Tag Archives: cyber attack power grid

The Under-Our-Noses Nasty Wars

Christopher Wray warned in February 2023 that Beijing’s efforts to covertly plant offensive malware inside U.S. critical infrastructure networks are now at “a scale greater than we’d seen before,” an issue he has deemed a defining national security threat. Citing Volt Typhoon, the name given to the Chinese hacking network that was revealed in 2023 to be lying dormant inside U.S. critical infrastructure, Wray said Beijing-backed actors were pre-positioning malware that could be triggered at any moment to disrupt U.S. critical infrastructure. Officials have grown particularly alarmed at Beijing’s interest in infiltrating U.S. critical infrastructure networks, planting malware inside U.S. computer systems responsible for everything from safe drinking water to aviation traffic so it could detonate, at a moment’s notice, damaging cyberattacks during a conflict.

The Netherlands’ spy agencies said in February 2024 that Chinese hackers had used malware to gain access to a Dutch military network in 2023. The agencies, considered to have some of Europe’s top cyber capabilities, said they made the rare disclosure to show the scale of the threat and reduce the stigma of being targeted so allied governments can better pool knowledge.

A report released in February 2024 by agencies including the FBI, the Cybersecurity and Infrastructure Security Agency and the National Security Agency said Volt Typhoon hackers had maintained access in some U.S. networks for five or more years, and while it targeted only U.S. infrastructure directly, the infiltration was likely to have affected “Five Eyes” allies…

Excerpts from Joe Parkinson, FBI Director Says China Cyberattacks on U.S. Infrastructure Now at Unprecedented Scale, WSJ, Feb. 19, 2024

Visible and Vulnerable: the Power Grid and Terrorism

Physical attacks on the U.S. power grid rose 71% last year compared with 2021 and will likely increase this year, according to a confidential industry analysis viewed by The Wall Street Journal. A division of the grid oversight body known as the North American Electric Reliability Corporation found that ballistic damage, intrusion and vandalism largely drove the increase. The analysis also determined that physical security incidents involving power outages have increased 20% since 2020, attributed to people frustrated by the onset of the pandemic, social tensions and economic challenges.

The NERC division, known as the Electricity Information Sharing and Analysis Center, or E-ISAC, recorded the sharp increase in incidents in 2022, driven in part by a series of clustered attacks on infrastructure in the Southeast, Midwest and Pacific Northwest. One of the most significant incidents occurred in early December 2022 when attackers targeted several substations in North Carolina with gunfire, leaving roughly 45,000 people in the dark… The number of politically or ideologically motivated attacks appears to be growing, though it is difficult to identify the reasons for each one. There seems to be a pattern where people are targeting critical infrastructure, probably with the intent to disrupt. In 2013, snipers targeted a large-scale transmission substation near San Jose, Calif., and raised fears that the country’s power grid was vulnerable to terrorism. The attack took out 17 transformers critical to supplying power to Silicon Valley, authorities said. A former federal regulator at the time called the event “the most significant incident of domestic terrorism involving the grid that has ever occurred.”

Excerpts from Katherine Blunt, Power-Grid Attacks Surge and Are Likely to Continue, Study Finds, WSJ, Feb. 22, 2023

The Wild West Mentality of Companies Running the U.S. Oil and Gas Infrastructure — and Who Pays for It

The ransomware attack on Colonial Pipeline Co. in May 2021 has hit an industry that largely lacks federal cybersecurity oversight, leading to uneven digital defenses against such hacks.

The temporary shutdown of Colonial’s pipeline, the largest conduit for gasoline and diesel to the East Coast, follows warnings by U.S. officials in recent months of the danger of cyberattacks against privately held infrastructure. It also highlights the need for additional protections to help shield the oil-and-gas companies that power much of the country’s economic activity, cyber experts and lawmakers say. “The pipeline sector is a bit of the Wild West,” said John Cusimano, vice president of cybersecurity at aeSolutions, a consulting firm that works with energy companies and other industrial firms on cybersecurity. Mr. Cusimano called for rules similar to the U.S. Coast Guard’s 2020 regulations for the maritime sector that required companies operating ports and terminals to put together cybersecurity assessments and plans for incidents.

More than two-thirds of executives at companies that transport or store oil and gas said their organizations are ready to respond to a breach, according to a 2020 survey by the law firm Jones Walker LLP. But many don’t take basic precautions such as encrypting data or conducting dry runs of attacks, said Andy Lee, who chairs the firm’s privacy and security team. “The overconfidence issue is a serious phenomenon,” Mr. Lee said.

Electric utilities are governed by rules enforced by the North American Electric Reliability Corp., a nonprofit that reviews companies’ security measures and has the power to impose million-dollar fines if they don’t meet standards. There is no such regulatory body enforcing standards for oil-and-gas companies, said Tobias Whitney, vice president of energy security solutions at Fortress Information Security. “There aren’t any million-dollar-a-day potential fines associated with oil-and-gas infrastructure at this point,” he said. “There’s no annual audit.”

Excerpt from David Uberti and Catherine Stupp, Colonial Pipeline Hack Sparks Questions About Oversight, WSJ, May 11, 2021

The Nightmare of Keeping the Lights On

Some 330 million Americans rely on the nation’s critical infrastructure to keep the country humming. Disruptions to electrical grids, communications systems, and supply chains can be catastrophic, yet all of these are vulnerable to cyberattack. According to the government’s 2019 World Wide Threats Hearing, certain adversaries are capable of launching cyberattacks that can disrupt the nation’s critical infrastructure – including electrical distribution networks.

In recognition of the disruptions cyberattacks can cause, DARPA in 2016 established the Rapid Attack Detection, Isolation and Characterization Systems (RADICS) program. The goal of RADICS has been to enable black-start recovery during a cyberattack. Black start is the process of restoring power to an electric substation or part of the grid that has experienced a total or partial shutdown without relying on an external power transmission network to get things back online…

“Cyberattacks on the grid can essentially do two things – make the grid not tell you the truth, and make the grid operate in an unexpected way,” said Walter Weiss, the program manager responsible for RADICS. “For example, the grid could show you that a substation has power when in reality it does not. This could unintentionally prevent power restoration to an entire area since no one thinks there is a need to bring power back online. The technologies developed under RADICS help provide ground truth around grid status, giving responders the ability to quickly detect anomalies and then chart a path towards recovery.”…

The RADICS testbed comprises miniaturized substations that were designed to operate as they do in the real world, but with safeguards to protect the system and those operating the substations. The substations are connected via power lines, forming a multi-utility crank path. With a crank path, power is generated to black start one utility that then powers the next utility and the next until the grid is fully restored.

DARPA substation, Plum Island, NY

Technologies to Rapidly Restore the Electrical Grid after Cyberattack Come Online, DARPA Website, Feb. 23, 2021
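The telemetry-deception problem Weiss describes, a substation that “shows you that it has power when in reality it does not,” is easiest to see as a cross-check between what the SCADA master displays and independent measurements from the substation’s own instrument transformers. The Python below is an added example written for this page; it is not RADICS code and has no connection to the DARPA testbed. The substation names, the 13.8 kV nominal voltage, the thresholds and every telemetry record are constructed for the illustration.

```python
"""Cross-check SCADA-reported substation status against independent
measurements.  Added illustration (not RADICS or utility code); the field
names, substation layout and telemetry records are constructed."""
from dataclasses import dataclass
from typing import Dict, List

DEAD_FEEDER_AMPS = 1.0        # below this a feeder is treated as unloaded
LIVE_VOLTAGE_FRACTION = 0.8   # bus counts as live above 80% of nominal


@dataclass
class SubstationReport:
    """One polling cycle for a substation (constructed record format)."""
    name: str
    reported_energized: bool      # the status flag the SCADA master displays
    bus_voltage_kv: float         # independent potential-transformer reading
    feeder_amps: Dict[str, float] # per-feeder current-transformer readings
    nominal_kv: float = 13.8

    def bus_live(self) -> bool:
        return self.bus_voltage_kv >= LIVE_VOLTAGE_FRACTION * self.nominal_kv

    def load_present(self) -> bool:
        return any(a > DEAD_FEEDER_AMPS for a in self.feeder_amps.values())


def assess(r: SubstationReport) -> str:
    """Classify one report by comparing the displayed flag with physics."""
    if not r.bus_live() and r.load_present():
        # Current flowing on a dead bus: one of the measurements is lying.
        return "SENSOR_CONFLICT"
    if r.reported_energized and not r.bus_live():
        # Display says powered, instruments say dark: the case in the quote
        # above, where nobody thinks the area needs restoring.
        return "FALSE_ENERGIZED"
    if not r.reported_energized and r.bus_live():
        # Display says dark, instruments say live: invites needless switching.
        return "FALSE_DARK"
    return "CONSISTENT"


def triage(reports: List[SubstationReport]) -> Dict[str, str]:
    return {r.name: assess(r) for r in reports}


def restoration_queue(reports: List[SubstationReport]) -> List[str]:
    """Substations a crew must visit.  Decided from measured bus voltage, not
    from the reported flag, so a substation that lies about being energized is
    still queued.  Conflicting sensors are included: they need eyes on site."""
    return sorted(r.name for r in reports if not r.bus_live())


# Constructed telemetry for one polling cycle.
SAMPLE_REPORTS = [
    SubstationReport("Northfield", True, 13.7, {"F1": 210.0, "F2": 180.0}),
    SubstationReport("Elm Creek", True, 0.0, {"F1": 0.0, "F2": 0.0}),   # the lie
    SubstationReport("Ridge", False, 0.0, {"F1": 0.0}),                 # honest outage
    SubstationReport("Harbor", False, 13.6, {"F1": 95.0}),
    SubstationReport("Quarry", True, 0.2, {"F1": 150.0}),
]

if __name__ == "__main__":
    for name, finding in triage(SAMPLE_REPORTS).items():
        print(f"{name:<11} {finding}")
    print("dispatch crews to:", ", ".join(restoration_queue(SAMPLE_REPORTS)))
```

The independent channel only helps if it reaches the operator over a path the compromised SCADA master does not control (a separate phasor-measurement feed, a field crew’s radio check); otherwise the cross-check compares one lie with another. The SENSOR_CONFLICT class exists because an attacker who can falsify the status bit can often falsify one analog channel too, and disagreement among measurements is itself a signal worth surfacing rather than averaging away.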

Cyber-Attacking Nuclear Plants: the 3,000 cyber bugs

In the first half of 2019, no country endured more cyber-attacks on its Internet of Things—the web of internet-connected devices and infrastructure—than India did. So asserts Subex, an Indian telecommunications firm, which produces regular reports on cyber-security. Between April and June of 2019, it said, recorded cyber-attacks jumped by 22%, with 2,550 unique samples of malware discovered. Some of that malicious code is turning up in hair-raising places.

On October 28, 2019 reports indicated that malware had been found on the computer systems of Kudankulam Nuclear Power Plant in Tamil Nadu, the newest and largest such power station in India. Pukhraj Singh, a cybersecurity researcher who formerly worked for the National Technical Research Organisation (NTRO), India’s signals-intelligence agency, says he was informed of the malware by an undisclosed third party in September, and notified the government. The attackers, he said, had acquired high-level access and struck “extremely mission-critical targets”… On October 30, 2019 the body that operates nuclear power plants acknowledged, sheepishly, that a computer had indeed been infected, but it was only an “administrative” one.

Sensitive sites such as power plants typically isolate the industrial-control systems (those that control the workings of a plant) from those connected to the wider internet. They do so using air-gaps (which involve disconnecting the system from the wider world), firewalls (which monitor data-flows for suspicious traffic) or data diodes (which allow information to flow out but not in).

But breaching a computer on the outside of these digital moats is nevertheless troubling. It could have given the attackers access to sensitive emails, personnel records and other details which would, in turn, make it easier to gain access to the more isolated operational part of the plant. America and Israel are thought to have sneaked the devastating Stuxnet virus into Iran’s air-gapped uranium-enrichment plant at Natanz around 2007 by planting a USB stick on a worker, who carried it inside and plugged it in.

The culprit behind the Kudankulam attack is unknown, but left some clues. The malware in question is from a family known as DTrack, which gives attackers an intimate look at what victims are doing—down to their keystrokes. It is typically used to monitor a target, making it easier to deliver further malware. DTrack was originally developed by a group of hackers known as the Lazarus Group, who are widely assumed to be controlled or directed by North Korea.

Excerpts from On the DTrack: A cyber-attack on an Indian nuclear plant raises worrying questions, Economist, Nov. 1, 2019

Power Grid: smart and sensitive

Raytheon Company and Utilidata have formed a strategic alliance to help power utilities proactively detect, defend against and respond to cyber threats. The effort will combine Utilidata’s experience in the use of real-time data from the electrical grid to detect and respond to cyber attacks and Raytheon’s expertise in proactive cyber threat hunting, automation and managed security services to provide world-class cybersecurity, analytics and other innovative technologies….

[According to] Scott DePasquale, chairman and CEO of Utilidata: “With more and more devices and systems connected to the internet, and all of them needing electrical power, these challenges are increasing exponentially. This new alliance will help define the future of cybersecurity in the power utilities sector.” In December 2015, a cyber attack shut down a large section of the Ukrainian power grid – an incident that the Department of Energy identified in the 2017 installment of the Quadrennial Energy Review as an ‘indicator of what is possible.’

Excerpts from Raytheon, Utilidata to deliver defense-grade cybersecurity for utilities, PRNewswire, Feb. 8, 2017

Hacking the Power Grid

In Ukraine on Dec. 23, 2015 the power suddenly went out for thousands of people in the capital, Kiev, and western parts of the country. While technicians struggled for several hours to turn the lights back on, frustrated customers got nothing but busy signals at their utilities’ call centers…. Hackers had taken down almost a quarter of the country’s power grid, claimed Ukrainian officials. Specifically, the officials blamed Russians for tampering with the utilities’ software, then jamming the power companies’ phone lines to keep customers from alerting anyone…. Several of the firms researching the attack say signs point to Russians as the culprits. The malware found in the Ukrainian grid’s computers, BlackEnergy3, is a known weapon of only one hacking group—dubbed Sandworm by researcher iSight Partners—whose attacks closely align with the interests of the Russian government. The group carried out attacks against the Ukrainian government and NATO in 2014…

The more automated U.S. and European power grids are much tougher targets. To cloak Manhattan in darkness, hackers would likely need to discover flaws in the systems the utilities themselves don’t know exist before they could exploit them. In the Ukrainian attack, leading security experts believe the hackers simply located the grid controls and delivered a command that shut the power off. Older systems may be more vulnerable to such attacks, as modern industrial control software is better at recognizing and rejecting unauthorized commands, says IOActive’s Larsen.

That said, a successful hack of more advanced U.S. or European systems would be a lot harder to fix. Ukrainian utility workers restored power by rushing to each disabled substation and resetting circuit breakers manually. Hackers capable of scrambling New York’s power plant software would probably have to bypass safety mechanisms to run a generator or transformer hotter than normal, physically damaging the equipment. That could keep a substation offline for days or weeks, says Michael Assante, former chief security officer for the nonprofit North American Electric Reliability Corp.

Hackers may have targeted Ukraine’s grid for the same reason NATO jets bombed Serbian power plants in 1999: to show the citizenry that its government was too weak to keep the lights on. The hackers may even have seen the attack as in-kind retaliation after sabotage left 1.2 million people in Kremlin-controlled Crimea without lights in November 2015. In that case, saboteurs blew up pylons with explosives, then attacked the repair crews that came to fix them, creating a blackout that lasted for days. Researchers will continue to study the cyber attack in Ukraine, but the lesson may be that when it comes to war, a bomb still beats a keyboard.

Excerpts from How Hackers Took Down a Power Grid, Bloomberg Businessweek, Jan. 14, 2016
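The excerpt’s contrast between “simply located the grid controls and delivered a command” and software that is “better at recognizing and rejecting unauthorized commands” comes down to what checks sit between a control request and the breaker. The Python below is an added example written for this page, not code from any utility, vendor or researcher named above. The HMI addresses, role names, device identifiers, the select of checks and the rate limit are all constructed assumptions; real products implement such gates inside the SCADA master or in a protocol-aware gateway, not as a stand-alone script.

```python
"""Allow-list gate for supervisory control commands.  Added example; the
hosts, roles, devices and the scenario below are constructed, not drawn
from any real utility."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

# Constructed policy: which consoles may issue controls, and with what role.
AUTHORIZED_HMI: Dict[str, str] = {
    "10.10.1.21": "operator",
    "10.10.1.22": "operator",
    "10.10.1.30": "dispatcher",
}
ROLE_ACTIONS = {
    "operator": {"OPEN", "CLOSE", "TAP_RAISE", "TAP_LOWER"},
    "dispatcher": {"OPEN", "CLOSE"},
}
# Device-type prefix -> actions that make physical sense for that equipment.
DEVICE_ACTIONS = {"BRK": {"OPEN", "CLOSE"}, "XFMR": {"TAP_RAISE", "TAP_LOWER"}}
KNOWN_DEVICES = {"BRK-101", "BRK-102", "BRK-103", "BRK-104", "XFMR-1-TAP"}
MASS_OPEN_LIMIT = 3        # breaker OPENs allowed per source per window
MASS_OPEN_WINDOW_S = 60.0  # seconds


@dataclass(frozen=True)
class ControlCommand:
    src_ip: str
    device: str
    action: str
    ts: float  # passed in explicitly so the scenario is deterministic


class CommandGate:
    """Evaluates each control request against the policy above."""

    def __init__(self) -> None:
        self._opens: Dict[str, Deque[float]] = defaultdict(deque)

    def evaluate(self, cmd: ControlCommand) -> Tuple[bool, str]:
        role = AUTHORIZED_HMI.get(cmd.src_ip)
        if role is None:
            # Covers the "located the controls and sent a command" case.
            return False, "source not an authorized HMI"
        if cmd.device not in KNOWN_DEVICES:
            return False, f"unknown device {cmd.device}"
        dev_type = cmd.device.split("-", 1)[0]
        if cmd.action not in DEVICE_ACTIONS.get(dev_type, set()):
            return False, f"action {cmd.action} invalid for {cmd.device}"
        if cmd.action not in ROLE_ACTIONS[role]:
            return False, f"role {role} may not {cmd.action}"
        if dev_type == "BRK" and cmd.action == "OPEN":
            # A legitimate console can be hijacked; a burst of OPENs from one
            # source is treated as mass de-energisation, not routine switching.
            window = self._opens[cmd.src_ip]
            while window and cmd.ts - window[0] > MASS_OPEN_WINDOW_S:
                window.popleft()
            if len(window) >= MASS_OPEN_LIMIT:
                return False, "mass breaker-open rate exceeded; manual confirmation required"
            window.append(cmd.ts)
        return True, "accepted"


# Constructed scenario: three malformed requests, then a hijacked HMI that
# tries to open every breaker in quick succession.
SCENARIO: List[ControlCommand] = [
    ControlCommand("10.10.5.77", "BRK-101", "OPEN", 0.0),        # foothold, not an HMI
    ControlCommand("10.10.1.30", "XFMR-1-TAP", "TAP_RAISE", 1.0), # dispatcher exceeds role
    ControlCommand("10.10.1.21", "BRK-101", "TAP_RAISE", 2.0),    # nonsense for a breaker
    ControlCommand("10.10.1.22", "BRK-101", "OPEN", 10.0),
    ControlCommand("10.10.1.22", "BRK-102", "OPEN", 12.0),
    ControlCommand("10.10.1.22", "BRK-103", "OPEN", 14.0),
    ControlCommand("10.10.1.22", "BRK-104", "OPEN", 16.0),        # fourth OPEN in 6 s
]


def run_scenario(commands: List[ControlCommand] = SCENARIO) -> List[Tuple[bool, str]]:
    gate = CommandGate()
    return [gate.evaluate(c) for c in commands]


if __name__ == "__main__":
    for cmd, (ok, why) in zip(SCENARIO, run_scenario()):
        print(f"{cmd.src_ip:<12} {cmd.action:<9} {cmd.device:<10} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The source allow-list alone does not address a command issued from a legitimate operator console, which is why the rate check is there; the limit is a tuning knob, and a real outage response may need a confirmed override path so that operators shedding load deliberately are slowed down, not locked out. None of this helps if the attacker can reach the relays directly and bypass the master, so the gate has to sit on the only path the field devices will accept commands from.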