This year, we’ve been inundated with hackers in every aspect of our lives, leaving many to wonder just how vulnerable our energy grid is here in the United States.
Hackers likely linked to the North Korean government targeted a U.S. electricity company late last month, according to a security firm that says it detected and stopped the attacks.
John Hultquist, director of intelligence analysis for FireEye, said Wednesday that phishing emails were sent on Sept. 22 to executives at the energy company, which he declined to identify. The attacks didn’t threaten critical infrastructure.
It’s the latest evidence of cyberespionage from various government-backed hackers targeting U.S. energy utilities, though experts say such attacks are often more about creating a psychological effect.
COULD IT HAPPEN HERE?
Concerns about hackers causing blackouts have grown since cyberattacks in Ukraine temporarily crippled its power grid in 2015 and 2016.
But a “zombie apocalypse” scenario is unlikely in the United States, said Joe Slowik of Fulton, Maryland-based security firm Dragos, which has researched the attacks on the Ukrainian grid.
“As a realistic scenario, it’s very faint,” he said. But, Slowik said, “somebody who is motivated and lucky enough” could cause significant harm.
It’s easier to hack into emails and a front-end computer system than tap into industrial controls. That’s why, in theory, most energy companies isolate their regular workplace networks from high-security control rooms.
The nuclear power industry, for good reason, is considered to be the best at such security practices. But some smaller and locally focused electricity providers fall short in creating an impenetrable wall around industrial controls, often referred to as an air gap.
“There’s always some sort of a bridge, whether it’s a human being in their sneakers, or a wireless connection,” said Michael Daly, the chief technology officer for cybersecurity and missions at defense contractor Raytheon, based in Waltham, Massachusetts. “There’s no such thing as a totally air-gapped system.”
One thing protecting the U.S. electricity grid from a large-scale outage is that it’s segmented by region. Another thing is military might: Nation-state actors know that crossing the line from routine, long-term surveillance to a true attack on the grid could merit a powerful response.
Neither of those factors means that the people protecting critical infrastructure are doing enough.
“There are many reasons to target smart grids,” said Daly. “Nation-states can learn a lot by watching power usage.”
Or they could lie in wait, he said, with the aim of one day pulling the trigger and targeting a grid’s customers by slowing down power or cutting it off completely.
The latest attempted intrusion spotted by Milpitas, California-based FireEye was notable for its boldness, said Hultquist: The malefactors didn’t seem worried about being discovered.
That’s a sign that even if foreign governments aren’t yet interested in, or capable of, turning out the lights in New York or Los Angeles, they might at least want to signal that they’re thinking about it. Or they might be laying contingency plans to cause disruption in case of conflict.
While it seems that every country is taking aim at sending our country into a complete blackout, it’s still not so easy to get inside the grid. Below, we’ll show you how hard each of the three main steps is.
Step One: Network Breach
When government agencies or the press warn that hackers have compromised a power utility, in the vast majority of cases those intruders haven’t penetrated the systems that control the flow of actual power, like circuit breakers, generators, and transformers. They’re instead hacking into far more prosaic targets: corporate email accounts, browsers, and web servers.
Those penetrations, which typically start with spearphishing emails, or “watering hole” attacks that infect target users by hijacking a website they commonly visit, don’t necessarily differ from traditional criminal or espionage-focused hacking. Most importantly, they don’t generate the means of causing any physical damage or disruption. In some cases, the hackers may be performing reconnaissance for future attacks, but nonetheless don’t get anywhere near the actual control systems that can tamper with electricity generation or transmission.
Earlier this week, for instance, a leaked report from security firm FireEye raised alarms when it revealed that North Korean hackers had targeted US energy facilities. A follow-up report from security news site Cyberscoop asserted that at least one of those attempts successfully penetrated a US utility. But a subsequent FireEye blog post indicated that its analysts had only found evidence that the hackers had sent a series of spearphishing emails to their intended victims—a fairly routine hacking operation that doesn’t appear to have come close to any sensitive control systems.
“We have not observed suspected North Korean actors using any tool or method specifically designed to compromise or manipulate the industrial control systems (ICS) networks that regulate the supply of power,” FireEye’s statement reads. “Furthermore, we have not uncovered evidence that North Korean-linked actors have access to any such capability at this time.”
