Are Russian hackers going to turn off the lights?
Although Russian-backed groups have hacked hundreds of infrastructure providers, possible power grid outages stemming from those hacks aren't expected in the near future.
The victims of an ongoing, long-running Russian-backed hacking campaign against infrastructure providers, including electric companies, number in the "hundreds," but immediate electrical blackouts resulting from the hacks to the grid are not in the cards, at least not in the short term, according to DHS officials.
The Wall Street Journal reported July 23 that Jonathan Homer, chief of industrial control system analysis at the Department of Homeland Security, said in an industry briefing that Russian hackers had claimed "hundreds of victims" in a sustained campaign last summer aimed at infiltrating industrial control systems of U.S. critical infrastructure providers.
The incursions, Homer claimed, could have resulted in ICS equipment being manipulated into disrupting electrical power flows. The hackers mined confidential information from ICS support vendors to possibly leverage it to gain access to infrastructure equipment, he said.
"They got to the point where they could have thrown switches," Homer said, according to the article.
Following the report, a DHS official clarified to FCW that the incursions did not put power outages on the table.
"While hundreds of energy and non-energy companies were targeted," said DHS spokesperson Lesley Fulop in a statement to FCW, "the incident where they gained access to the industrial control system was a very small generation asset that would not have had any impact on the larger grid if taken offline."
The information was presented during a DHS National Cybersecurity and Communications Integration Center webinar on July 24. The webinar is the first of a series of four announced in mid-July by NCCIC.
NCCIC said it is holding the online panels to provide information on cybersecurity incidents, mitigation techniques and resources to help protect critical assets.
"Over the course of the past year as we continued to investigate the activity, we learned additional information which would be helpful to industry in defending against this threat. We will continue our strong public-private partnership and remain vigilant in defending critical infrastructure," Fulop said.
According to the report, DHS officials said in the briefing the hackers worked for the Russian-backed "Dragonfly" or "Energetic Bear" groups that the agency had singled out years ago in a warning of the targeted cyberattack campaign.
In 2014, the agency sounded the alarm on an "ICS-focused malware campaign" that wielded a multi-pronged assault on critical infrastructure providers. In that warning, DHS' Industrial Control Systems Cyber Emergency Response Team said the campaign infected industrial control systems sold by three vendors.
This past March, the Trump administration imposed sanctions against Russian intelligence agencies and individuals and named Russia as the sponsor of Dragonfly.
One ICS cybersecurity expert was critical of the characterization of the probes as threatening electric grid blackouts.
"The DHS has done a great job amplifying what was previously identified by the private sector and adding their own information. This relates to activity already previously communicated to the electric community but highlighting ongoing risk," said Robert Lee, CEO and co-founder of ICS cybersecurity company Dragos, Inc., in an email statement to FCW.
"However, the messaging in the WSJ article around 'throwing switches' and causing 'blackouts' is misleading on the impact of the targeting that took place," said Lee, who has testified before Congress on ICS cybersecurity.
Lee called the latest reports of nefarious activity "incredibly concerning," but he said "imminent blackouts are not representative of what happened, which was more akin to reconnaissance into sensitive networks."
"It's unfortunately the type that could lead to attacks later and is alarming, but it represents the beginning of the adversary effort not the end," he said.
Lee noted in a Twitter thread that getting access to the system and hijacking infrastructure processes through that access is not easy.
The two require different knowledge and skill sets, he said, with one focused on getting in and the other focused on the intricacies of the infrastructure's processes.