Russian hackers obtained access to the U.S. electric grid last year by penetrating the networks of key vendors that service power companies, homeland security officials said in a Monday briefing. 

Officials said that hackers working for Russia could have caused blackouts in a long-running campaign to get inside U.S. electric utility control rooms, the Wall Street Journal was first to report.

Jonathan Homer, chief of industrial-control-system analysis for the Department of Homeland Security (DHS), said that attackers “got to the point where they could have thrown switches” and disrupted the grid.

The attacks surfaced in the spring of 2016 and continued throughout 2017. Officials believe the campaign is likely still ongoing.

Russian hackers broke into theoretically secure “air-gapped” utility networks by first accessing the networks of trusted utility vendors, which have special access to update software, run diagnostics and perform other services. DHS claims there were "hundreds of victims."

Some vendors still may not be aware that their systems have been compromised, because the credentials of actual employees were used to infiltrate utility networks. Hackers used conventional tools, such as email phishing, to obtain employee passwords and access supplier networks.

Armed with that information, breaching utility networks — and accessing confidential information such as the configuration of the utility network, the types of equipment being used and how facilities operate — is said to have been relatively easy.

DHS said the Russian hackers worked for a state-sponsored group previously identified as Dragonfly or Energetic Bear.

Cybersecurity experts say current defenses are not enough

Sean Newman, director of product management at Corero Network Security, who works closely with U.S. and European utilities and other critical infrastructure providers, said the latest news should alert organizations to the fact that they may still be at risk of attack, however strong their own security practices are.

“This is a stark reminder that organizations of all types and sizes should assess all aspects of their IT security, including those of their contractors and supply chain,” he said, in an emailed statement.  

Ray DeMeo, co-founder and COO of Virsec, which has partnered with Raytheon to deliver cybersecurity products for critical infrastructure, including the grid, said that vendors need to do more to bridge a wide gap between information technology and operational technology (i.e., SCADA). He added that creating an “air gap,” a security measure employed to physically isolate one or more computers from unsecured networks, such as the public internet, provides insufficient protection for utilities. 

“We are far too dependent on air-gapping as our primary defense, despite the fact that systems are increasingly connected,” said DeMeo, in an email. “We also need to change our defense strategy, away from conventional perimeter defense. These latest attacks have easily bypassed the perimeter — we need to focus on detecting and stopping attacks in progress."

When asked about the severity of the threat utilities face from foreign hackers, he said that outcomes may vary depending on the motivation, but that recent attacks around the world have been significant. They include ransoming critical data, service disruptions, or serious damage to control systems and physical equipment. 

He referenced the multiple attacks on Ukraine’s power grid, a recent cyberattack on a petrochemical company with a plant in Saudi Arabia, and an attack on a water treatment plant in the Middle East.

"The threat of disruption to our critical infrastructure is very real,” DeMeo said.

Others took issue with the WSJ article and its framing of the latest DHS report.

Robert Lee, CEO of cybersecurity firm Dragos, told UtilityDive that the messaging around “throwing switches” and causing outages is misleading. "What was observed is incredibly concerning, but images of imminent blackouts are not representative of what happened, which was more akin to reconnaissance into sensitive networks,” he said.

Government action

U.S. electric utilities are very aware of the cyberthreats they face. Utility vendors are aware, too. And this isn’t anything new for the U.S. government. But whether or not they’re prepared to handle an attack is an open question.

The Trump administration accused Russia in March of waging an ongoing operation to spy on the U.S. power grid and other critical infrastructure. In response, the Department of Energy created a new Office of Cybersecurity, Energy Security and Emergency Response. 

Department of Energy Assistant Secretary Bruce Walker told the National Association of Regulatory Utility Commissioners earlier this month that states play a crucial role in cybersecurity, and urged regulators to be responsive to requests for infrastructure investments from utilities in rate cases. 

In May, the DOE released its multi-year plan for energy cybersecurity, which found that the increasing and evolving threats utilities face require much better management. Today, electric utilities and grid operators have been playing whack-a-mole with hackers, scrambling to seal breaches long after they’ve occurred.

The Federal Energy Regulatory Commission and the North American Electric Reliability Corporation have responded by expanding reporting requirements for cyber incidents in a new rule.

DeMeo said more needs to be done.

"The government is raising awareness, but responses need to be more aggressive and coordinated,” he said. There needs to be a shift “from chasing endless elusive external threats, to directly protecting systems from attack in real time."