At a Passcode event Thursday, Deputy Secretary of the Department of Energy Elizabeth Sherwood-Randall said the unprecedented cyberattack in Ukraine provides valuable lessons for the US power industry.
Four months after malicious hackers infiltrated a Ukraine utility and cut power to some 230,000 people, the US government says it’s continuing to learn valuable lessons from the unprecedented cyberattack.
“What happened in Ukraine is an opportunity for us to learn about the kinds of threats that we may face, and to innovate in the face of those threats,” said Elizabeth Sherwood-Randall, deputy secretary of the Department of Energy, at a Passcode event Thursday to examine the growing cyberthreat to the electric grid. “Because of the evolving threat environment, we know we need to invest in a safer grid.”
The December attack in Ukraine’s Ivano-Frankivsk region was certainly a wake-up call for the US power sector. Security experts have long warned that hackers could one day compromise control systems inside utilities and cause power outages. Those concerns were realized in the Ukraine incident, the first confirmed cyberattack to cause a power outage at a utility, and have since led to officials, experts, and lawmakers to call on the industry to do more to safeguard US utilities.
At Passcode’s “Guarding the Grid” event (watch the full event here), Tom Fanning, chief executive officer of the utility giant Southern Company, Rep. Will Hurd (R) of Texas, and Robert M. Lee, chief executive officer of the cybersecurity firm Dragos Security, joined Sherwood-Randall to discuss what the US energy sector is doing as a result of the Ukraine attack, and whether it’s enough to counter the emerging threats.
Here are some key takeaways:
1. The US has long been working to combat BlackEnergy malware
US officials and utility executives have known about the threat from BlackEnergy malware, which Mr. Fanning called “one of the major enablers behind the Ukraine attack,” for at least two years. In fact, in 2014, Homeland Security reported that it had uncovered a “sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments” that relied on BlackEnergy.
“BlackEnergy has been around for a long time,” said Fanning. “BlackEnergy was not designed to attack energy. It was originally focused on things like the finance industry,” he said. But, he said, “it has a lot of functionality” – comparing it to something akin to a digital “Swiss Army Knife” in the hackers’ toolbox. In the case of Ukraine, he said, it probably “allowed people to get in.”
But while the Ukraine attack, and the depth of the hackers’ penetration into the systems there is unprecedented, Fanning noted that it affected power distribution and not transmission. “An attack on the distribution level would not have the same widespread impact as a successful attack on transmission,” he said. “It is by its nature going to be more local and, by it’s nature, it is more controllable.”
2. Information sharing is critical – but is it happening fast enough?
In the weeks after the Ukraine grid hack, as many experts and officials were just beginning to realize the scope of the attack, government agencies such as DHS and DOE remained fairly quiet. The attack occurred on Dec. 23, but it wasn’t until Feb. 25 that DHS issued its report publicly confirming the attack and providing more details.
At Thursday’s event, Sherwood-Randall said, “We provided the facts as we understood them. That’s our responsibility, to put out information about threats as we know them.”
But security researchers such as Mr. Lee, who traveled to Ukraine after the incident to help investigate the attack, said the government should have moved faster when it came to getting out the necessary information to the public.
“We’ve been talking about cyberattacks against infrastructure for a long time,” he said. “It’s not a new concept.” Yet, he said, “I did not like to see that two month gap between announcement of it occurring and a DHS response.”
What’s more, said Lee, the event was of such a significant scale that ” we should have a response,” he said. “It’s hard to have a national discussion around threat information sharing … and then not share things.”
But Fanning said that, regardless of the public report, the energy sector had much of the information it needed quickly after the Ukraine attack was first reported. “When Ukraine happened … we let everyone know what was going on,” he said. “We weren’t going to be public until we knew everything,” he said. “We weren’t waiting two months before we took action.”
Read full article at Christian Science Monitor