Hackers lie in wait after penetrating US and Europe power grid networks

“Nation-sponsored hackers have penetrated the operational networks multiple US and European energy companies use to control key parts of the power grid that supplies electricity to hundreds of millions of people, researchers warned Wednesday,” Dan Goodin reports for Ars Technica.

“The incursions detected by security firm Symantec represent a dramatic escalation by a hacking group dubbed Dragonfly, which has been waging attacks against US and European energy companies since at least 2011,” Goodin reports. “In 2014, Symantec reported that Dragonfly was aggressively establishing beachheads in a limited number of target networks, mainly by stealing the user names and passwords used to restrict access to legitimate personnel. Over the past year, the hacking group has managed to compromise dozens of energy firms and, in a handful of cases, install backdoors in the highly sensitive networks the firms use to supply power to the grid.”

“At a minimum, attackers who have control of a company’s operational network could use it to become de facto operators of the company’s energy assets. That control includes the ability to turn on or off breakers inside the companies’ infrastructure and hijack systems that monitor the health of the grid,” Goodin reports. “That’s an unsettling scenario, but there’s a more troubling one still: the attackers might also be able to use their control of multiple grid-connected operational networks to create the kinds of failures that led to the Northeast Blackout of 2003 [in which the grid supplying electricity to 55 million people shut down].”

Read more in the full article here.

MacDailyNews Note: Goodin notes in an update:

After this Ars post went live, several security professionals with expertise in electric grids downplayed the likelihood of the operational network compromises being used to cause blackouts or take down parts of the grid. Robert Lee, the founder and CEO of Dragos Security, said the hackers would need more than the mere ability to control human machine interfaces that flip switches and open and close breakers. While he said an attack that mimicked the techniques that disrupted Ukrainian power in 2015 was possible, he said differences in the US grid would make those tactics much less effective. Lee’s Twitter thread below is well worth reading all the way through:

11 Comments

  1. This has been talked about for years.

    Any energy company that has not isolated its critical systems from the internet is just plain boneheaded and the CEO and CIO ought to be fired on the spot, if they have not “locked the doors & raised the drawbridge.”

    Somehow, I think these reports are exaggerating a bit.

    1. Why? Of all the insurmountable problems in the world, it would seem to me that securing the national electrical grid is a highly specific task. Certainly a whole lot easier than making North Korea act sane or world hunger. Why is this allowed to go unaddressed?

      1. There are two reasons that the electrical grid is exposed to the Internet. The first is, simply, that it is a grid composed of many, many thousands of individual but interconnected generators, transformers, switches, meters, and other components spread across tens of thousands of square miles. Those bits must be networked in some fashion and it is simpler and easier to do that via an encrypted virtual private network on the public Internet than to build an entirely separate network that would still be vulnerable to physical intrusion. The second reason is that the grid relies on remote diagnostics by engineers and other experts who may not be on site when an emergency occurs.

        The problem isn’t the lack of an air gap to deny Internet access, but the lack of robust encryption and other security measures to properly control access.
