies vital to both U.S. national security and global competitiveness.
New day, escalating risk
The potential for cyberattack on the nation’s critical infrastructure elements is not an emergent phenomenon. However, the growing concern and knowledge of the role of foreign entities is new.
“The proliferation of interconnected devices, systems and networks, when combined with increased KSAs [knowledge, skills and abilities] of hackers—both on a global scale—have most definitely expanded the attack surface,” according to John Slattery, Fairfax County, Va., an emeritus faculty member with the Security Executive Council (SEC), Atlanta. Slattery, formerly an FBI Deputy Assistant Director for Counterintelligence, consults with many sectors in private industry on intelligence, threat mitigation and national security-related issues.
“Supply chain dependencies, which are difficult to control and not limited by domestic borders, add additional risk factors and complications when it comes to securing the providers of our electricity, petroleum products, telecommunications infrastructure and water,” Slattery said.
Slattery said technology development has expanded the landscape for potential vulnerabilities.
“Within the past two decades, analog ICS [industrial control systems], ACS [access control systems] and SCADA [supervisory control and data acquisition] control systems architecture have been all but replaced with digital components,” he said. “With this improved speed and agility also come vulnerabilities, because security features have been largely an afterthought. Because the security discipline is still evolving in terms of the ‘cross-pollination’ of information [technology] expertise with physical security expertise, professionals with a firm grasp on the digital underpinnings of ICS, ACS and SCADA systems are in demand. So, despite increased awareness of the gaps and vulnerabilities, security entities in many critical infrastructure organizations, energy sector included, are still struggling to keep pace with the evolving threat landscape.”
Several high-profile energy sector penetrations (actual and attempted hacks) over the past few years have yielded varied findings and consequences for the victim entities.
- In December of 2016, a Vermont electric utility was reported to have been penetrated by Russian hackers, and a portion of the U.S. electrical grid was said to have been compromised as a result. According to media reports, the utility, acting on a U.S. government alert about Russian-directed network activity, scanned its business network and identified an email that contained a compromised IP address from the government’s indicator list. The tainted computer was, in fact, not connected to the grid control systems; nonetheless, it was pulled off the utility’s network and isolated. The utility reported the incident immediately to the government, which initially misinterpreted the report as a compromise of the grid. That error was compounded when the incident, not fully vetted, appeared shortly afterward in a nationally recognized newspaper. The utility spent several uncomfortable days setting the record straight but, in the end, remained steadfast in its commitment to share incident information whenever necessary to preserve the integrity of the organization and the power grid itself.
- In 2015, a group of Iranian "hacktivists" known as SOBH Cyber Jihad claimed responsibility for the 2013 hacking into the access control system of a New York dam. There was no clear evidence the hackers were able to actually activate any of the physical controls for the Bowman Avenue Dam, which is located in Rye Brook, N.Y., on the outskirts of Manhattan. Likewise, direct attribution to Tehran for the attack has never been publicly confirmed or refuted.
- In 2015, it came to light that an organized and globally directed hacking campaign known under the monikers Energetic Bear (EB), Dragonfly or Crouching Yeti had set its sights directly on the energy sector, including dozens of companies in the United States. According to cybersecurity analyses by Symantec, EB attacks against control systems "could have caused damage or disruption to energy supplies in affected countries," and targets included "energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial control system equipment manufacturers."
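The Vermont incident above turned on two steps: matching an alert’s indicator list against business-network records, and then knowing whether the matching host could touch grid controls at all. The following is an added example (not code from the article or from the utility) that does both on constructed mail-gateway log lines; the indicator list, the asset inventory, the `ASSET_ZONES` zone names and the `grid_impact` field are all assumptions made up for the illustration, and the IP ranges are RFC 5737 documentation addresses.

```python
"""Match alert indicators against mail-gateway log lines and enrich each hit
with asset context, so a hit on a business workstation is reported as such
rather than as a grid compromise. All data below is constructed."""
import ipaddress
import re

# Constructed indicator list standing in for the government alert (TEST-NET ranges).
ALERT_INDICATORS = {"198.51.100.23", "203.0.113.0/24"}

# Constructed asset inventory: host -> network zone (assumed zone names).
ASSET_ZONES = {"ws-finance-07": "business", "hmi-substation-2": "ot-control"}

# Constructed mail-gateway log: timestamp host sender client-ip
MAIL_LOG = """\
2016-12-29T10:01:12Z ws-finance-07 invoice@example.net 198.51.100.23
2016-12-29T10:04:55Z ws-finance-07 news@example.org 192.0.2.44
2016-12-29T10:09:30Z hmi-substation-2 alerts@example.com 203.0.113.77
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def _compile(indicators):
    """Turn indicator strings into network objects (a single IP becomes a /32)."""
    return [ipaddress.ip_network(i, strict=False) for i in indicators]


def find_hits(log_text, indicators=ALERT_INDICATORS, zones=ASSET_ZONES):
    """Return one dict per log line whose client IP falls inside an indicator."""
    nets = _compile(indicators)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        ts, host, sender, ip = m.groups()
        addr = ipaddress.ip_address(ip)
        matched = next((str(n) for n in nets if addr in n), None)
        if matched is None:
            continue
        zone = zones.get(host, "unknown")
        hits.append({"time": ts, "host": host, "sender": sender,
                     "indicator": matched, "zone": zone,
                     # Only a host in the control zone warrants a "grid" escalation.
                     "grid_impact": zone == "ot-control"})
    return hits


if __name__ == "__main__":
    for hit in find_hits(MAIL_LOG):
        print(hit)
```

A hit with `grid_impact` false is still an incident to report and contain, as the utility did, but it should be described to the government as a business-network hit, not a grid compromise.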
“I think it’s fair to say that all countries with mature, dedicated and/or determined intelligence collection capabilities also maintain some sort of offensive cyber capacity,” Slattery said. “The 2018 unclassified Worldwide Threat Assessment, published by the Director of National Intelligence, lists four state actors as the key cyberthreats; Russia and China are at the top of that list (North Korea and Iran are the other two). Accordingly, we should also assume that certain elements of that infrastructure—fuel supplies, fresh water sources and the electric power grid, for example—would be prime targets for compromise and/or neutralization in a conflict. Russia especially, with China, North Korea and Iran not far behind, are all likely to continue probing U.S. critical infrastructure networks for vulnerabilities and testing offensive cyber tools in the event they are needed in support of conflict or to further strategic objectives.”
Attributing the attacks to particular entities is important during mitigation and after-action activities, but it is not the end-all.
“What is more important, regardless if the person behind the keyboard is a trained intelligence operative or a street-level criminal, critical infrastructure organizations would be well-served by employing the most robust information assurance protections they can afford,” Slattery said.