U.S. Energy Is Under Attack

Russia has been quietly breaching U.S. power plants, including nuclear facilities. What’s the damage done, and what should energy companies do now?

Russia Hack U.S. Nuclear Energy

While President Trump was finally meeting Vladimir Putin at the G20 summit, a joint statement from the Department of Homeland Security (DHS) and FBI was causing reverberations back in the States. Hackers, the agencies warned, had reportedly breached at least a dozen U.S. energy facilities—the Wolf Creek nuclear facility in Kansas, among them—since May. The suspected culprit: Russia.

That’s not an outrageous conclusion, given mounting evidence that the Kremlin has, for years, been laying down the groundwork for large-scale cyber assaults. As the FBI and the American public contemplate its role in influencing the last presidential election, Russia has (allegedly) engaged in systematic blows at the Ukraine’s infrastructure. And yes, the latter has accused Russian of rigging their elections, too.

In a story bluntly titled, “How an Entire Nation Became Russia’s Test Lab for Cyberwar,” Wired points out that since 2014, “A hacker army has systematically undermined practically every sector of Ukraine: media, finance, transportation, military, politics, energy.” This includes a pair of attacks—the second far more automated and sabotage-focused—on Ukraine power plants. Even the recent Petya global malware outbreak is thought to be another assault on the Ukraine—with 60% of impacted systems, including those at the Chernobyl plant, located in that country. Said Kenneth Geers, a NATO ambassador with a focus on cybersecurity, to Wired, “You can’t really find a space in Ukraine where there hasn’t been an attack.”

The outcome of those tests are making their way to the U.S.

This month’s alert isn’t the first time the DHS has sounded an alarm related to energy-industry breaches. In 2014, it announced that hackers had infected multiple utility-company networks with Russian malware called Black Energy. Those incidents were thought to establish backdoor system access. In contrast, the recent incidents, reports the New York Times, “appeared determined to map out computer networks for future attacks.” Their common target: industrial control engineers with access to critical control systems.

nuclear plant hack

The FBI and DHS announcement underscores concern that Russia’s recon missions and backdoor installations are not being spotted quickly enough, and subsequently shut down, by threshold-based security. Detected too late, these intrusions can escalate into the manipulation or shutting down of SCADA software, which control critical infrastructure and can be remotely accessed by hackers.

Security analytics—which baselines and detects anomalies in behavior—is immeasurably helpful in detecting advanced persistent threats and gaining actionable intelligence from prior incidents. For instance, the recent investigation has linked breach techniques to those of the Russian hacking group Energetic Bear, which has plagued the energy sector for at least five years now. And in recent two months, hackers infiltrated systems through three common techniques: spear-phishing (in this case, résumé attachments), watering-hole assaults (infecting frequently visited websites), and man-in-the-middle attacks (intercepting web traffic). They were stealing, says the Washington Post, “network log-in and password information to gain a foothold in company networks.”

Wolf Creek claims its nuclear-plant operations remain unaffected. “The reason is that the plant’s operational computer systems are completely separate from the corporate network,” their spokesperson told the Washington Post. “The safety and control systems for the nuclear reactor and other vital plant components are not connected to business networks or the Internet.” The New York Times also quotes E&E News, a trade publication, as saying, “U.S. authorities are investigating cyber-intrusions affecting multiple nuclear-power-generation sites.”­

Nuclear energy companies frequently create an “air gap” that separates business from operations systems. In contrast to the networks of other energy companies (which frequently bridge business and industrial networks), this safeguard makes access to critical infrastructure more difficult. But even an air gap is not a certain defense. Writes Wired, “Although air-gapped systems were believed to be more secure in the past, since they required an attacker to have physical access to breach them, recent attacks involving malware that spread via infected USB flash drives have shown the lie to this belief.”

There is a dire need for analytics-based protection, because there are always exceptions to security rules. Add to that process control (namely, OPC) that operates on outdated Windows XP machines—expensive to replace, yet no longer supported by Microsoft—and energy systems are incredibly vulnerable, especially to Russia’s slow-and-steady strategy. Right now, Kremlin paranoia can be a great, if necessary, motivator for energy companies.