National Security

Don’t just fear the power-grid hack. Fear how little the U.S. knows about it

A Black Hat tech associate works in the network operating center during the Black Hat information security conference in Las Vegas July 26, 2017.
A Black Hat tech associate works in the network operating center during the Black Hat information security conference in Las Vegas July 26, 2017. AP

The robust and agressive takedown of part of Ukraine’s power grid by hackers served as a wakeup call for cyber experts and exposed just how much America does not know about foreign operatives’ ability to strike critical U.S. infrastructure.

Electrical grids are on the minds of those gathered at Black Hat, the world’s biggest hacker convention that entered its final day Thursday. The confab draws 16,000 hackers and information technology experts from around the globe.

Worries about infrastructure have grown since presumed Russian government-linked hackers last December shut down power to a section of the Ukrainian capital of Kiev, marking the second straight year they’ve blacked out part of the country as part of Russia’s drive to bring Ukraine back under its geopolitical wing.

Hackers routinely come to the Black Hat convention to demonstrate how to break into electronic systems embedded in medical devices, ATMs, cars, routers and mobile phones. This year, at the 20th annual gathering, one security researcher walked attendees through a hack of a wind farm.

“Wind farm control networks are extremely susceptible to attack,” said the researcher, Jason Staggs, who is affiliated with the University of Tulsa.

Hackers would only have to get access to a single turbine to implant malware that would spread across the wind farm, Staggs said, noting that he had hacked into turbines at multiple wind farms with the permission of operators.

“We can turn the turbine on or turn the turbine off or put it in an idle state,” he said, demonstrating the method for taking digital control of a turbine.

Wind farms provided 4.7 percent of the nation’s electricity in 2015, Staggs said, a percentage that is likely to climb to 20 percent by 2030.

When a 250-megawatt wind farm is left idle due to a malicious hack, the downtime can cost an electric utility between $10,000 and $35,000 an hour, Staggs said.

While wind farms may face vulnerabilities, some experts said the nation’s complex electrical grids are more robust and capable of withstanding a cyberattack.

“The reporting around hacking the grid is often over hyped,” said Tom Parker, a cofounder of FusionX, a firm specializing in cyber threat profiling that was bought in 2015 by Accenture Security, where he is group technology officer.

“Whenever anyone ever says someone could hack the grid, there’s no such thing as a single grid. There are multiple grids in the United States,” Parker said in an interview. “It’s a very complex system. There’s a lot of robustness built into it.”

Any cyberattack on U.S. power plants and electrical grids would only come if a foreign power launched a simultaneous military attack on the United States, Parker said.

Others suggested a lesser attack might occur, affecting only a section of the nation.

“If somebody really wanted to send a message, it hurts to have three or four days of no power to the Eastern Seaboard. That could be done. And there’s also no quick fix,” Sam Curry, chief product officer at Cybereason, a Boston firm, said on the sidelines of the conference.

Late last month, the FBI and the Department of Homeland Security issued an alert saying that foreign hackers were targeting the nuclear, power and critical infrastructure sectors.

Authorities did not say who the hackers were but added that they were not successful at breaching any of their targets, including an unidentified nuclear plant.

“We see this probing going on all the time,” said Joe Slowik, a senior threat intelligence researcher at Dragos Inc., an industrial cybersecurity company based in Fulton, Maryland.

A former member of an elite counterterrorism cyber unit at the National Security Agency, Jay Kaplan, said in an interview that he believes some U.S. rivals have already planted malicious code in the nation’s infrastructure, perhaps including nuclear facilities.

“I do believe that there is a certain percentage of our critical infrastructure that’s already compromised,” said Kaplan, who is chief executive of Synack, a Menlo Park, California, firm that deploys security teams to hack into the networks of clients to test for vulnerabilities.

“This is prepositioning. Should we ever go to war with another nation state, they can leverage this malware for their benefit and basically cripple the economy,” Kaplan said. “I just think it’s reality. … Right now, I don’t feel confident at all.”

The cyberattacks on Ukraine’s power system in 2015 and 2016 have sharpened worldwide focus on hacking aimed at crippling infrastructure.

In a December 2015 attack, hackers cut power to about 225,000 customers serviced by three energy distribution companies. The attack in late 2016 struck a transmission station north of Kiev, blacking out a portion of the capital. Attackers used malware designed to delete data and physically damage industrial control systems, Cybereason said in a report this month.

The team, allegedly Russian, behind the second attack was formidable.

“It looked like there were around 20 people involved in the operation,” said Robert M. Lee, chief executive of Dragos.

Dragos partnered with ESET, a Slovakian security company, to examine the malicious code used in the industrial attack on the Ukrainian power supply.

While the malware was more sophisticated in the 2016 attack, Lee said it could not be easily repurposed to attack U.S. electrical grids, which he described as far more complex.

“Please don’t go reading Ted Koppel’s ‘Lights Out’ book and think you may need to build a bunker,” Lee said. “Things will be okay.”

But Lee added that authorities routinely overestimate their cyber defensive abilities and do not know for certain if malicious worms already reside within the infrastructure.

“The scary part of it is we simply do not know because the government tends to think it has more control over certain infrastructure than it actually does,” Lee said.

Tim Johnson: 202-383-6028, @timjohnson4