North Korea no doubt has ambitions to wield power over US grid systems, and the fact that they’ve taken the first step is significant. But for now those attacks—and any others that stop at the level of IT compromise—should be seen at worst as foreboding, rather than an imminent threat of hacker blackouts.
Step Two: Operational Access
Hackers poking around an energy firm’s IT system should cause some concern. Hackers poking at operational technology systems, or what some security experts call OT, is a far more serious situation. When hackers penetrate OT, or gain so-called operational access, they’ve moved from the computer systems that exist in practically every modern corporation to the far more specialized and customized control systems for power equipment, a major step towards manipulating physical infrastructure.
In one recent hacking campaign, for instance, Symantec revealed that a group of hackers it named DragonFly 2.0—possibly the same Russian group reported earlier in the summer to have broken into a US nuclear facility—had gained operational access to a “handful” of US energy firms. The intruders had gone so far as to screenshot the so-called human-machine interfaces for power systems, likely so that they could study them, and prepare to start flipping actual switches to launch a full-on grid attack.
“Evidence of a phish attempt and probably infection is one step in a ladder,” says Mike Assante, a power-grid security expert and instructor at the SANS Institute, a security-focused training organization. “Scrapes from an HMI is a few rungs up the access scale,” Assante says, contrasting the recent North Korean phishing with the Dragonfly 2.0 attack.
In theory, OT systems are “air-gapped” from IT systems, with no network connections between the two. But with the exception of nuclear power plants, which strictly regulate their operational systems’ disconnection from outside networks, that air-gap is often more permeable than it ought to be, says Galina Antova, a co-founder of the industrial control system security firm Claroty. She says that Claroty has never analyzed an industrial control facility’s setup and not found a “trivial” way in to its OT systems. “Just by mapping the network, we can see the pathway from IT to OT,” she says. “There are ways of getting in.”
But Dragos’ Lee counters that given the small proportion of hackers that actually do manage to cross that gap, it’s hardly a trivial distinction. That’s in part because while IT systems are somewhat standardized, OT systems are more customized and esoteric, making them far less familiar. “They can basically practice and train so that they can completely compromise IT networks,” Lee says. “If they want to get to operations networks, it’s going to be weird equipment and weird setups, and they’re going to have to learn that.”
Step Three: Coordinated Attack
Even when intruders have “hands-on-the-switches” access to grid control systems, Lee says, using that access effectively is far harder than it might seem. In fact, he argues that all actions ahead of flipping that switch are just a preparatory stage that represents only about 20 percent of the hackers’ work.
Beyond the obscurity of whatever equipment setup a utility may have, Lee points out that its physical processes can require real expertise to manipulate, as well as months more effort and resources—not just opening a few circuit breakers to cause a blackout. Even after hackers gain access to those controls, “I can confidently say they’re still not at a stage to turn off the power,” Lee says. “They could turn off some [circuit] breakers, but they’d have no understanding of the effect. They might be stopped by a safety system. They don’t know.”
In the Ukrainian blackout of late 2015, the first-ever confirmed case of hackers causing a power outage, for instance, the intruders manually opened dozens of circuit breakers at three different facilities across the country, using remote access to electric distribution stations’ control systems—in many cases by literally hijacking the mouse controls of the stations’ operators. Analysts who responded to the attack believe it likely required months of planning and a team of dozens working in coordination. Even so, the blackout it caused lasted just six hours, for roughly a quarter-million Ukrainians.
Hackers essentially have to choose between the scope and duration of a blackout, Lee says. “If they wanted to do the full Eastern Interconnect, that’s exponentially more resources,” he says, referring to the grid that covers nearly the full eastern half of the US. “And if they want to take it down for a full week, that’s an exponential of an exponential.”
Some grid hackers do appear to be putting in the work to plan a wider, more disruptive operation. The second Ukrainian blackout attack used a piece of malware known as Crash Override, or Industroyer, capable of automating the process of sending sabotage commands to grid equipment, and built to be adapted to different countries’ setups so that it could be deployed broadly across multiple targets.
That specimen of ultra-advanced grid hacking malware is troubling. But it’s also extraordinarily rare. And there’s a significant gap between a piece of Black Swan malware and the dozens of grid-penetration incidents that often amount to little more than spearphishing. No power grid breach is a good thing. But better to recognize the difference between a dress rehearsal and the main event—especially when there are more of those events on the horizon.