WASHINGTON (Circa) — The idea of hackers being able to shut off power to a major U.S. city seemed like a distant threat a few years ago, but now it's a close reality that officials warn the United States is not prepared to meet.
At the end of July, the Department of Homeland Security hosted a first of its kind cybersecurity summit in New York, bringing together stakeholders from the private sector, academia and multiple federal agencies, including defense and intelligence.
"I won't sugar-coat it," Homeland Security Secretary Kirstjen Nielsen told attendees, "Everyone and everything is a target."
Comparing the threat to America's critical infrastructure to a coming "Cat 5 hurricane," she warned, "Our adversaries' capabilities online are outpacing our stove-piped defenses. In fact, I believe that cyber threats collectively now exceed the danger of physical attacks against us."
The warning echoed the one delivered by Director of National Intelligence Dan Coats last month when he said the system is "blinking red" and described America's vulnerability to a cyberattack in terms of the period before September 11, 2001.
For those working in cybersecurity and among the nation's more than 3,000 utilities, these warnings were not new.
Gregory White is the director of the University of Texas San Antonio Center for Infrastructure Assurance and Security, one of the nation's centers of academic excellence in cyber operations. Since 2002, government and private utilities have been working to address possible attacks on critical infrastructure.
"This is not a recent development," White noted. "What is different now is that folks are finally waking up to the possibilities."
In recent years, there seems to be one wake-up call after another. In 2016, the United States experienced the greatest number of cybersecurity breaches in U.S. history, including 16 targeting utilities, and of course, the cyberattacks around the presidential election.
According to one risk assessment, the impact of a cyberattack that shut down parts of the U.S. power grid could be massive, costing as much as $1 trillion. Intelligence agencies have been wary to calculate the possible impact of a prolonged power outage caused by a cyberattack, which would have carry-over effects on virtually every other piece of critical infrastructure.
One of the most shocking developments came in March when officials at DHS and the FBI confirmed Russian government cyber actors penetrated the computers of multiple U.S. electric utilities in a 2017 campaign and gained remote access to energy sector networks.
Last month, officials provided more details about the extent of the campaign, which is likely still ongoing, noting the hackers gained enough access to cause blackouts and otherwise control critical systems. "They got to the point where they could have thrown switches," Jonathan Homer, chief of industrial-control-system analysis for DHS, told the Wall Street Journal.
That's different from what U.S. intelligence agencies had seen before, and it matters. Nation-state actors, particularly Russia, which in 2015 successfully, if temporarily, disabled Ukraine's energy grid, but also China, Iran and North Korea, have been investing in a sophisticated cyber arsenal and now appear to be testing those capabilities.
"You're starting to see adversaries get more comfortable engaging in computer network attacks," said Frank Cilluffo, the director of the Center for Cyber and Homeland Security (CCHS) at George Washington University. "This is more than simply probing and identifying vulnerabilities in the industrial control systems but actually demonstrating a capability to exploit them."
For America's private utility companies, which control a significant portion of U.S. energy generation and the bulk of the transmission and distribution system, the problem has become overwhelming. Few if any industry leaders went into business imagining they would have to defend their daily operations against foreign intelligence agencies or nation-state actors.
In a recent survey of utility executives, a majority named physical and cybersecurity as the most pressing concern for their companies.
At a recent CCHS conference, Duke Energy's leading cybersecurity executive, Brian Harrell, said the company was hit by more than 650 million cyber attempts in 2017 aimed at breaching the system. A successful breach could potentially affect 7.6 million customers in the Southeast and Midwest and the company's 50 gigawatts of electricity generation.
"Duke Energy recently reported that they encountered 650 million cyber breach attempts to their systems in 2017. Since then, they've invested millions in physical security and cybersecurity upgrades. #investinIT #cybersecurity #prepare" — Kyber Security (@KyberSecurity), July 16, 2018
The CEO of one of the largest U.S. utility companies said at last month's cybersecurity summit in New York that bad actors have their sights on "the crown jewels," breaching energy management systems. "We are under the biggest threat that has never been reported, ever," warned Tom Fanning, the head of Southern Company.
Amid the threat, companies like Southern and Duke have invested millions in cybersecurity, physical security upgrades and most importantly redundancy.
As Fanning sounded the alarm over grid security, he also explained that even if "the bad guys" got to "the crown jewels," Southern has a second system synced up within milliseconds to ensure the power supply for the company's roughly 9 million customers. Fanning boasted, "You wouldn't know if that happened."
Until recently, private power companies were largely left to their own devices to monitor and repel intrusions from sophisticated cyber actors. That is beginning to change as individuals in the private sector recognize the need for additional help and the federal government becomes more capable of providing it.
According to Laura Schepis, executive director of the Partnership for Affordable Clean Energy and longtime coordinator of public-private cybersecurity efforts, the Trump administration has played an important role in continuing to push for grid security.
"When the Trump administration came in for the transition, I was really encouraged by the focus, attention and dedication they gave to it — bringing in industry partners, reaching back to take experts from the Obama administration and treating cybersecurity as a really high priority issue," she said.
Just last month, the Department of Homeland Security created the National Risk Management Center, a joint center to coordinate the defense of the country's critical infrastructure. The center brings together interagency expertise in coordination with leaders in the private sector, who own and operate roughly 90 percent of the nation's critical infrastructure.
At the beginning of the year, the Department of Energy launched the Office of Cybersecurity, Energy Security and Emergency Response. The office was given $96 million to shore up the cybersecurity and physical security of U.S. energy infrastructure.
The Department of Energy is also at the center of a series of cybersecurity exercises to test the grid's resilience and provide hands-on training to test how utility companies and the government would respond to an attack. According to E&E News, a major exercise is being planned for November, where participants will test their ability to bring the grid back online following a simultaneous cyberattack on electric, oil and natural gas infrastructure.
A decade ago, cybersecurity advocates struggled to get the attention of the federal government, let alone the resources needed to share information and shore up the grid. "Over the last 8-10 years, there has certainly been a more useful, fruitful partnership," Schepis said.
It is still too soon to tell how effective the new partnerships and interagency groups will be in preventing what some worry could be a crippling attack on the grid.
Collectively, government agencies and individuals in the private sector have enough information to identify and disrupt the next major cyberattack. The problem continues to be too little coordination and information-sharing among the different stakeholders. Comparing the situation to the state of intelligence sharing before the 9/11 attacks, Nielsen acknowledged that "we still have trouble 'connecting the dots.'"