U.S. power grid vulnerable to cyberattacks

By Grance Burke and Jonathan Fahey
Posted on January 05, 2016

Brian Wallace, a security researcher at the cybersecurity firm Cylance, was on the trail of hackers who had snatched a California university’s housing files when he stumbled into a larger nightmare: Cyberattackers had opened a pathway into the networks running the United States’ power grid. The attack involved Calpine Corp. — a power producer with 82 plants operating in 18 states and Canada.

Digital clues pointed to Iranian hackers. And Wallace found that they had already taken passwords, as well as engineering drawings of dozens of power plants, at least one with the title “Mission Critical.” The drawings were so detailed that experts say skilled attackers could have used them, along with other tools and malicious code, to knock out electricity flowing to millions of homes.

Wallace was astonished. But this breach, the Associated Press has found, was not unique. The AP conducted more than 120 interviews looking at the vulnerability of the energy grid as part of a yearlong examination of the state of the nation’s infrastructure.

Cyberattacks designed to steal information are steadily growing in scope and frequency; there have been high-profile hacks of Target, eBay and federal targets such as the U.S. Office of Personnel Management.

But assaults on the power grid and other critical infrastructure aim to go a step further. Trained, well-funded adversaries can gain control of physical assets — power plants, substations and transmission equipment. With extensive control, they could knock out the electricity vital to daily life and the economy, and endanger the flow of power to mass transportation, military installations and home refrigerators.

According to a previously reported study by the Federal Energy Regulatory Commission, a coordinated attack on just nine critical power stations could cause a coast-to-coast blackout that could last months, far longer than the one that plunged the Northeast into darkness in 2003.

Foreign governments involved

About a dozen times in the last decade, sophisticated foreign hackers have gained enough remote access to control the operations networks that keep the lights on, according to top experts who spoke only on condition of anonymity due to the sensitive nature of the subject matter.

The public almost never learns the details about these types of attacks. They’re rarer, but also potentially more dangerous than data theft. Information about the government’s response to these hacks is often protected and sometimes classified; many are never even reported to the government.

These intrusions have not caused the kind of cascading blackouts that are feared by the intelligence community. But so many attackers have stowed away in the largely investor-owned systems that run the U.S. electric grid that experts say they likely have the capability to strike at will.

In 2012 and 2013, in well-publicized attacks, Russian hackers successfully sent and received encrypted commands to U.S. public utilities and power generators. Some private firms concluded this was an effort to position interlopers to act in the event of a political crisis.

And the Department of Homeland Security announced about a year ago that a separate hacking campaign — believed by some private firms to have Russian origins — had injected software with malware that allowed the attackers to spy on U.S. energy companies.

Private firms have alleged other recent hacks of networks and machinery tied to the U.S. power grid were carried out by teams from within Russia and China, some with governmental support.

Even the Islamic State group is trying to hack American power companies, a top Homeland Security official told industry executives last October.

An outdated, vulnerable system

Many of the substations and equipment that move power across the U.S. are decrepit and were never built with network security in mind. Hooking them up to the Internet over the last decade has given hackers new backdoors in.

Plus, hundreds of contractors sell software and equipment to energy companies, and attackers have successfully used those outside companies as a way to get inside networks tied to the grid.

The rush to tie smart meters, home programmable thermostats and other smart appliances to the grid also is causing fresh vulnerabilities. About 45 percent of homes in the U.S. are hooked up to a smart meter, which measures electricity usage and shares information with the grid. Their security is flimsy. Some can be hacked by plugging in an adapter that costs $30 on eBay, researchers say.

The attack involving Calpine is particularly disturbing because the cyberspies grabbed so much, according to previously unreported documents and interviews.

Cybersecurity experts say the breach began at least as far back as August 2013, and could still be going on today.

Calpine spokesman Brett Kerr said the company’s information was stolen from a contractor that does business with Calpine. He said the stolen diagrams and passwords were old — some diagrams dated to 2002 — and presented no threat, though some outside experts disagree.

Kerr would not say whether the configuration of the power plants’ operations networks — also valuable information — remained the same as when the intrusion occurred, or whether it was possible the attackers still had a foothold.

According to the AP investigation, the hackers got:

— User names and passwords that could be used to connect remotely to Calpine’s networks. Even if some of the information was outdated, experts say skilled hackers could have found a way to update the passwords and slip past firewalls to get into the operations network. Eventually, they say, the intruders could have shut down generating stations, fouled communications networks, and possibly caused a blackout near the plants.

— Detailed engineering drawings of networks and power stations from New York to California — 71 in all — showing the precise location of devices that communicate with gas turbines, boilers and other crucial equipment attackers would need to hack specific plants.

— Additional diagrams showing how those local plants transmit information back to the company’s virtual cloud — knowledge attackers could use to mask their activity.

Calpine didn’t know its information had been compromised until it was informed by Cylance, Kerr said.

Cylance notified the FBI, which warned the U.S. energy sector in an unclassified bulletin last December that a group using Iran-based IP addresses had targeted the industry.

Homeland Security spokesman SY Lee said that his agency is coordinating efforts to strengthen grid cybersecurity nationwide and to raise awareness about evolving threats to the electric sector through industry trainings and risk assessments. As Deputy Secretary Alejandro Mayorkas acknowledged in an interview, however, “we are not where we need to be” on cybersecurity.

That’s partly because the grid is largely privately owned and has entire sections that fall outside federal regulation, which experts argue leaves the sector poorly defended against a growing universe of hackers seeking to access its networks.

No one claims that it would be easy to bring down the grid. To circumvent companies’ security, adversaries must understand the networks well enough to write code that can communicate with tiny computers that control generators and other major equipment. Even then, it’s difficult to cause a widespread blackout because the grid is designed to keep electricity flowing when equipment or lines go down — an almost daily occurrence that customers never see.

Because it would take such expertise to plunge a city or region into darkness, some say threats to the grid are overstated — in particular, by those who get paid to help companies protect their networks. Still, even those who said the risks of cyber threats can be exaggerated agree it is possible for cyberattackers to cause a large-scale blackout.

Authorities say they take the threat seriously. Homeland Security said it had helped more than 100 energy and chemical companies improve their cyber defenses, and held both classified and unclassified briefings in June 2013 and late 2014 on threats to companies associated with power grid operations.

Still, even the utility companies’ own experts, who maintain it would be extraordinarily difficult for a hacker to knock out power to customers, admit there is always a way in.

“If the motivation is high enough on the attacker side, and they have funding to accomplish their mission, they will find a way,” said Sean Parcel, lead cyberinvestigator for American Electric Power. — AP