26 December 2015

U.S. Power Grid Has Been Attacked At Least 12 Times By Foreign Hackers — Stole Plans So Detailed, They Could Knock Out Electricity To Millions Of American Homes

December 22, 2015
www.fortunascorner.com

The Associated Press (AP) reported on December 21, 2015, that “foreign hackers have broken into networks running the U.S. power grid; and, have stolen passwords and engineering drawings for a number of U.S. power plants.” The publication notes that [cyber security] “researcher Brian Wallace was on the trail of hackers who had snatched a California university’s housing files, when he stumbled on [into] a larger nightmare. Cyber hackers had opened a pathway into the networks running the U.S. power grid. Digital clues [Persian writing] pointed to Iranian hackers.” It should be noted, though, that a clever adversary could also disguise its true origin through denial and deception, using a language or leaving clues that lead investigators to blame the wrong culprit. That said, the AP notes, “Wallace found they [the Iranian hackers] had already taken passwords, as well as engineering drawings of dozens of power plants, at least one with the title ‘Mission Critical.’ The drawings were so detailed, experts told the AP, that skilled hackers could have used them, along with other tools and malicious code, to knock out electricity to millions of [American] homes.” One of the power companies successfully hacked was Calpine, a power producer with 82 plants operating in 18 states and Canada.

According to the AP investigation, hackers got:

— User names and passwords that could be used to connect remotely to Calpine’s network, which were being maintained by a data security company. Even if some of the information was outdated, skilled hackers could have found a way to update the passwords, and slip past firewalls to get into the [critical] operations network. Eventually, [cyber] intruders could [remotely] shut down generating stations, foul communications networks; and, possibly cause a blackout near the plants;

— Detailed engineering drawings of networks and power stations from New York to California — 71 in all — showing the precise location of devices that communicate with gas turbines, boilers, and other crucial equipment attackers would need to hack specific plants;

— Additional diagrams showing how those local plants transmit information back to the company’s virtual cloud, knowledge attackers could use to mask their activity.


Unfortunately, as the AP found out, this kind of breach is not unique. In the past decade, foreign hackers have gained remote access to critical U.S. infrastructure at least a dozen times, and those are the ones we know about. How many times has our critical infrastructure been breached or surveilled without us catching them in the act? And, I suspect there are also classified penetrations that would move this number even higher — maybe a lot higher. Moreover, there could be stealth stay-behinds and back-door traps that would allow these hackers to wait and use this information for a cyber strike at a time of their choosing. “If the geopolitical situation changes, and Iran wants to target these facilities, if they have this kind of information — it will make it [such an attack] a lot easier,” said Robert M. Lee, a former USAF cyber warfare operations officer. “It will also help them to stay quiet, and stealthy inside.”


“In 2012, and 2013, in well-publicized [cyber] attacks, Russian hackers successfully sent and received encrypted commands to U.S. public utilities, and power generators: some private firms concluded this was an effort to position interlopers to act in the event of a political crisis,” the AP reported. “And, the Department of Homeland Security (DHS) announced about a year ago that a separate hacking campaign, believed by some private firms to have Russian origins, had injected software — with malware — that allowed the attackers to spy [clandestinely] on U.S. energy companies.”


“You want to be stealth,” said Lillian Ablon, a cyber security expert at the RAND Corporation. “That’s the ultimate power; because when you need to do something — you are already in place.”


As the AP notes, “hundreds of contractors sell software and equipment to energy companies, and attackers have successfully used those outside companies as a way to get inside networks tied to the [critical infrastructure] grid.”


“No one claims that it would be easy to take down the U.S. power grid,” the AP notes [I do not agree; my belief is that a clever/sophisticated adversary has a lot more critical operational data than we believe; and, they won’t just use cyber to bring down the grid]. “To circumvent companies’ security, adversaries must understand the networks well enough to write code that can communicate with tiny computers that control generators and other major equipment. Even then,” the AP writes, “it’s difficult to cause a widespread blackout because the grid is designed to keep electricity flowing when equipment or lines go down, an almost daily occurrence that customers never see.” Would that statement still be true if the adversary cut the underwater Internet cables and/or hacked our satellites?


As I have written many times, there are just too many vulnerabilities, and too many ways to initiate a devastating cyber attack against the U.S. in particular, because we are so network dependent — from our economy to our national defense. A determined, clever adversary with the time, patience, and resources to do so can do a lot of significant damage in this area. And, I suspect the number of successful cyber breaches of our critical national infrastructure is probably a lot higher than these twelve incidents.

This is a complex domain, with lots of moving parts and an enormous panoply of vulnerabilities to choose from in order to successfully breach our critical national infrastructure. We have to have a strong cyber deterrence strategy, and the will to make it too painful for the adversary to conduct such an action. But, when the adversary is not a nation-state, and is instead something akin to the Islamic State or al Qaeda, the only good Islamic extremist/militant is a dead Islamic militant or extremist.
