DHS Warns that Russians Hacked Control Rooms

Department of Homeland Security (DHS) officials in a July 24 webinar said that Russian hackers infiltrated a power plant industrial control system (ICS) in an incident that could have caused a blackout last year. However, as an industrial cybersecurity expert pointed out—and a DHS spokesperson confirmed—the impact of the incident may be overstated.

The expert and DHS responded to a widely cited Wall Street Journal report published on July 23, which said a continuing cyber threat campaign may be spearheaded by a state-sponsored group known as Dragonfly or Energetic Bear. The activity, which resulted in breaches of supposedly secure “air-gapped” or isolated networks to get into U.S. utility control rooms, claimed “hundreds of victims” and “got to a point where they could have thrown switches,” Jonathan Homer, chief of ICS analysis for DHS, told the newspaper.

Correcting the Record

But according Dragos—a cybersecurity firm that closely monitors ICS cyber threats—while such activity may have occurred, the claim is overblown. Dragos CEO Robert Lee told POWER in a statement that the “messaging in the [Wall Street Journal] article around ‘throwing switches’ and causing ‘blackouts’ is misleading on the impact of the targeting that took place. What was observed is incredibly concerning but images of imminent blackouts are not representative of what happened, which was more akin to reconnaissance into sensitive networks.”

Lee added, however, that highlighting ongoing risk is important. The DHS “has done a great job amplifying what was previously identified by the private sector and adding their own information,” he said.

In a statement to POWER later on July 24, DHS spokesperson Lesley Fulop confirmed the activity it outlined in the webinar “to share actionable information” with industry and government partners took place last summer. But she dispelled the notion that it claimed “hundreds of victims.”

“While hundreds of energy and non-energy companies were targeted, the incident where they gained access to the industrial control system was a very small generation asset that would not have had any impact on the larger grid if taken offline. Over the course of the past year as we continued to investigate the activity, we learned additional information which would be helpful to industry in defending against this threat,” she said. “We will continue our strong public-private partnership and remain vigilant in defending critical infrastructure.”

Fulop noted that industry has “invested significant resources in defending against nation state actors and this investment is working.” However, she added, DHS continues vast efforts to protect critical infrastructure in partnership with industry.

The Dragonfly Threat Continues to Hover

The DHS, for example, in October 2017 provided a cursory profile of Dragonfly and its distinct tactics, sourcing information gleaned by private cybersecurity firms in their vigilance against cyber threats. According to this information, Dragonfly has reportedly stepped up cyberattacks aimed at severely crippling operations in the European and North American energy sectors. The DHS lists the threat under “reported Russian military and civilian intelligence services,” along with BlackEnergy, Energetic Bear, and Havex. Earlier this year, power plant cybersecurity experts told POWER that the campaign appears to be specifically targeting operational technology (OT), likely with intent on gathering specific intelligence on operational networks and the technologies they can use to plan future attacks.

In March 2018, the DHS issued its first dire warning that Russian government cyber threat actors have infiltrated workstations and servers of corporate networks containing data output from industrial control systems (ICS) or supervisory control and data acquisition (SCADA) systems associated with an unnamed number of power plants. That warning was part of a technical alert jointly released with the FBI providing information on the compromises as part of a multi-stage intrusion campaign carried out by Dragonfly.

The U.S. government has since stepped up its role in protection of critical infrastructure against the surge of growing—and evermore insidious—cybersecurity threats.

In May, the Department of Energy released a multiyear strategy to help industry “gain an upper hand” in the fight against cybersecurity. In June, the Treasury Department slapped sanctions on five Russian firms and three Russian individuals for several “significant” malicious cyber-enabled activities, including cyber intrusions in the U.S. energy grid, though it declined to provide details on the nature of those intrusions.

Concerned about a gap in information about attempted cyber-intrusions, on July 19 the Federal Energy Regulatory Commission ordered the North American Electric Reliability Corp. to broaden, within six months, its Critical Infrastructure Protection (CIP) reliability standards to include mandatory reporting of cybersecurity incidents that could harm the bulk electric system.

The DHS’s comments on July 23 came in the first of a series of webinars launched by the National Cybersecurity and Communications Integration Center (NCCIC)—the DHS’s hub created to encourage coordination between government agencies and the private sector—that is focused on Russian government cyber activity against critical infrastructure. Other webinars in the series are scheduled on July 25, July 30, and August 1. Attendees may only access the webinar as guests on the day of each event.

The DHS also plans to host a National Cybersecurity Summit on July 31, 2018, in New York City. The summit will bring together “a broad group of representatives from across government including officials from Department of Defense, National Security Agency, Federal Bureau of Investigation, Department of Energy, and Department of Treasury,” the agency said last week. “They will be joined by academia and industry CEOs across sectors including telecom, financial, and energy to lay out a vision for a collective defense model to protect our nation’s critical infrastructure. Through panels, keynote addresses, and breakout sessions, the summit will serve as a launching point for a number of DHS initiatives to advance cybersecurity and critical infrastructure risk management.”

—Sonal Patel is a POWER associate editor (@sonalcpatel, @POWERmagazine)

Updated (July 23): Adds comments from DHS, Dragos