One of the cyber doomsday scenarios often painted by security advocates is an attack on the U.S. energy grid. Mechanized farms would be frozen, communication and innovation gone, and the U.S. economy brought to a standstill. A coordinated cyberattack using existing technology could bring the country to its knees.
After surveying more than 100 energy companies in May, Representatives Edward Markey and Henry Waxman said more than a dozen of the companies reported “daily,” “constant,” or “frequent” attempts of people trying to hack their networks. One utility reported it faced close to 10,000 attacks each month.
During his 2013 State of the Union Address, President Barack Obama warned of the growing threats in cyberspace, saying “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems.”
The threat is what led Obama to sign an executive order in February on “Improving Critical Infrastructure Cybersecurity,” which established information sharing programs and directed government resources towards securing critical systems necessary to keep the nation running. It states, “cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.”
Critical infrastructures include the financial sector, transit systems, the energy grid, and water purification facilities, among others. The White House executive order on cybersecurity classifies them as systems “so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
“Risks to critical infrastructure are real,” said Tiffany Rad, a senior researcher at Kaspersky Lab, in an email interview.
She cited several examples, including a study by security company Trend Micro where researchers set up 12 fake systems meant to mimic remote control systems of American municipal water plants. They watched as the fake systems were hacked more than 70 times, and noted that China and Russia were the most aggressive. The study was taken as proof that state actors are actively trying to exploit security holes in critical systems.
“If those research results are combined with a DHS report in 2012, which listed a significant increase in attacks on the U.S. critical infrastructure, it suggests that this is a threat to be taken seriously,” Rad said.
The current state of cybersecurity for the energy grid, in particular, is two-pronged. On one side, the rate of attacks is growing and becoming more sophisticated. On the other side, security systems are at a level beyond the reach of the common hacker.
James Clapper, director of National Intelligence, dispelled some concern in a March 12 statement before the Senate. He said while there may be minor attacks, there is a “remote chance” of a major cyberattack on U.S. critical infrastructures over the next two years “that would result in long-term, wide-scale disruption of services, such as a regional power outage.”
He said, however, the level of skill required for such an attack is beyond that of almost anyone other than state actors. And countries with these capabilities, including Russia and China, “are unlikely to launch such a devastating attack against the United States outside of a military conflict or crisis that they believe threatens their vital interests.”
Yet, while there have been no devastating attacks, state actors have gained access to critical networks.
More than 100 attacks against industrial control systems were listed between October 2012 and May 2013, by the Department of Homeland Security’s ICS-CERT (Industrial Control Systems Cyber Emergency Response Team).
So far in 2013, the Department of Homeland Security reports that 23 gas pipelines have been hacked, according to a report from security company FireEye. It states the attacks were “possibly for sabotage.” The report also notes that “Chinese hackers were seen at the U.S. Army Corps of Engineers’ National Inventory of Dams.”
Motives for attacks on oil and gas industries differ. Some are state actors wanting information that can help them beat out international competition to land contracts. Some are smaller hacker groups or terrorists wanting to cause harm. Others have gained access then laid dormant, waiting with unknown purposes.
A June report from the Council on Foreign Relations places cyberattacks against oil and gas industries into two categories. The first is cyberespionage on a company’s communications or data to gather intelligence to undermine the company in the global market or to gather intelligence on weaknesses for potential attacks. The second is attacks to disrupt critical business or physical operations.
“Once in the system, an infiltrator could in theory cause the flow of natural gas through a pipeline to grind to a halt, trigger an explosion at a petrochemical facility, or do damage to an offshore drilling rig that could lead to an oil spill,” the report states. “Such threats now have the potential to cause environmental damage, energy-supply outages for weeks or months, and even the loss of human life.”
One of the best known breaches was by Chinese state actors in a cyberespionage campaign, which security company McAfee dubbed “Night Dragon” in February 2011. It targeted global oil, energy, and petrochemical companies and was harvesting data from them on “sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations.”
McAfee CTO George Kurtz wrote on his blog that the information Chinese hackers were spying on “can make or break multibillion dollar deals in this extremely competitive industry.”
Smaller hacker groups have also made a dent in the field. In 2012, an Iranian hacker group called “Cutting Sword of Justice,” attacked Saudi Arabia’s national oil company Aramco with a virus called “Shamoon.” According to a report from security company FireEye, the Iranian hackers were able to delete data from three-quarters of the company’s computers, 30,000 computers in all. They deleted documents, emails, and other files, which they replaced with pictures of burning American flags.
The Shamoon attack used a variation of Stuxnet, a highly advanced virus discovered in June 2010 that was able to infect and physically destroy centrifuges at an Iranian nuclear facility.
Rad reiterated the point that high-level attacks from “a sophisticated malicious attacker” are the leading concern when it comes to security on critical systems.
She noted, however, that such attacks are not necessarily limited to state actors. “What independent security researchers have shown is that it does not take a lot of financial backing to create damaging exploits for [Industrial Control Systems] that could be defined as ‘high level,’ but it takes advanced and persistent threats, which may as easily come from an individual as a nation state.”