Could Russian hackers turn off the lights?
- By Mark Rockwell
The Department of Homeland Security said victims of a long-running Russia-backed hacking campaign against U.S. critical infrastructure providers number in the hundreds, but there are no immediate concerns about electrical blackouts resulting from the hacks.
Jonathan Homer, chief of industrial control system analysis at DHS, said during an industry briefing that Russian hackers had claimed hundreds of victims in a sustained campaign last summer to infiltrate the industrial control systems of U.S. critical infrastructure providers, according to a recent Wall Street Journal report.
Homer said the hackers mined confidential information from ICS support vendors with the possible goal of gaining access to infrastructure equipment, and the incursions could have resulted in equipment being manipulated into disrupting electrical power flows.
"They got to the point where they could have thrown switches," Homer said, according to the article.
In response to the article, a DHS official clarified that the hacks could not have caused power outages.
"While hundreds of energy and non-energy companies were targeted," said DHS spokesperson Lesley Fulop in a statement to FCW, "the incident where they gained access to the industrial control system was a very small generation asset that would not have had any impact on the larger grid if taken offline."
The information was presented during a DHS National Cybersecurity and Communications Integration Center webinar on July 24. The webinar is the first of a series of four announced in mid-July by NCCIC.
NCCIC said it is holding the online panels to provide information on cybersecurity incidents, mitigation techniques and resources to help protect critical assets.
"Over the course of the past year as we continued to investigate the activity, we learned additional information which would be helpful to industry in defending against this threat. We will continue our strong public-private partnership and remain vigilant in defending critical infrastructure," Fulop said.
According to the report, DHS officials said in the briefing the hackers worked for the Russian-backed "Dragonfly" or "Energetic Bear" groups that the agency had singled out years ago in a warning of the targeted cyberattack campaign.
In 2014, the agency sounded the alarm on an "ICS-focused malware campaign" that wielded a multi-pronged assault on critical infrastructure providers. In that warning, DHS' Industrial Control Systems Cyber Emergency Response Team said the campaign infected industrial control systems sold by three vendors.
This past March, the Trump administration imposed sanctions against Russian intelligence agencies and individuals and named Russia as the sponsor of Dragonfly.
One ICS cybersecurity expert was critical of the characterization of the probes as threatening electric grid blackouts.
"The DHS has done a great job amplifying what was previously identified by the private sector and adding their own information. This relates to activity already previously communicated to the electric community but highlighting ongoing risk," said Robert Lee, CEO and co-founder of ICS cybersecurity company Dragos, Inc. in an email statement to FCW.
"However, the messaging in the WSJ article around 'throwing switches' and causing 'blackouts' is misleading on the impact of the targeting that took place," said Lee, who has testified before Congress on ICS cybersecurity.
Lee called the latest reports of nefarious activity "incredibly concerning," but he said "imminent blackouts are not representative of what happened, which was more akin to reconnaissance into sensitive networks."
"It's unfortunately the type that could lead to attacks later and is alarming, but it represents the beginning of the adversary effort not the end," he said.
Lee noted in a Twitter thread that getting access to the system and hijacking infrastructure processes through that access is not easy.
The two require different knowledge and skill sets, he said, with one focused on getting in and the other focused on the intricacies of the infrastructure's processes.