On Friday, just as President Trump was sitting down to talk with Russian President Vladimir Putin about his country’s hacking of U.S. elections systems, news broke that the FBI and Department of Homeland Security identified a Russian attempt to penetrate the computer networks of more than a dozen U.S. power plants.
The only good news so far, according to reports from The Washington Post, The New York Times and Bloomberg, among others, is that it appears the hackers haven’t breached the IT-OT wall: the separation between the plants’ business (IT) networks and their operational (OT) control networks.
“There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks,” the DHS and FBI said in a joint statement Friday. The Wolf Creek Nuclear Operating Station, one of the plants identified as having its networks hacked, likewise reported that its safety and control systems are not connected to business networks or to the broader internet.
Even so, the agencies said they were looking into multiple motivations for the attack, ranging from cyberespionage to efforts to achieve entry into the plants’ operational networks. The power plants involved were first warned of the risk in May, and are sharing updates via a secure portal through the North American Electric Reliability Corp., which confirmed there had been “no bulk power system impact in North America” due to the breaches.
Still, the news represents another drumbeat in what cybersecurity experts warn may be a larger and deeper threat to U.S. energy infrastructure. As we reported back in January, after a similar report of Russian intrusion that turned out to be a red herring, government agencies and the "white hat" hackers on the U.S. side have been reporting Russian-linked intrusions into power plants, grid control centers, and other industrial sites for years now.
While none of these efforts were shown to have reached beyond the internet-connected business systems, their presence alone is cause for concern. One of the goals of hacking into a company’s business network -- or that of an equipment or software vendor -- is to obtain passwords, user credentials and other key data, and then use that information to infiltrate power plant industrial control systems and automated grid devices such as breakers, serial-to-Ethernet data converters and uninterruptible power systems.
Sustained access to IT networks thus “provides the opportunity for attackers to initiate follow-on actions later if they align with national security or military goals and/or criminal objectives,” according to a report from the SANS Institute, a cybersecurity training organization. In fact, that’s how Russian hackers achieved the shutdowns of Ukrainian grid substations in December 2015 -- the first-ever confirmed cyberattack against grid infrastructure -- and a similar attack late last year.
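The two paragraphs above describe why a foothold on the business network matters: it is only dangerous if something lets traffic or credentials cross from the IT zone into the control zone. The script below is an added illustration, not code from the article or from any of the utilities it names, of how a defender can audit a zone-based firewall policy for exactly that gap. The zone names (business, dmz, control, safety), the rule format and the sample rule sets are constructed for this example; it models first-match evaluation with a default deny, and probes a handful of representative ports so that a broad "allow any" rule placed ahead of a deny, or an IT-to-anywhere remote-desktop rule, is caught.

```python
"""Audit a simple zone-based firewall policy for IT/OT segmentation gaps.

Constructed example: zone names, rule format and sample rule sets are
made up for illustration and do not describe any real plant's policy.
"""
from dataclasses import dataclass

IT_ZONES = ("business",)            # enterprise / administrative networks
OT_ZONES = ("control", "safety")    # plant control and safety networks
# Ports to probe for each zone pair; "any" stands in for "some other port".
PROBE_PORTS = ("tcp/502", "tcp/3389", "tcp/445", "any")


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # zone name or "any"
    dst: str      # zone name or "any"
    port: str     # "proto/port" or "any"
    action: str   # "allow" or "deny"

    def matches(self, src, dst, port):
        return (self.src in ("any", src)
                and self.dst in ("any", dst)
                and self.port in ("any", port))


def evaluate(rules, src, dst, port, default="deny"):
    """First-match evaluation: the first rule that matches decides."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action, rule.name
    return default, "<implicit default>"


def find_it_ot_gaps(rules):
    """Return every (src, dst, port, rule) flow that crosses IT<->OT directly.

    Anything allowed between an IT zone and an OT zone without passing
    through the DMZ is reported, in either direction.
    """
    gaps = []
    for it in IT_ZONES:
        for ot in OT_ZONES:
            for src, dst in ((it, ot), (ot, it)):
                for port in PROBE_PORTS:
                    action, name = evaluate(rules, src, dst, port)
                    if action == "allow":
                        gaps.append((src, dst, port, name))
    return gaps


# Weak policy: a catch-all allow at the end, plus RDP from IT to anywhere.
WEAK_RULES = [
    Rule("historian-export", "control", "dmz", "tcp/5432", "allow"),
    Rule("it-rdp-anywhere", "business", "any", "tcp/3389", "allow"),
    Rule("catch-all", "any", "any", "any", "allow"),
]

# Hardened policy: only DMZ-brokered flows are allowed; everything else is denied.
HARDENED_RULES = [
    Rule("historian-export", "control", "dmz", "tcp/5432", "allow"),
    Rule("dmz-reports", "dmz", "business", "tcp/443", "allow"),
    Rule("deny-it-ot", "business", "control", "any", "deny"),
    Rule("catch-all-deny", "any", "any", "any", "deny"),
]


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        gaps = find_it_ot_gaps(rules)
        print(f"{label}: {len(gaps)} direct IT<->OT flow(s) allowed")
        for src, dst, port, name in gaps:
            print(f"  {src} -> {dst} {port} via rule '{name}'")
```

The weak policy reports sixteen allowed flows, all traceable to the two over-broad rules; the hardened policy reports none, because every cross-zone flow terminates in the DMZ and the default is deny. Because evaluation is first-match, the same "allow any" rule is harmless when it sits behind an explicit deny and a gap when it sits in front of it, which is the ordering mistake this kind of check is meant to surface.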
The joint FBI-DHS report said the hackers showed signs of mapping out computer networks for future attacks. But the agencies said they haven’t yet analyzed the “payload” of their code to learn what its purpose might have been.
After his meeting with Putin, President Trump’s response to the Russian hacking threat was to tweet that the two discussed “forming an impenetrable Cyber Security unit so that election hacking, & many other negative things, will be guarded” -- a suggestion he took back in another tweet the next evening.
U.S. Sen. Maria Cantwell (D-Wash.), the ranking Democrat on the Senate Energy and Natural Resource Committee, said in a Monday statement that “[t]he disturbing reports of the past 24 hours indicate that our adversaries are trying to take advantage of the very real vulnerabilities of our energy infrastructure’s cyber defenses.”
She called on Trump to perform a cybervulnerability assessment requested by 19 Senators earlier this year, and abandon the Department of Energy proposal to cut the budget of its Office of Electricity Delivery and Energy Reliability, which manages grid-related cybersecurity, by more than 40 percent.