Russia has been making the news in recent years for bold incursions into the utility systems of other nations, including the much-publicized intrusions into the United States utility grid that the U.S. government disclosed in 2018. The U.S. government claimed that this cyber attack on the power grid involved more than just espionage and probing; the Russian hackers allegedly left behind the virtual tools needed to later disrupt the grid by shutting off vital systems.
This time, the US is on the offensive. A recent New York Times article cited anonymous current and former Trump officials in reporting that the country’s intelligence agencies have been doing much the same thing in recent months. Both countries have been regularly probing each other’s grid defenses since at least 2012, but this is the first known occurrence of the Americans planting malicious code in the Russian systems. The code is believed to be able to compromise the Russian power grid in the event of a conflict between the two countries.
The move is in keeping with a more aggressive US Cyber Command posture that began with a 2018 presidential directive giving government agencies more latitude to conduct offensive operations without case-by-case presidential approval. Russia appears to have been a central consideration in this policy shift, given that the country has shown little hesitation or fear in testing US defenses and deploying internet-based psychological operations within its rival's borders.
Cyber attacks on power grids and modern cyber warfare
Thus far, these reports of cyber attacks on power grids have not been backed up by any concrete action. While Russia has been directly responsible for (or at least suspected in) a number of utility grid attacks around the world, most notably the December 2015 attack on Ukraine, the country has not shut off the power in the United States. Likewise, the United States is widely reported to have deployed active cyber measures to disrupt enemy utilities and industry (most notably Stuxnet, the attack on Iran's uranium enrichment centrifuges that was discovered in 2010), but has not done so to Russia as of yet.
There is some concern that Russia may try to make active use of their cyber capabilities during the 2020 election, however. Given the country’s propensity to meddle in US elections using disinformation and hacking, some observers fear that Russian hackers will try to initiate selective blackouts in key areas with cyber attacks on the power grid as voters head to the polls.
While American retaliation in kind might seem to be a natural development, the planting of these bits of malware in Russian power grids also contributes to the legitimacy of such attacks in an emerging area of warfare that does not yet have clear rules and protocols.
Do these cyber attacks on power grids represent an escalation of cyber war conditions? The Russian response from spokesman Dmitry Peskov was certainly heated, describing the act exactly that way. On the American front, President Trump went in the other direction and condemned the New York Times for what he called "virtual treason" in reporting the story. There is also some legitimate basis for questioning the purpose of these anonymous disclosures, given the Trump administration's seeming inclinations toward Russian interests and willingness to share sensitive cyber information with the country. It makes little sense to announce covert capabilities such as this unless one wants the enemy to begin scouring their networks for them. At least two of the administration officials who served as sources for the article believed the president had not been briefed on the action.
Cyber attacks on an electricity grid are generally seen as out-of-bounds during peacetime. Principles of responsible cyber behavior drafted by both the UN and the G7 specifically condemn cyber-based infrastructure attacks. Planting malware in infrastructure without triggering it appears to be running right up to the border of what is currently considered acceptable behavior by the international community, but not crossing it. Causing actual damage would definitively cross that line, and would have a significant possibility of sparking actual war.
Protecting the grid
A natural question springs to mind when cyber attacks on power grids are mentioned. Can’t the grids just be air-gapped from the internet, as they were in the days before there was one? And why aren’t they?
Public utility researcher Theodore Kury of the University of Florida explored this issue in a 2018 article. To summarize, one obstacle is the competing interest in protecting ratepayers from wasteful spending. Because infrastructure replacements and upgrades are recovered through rate increases, state and federal regulations require utility companies to disclose in detail what they are spending the money on. When it comes to cybersecurity, disclosing that level of detail in a public proceeding is often not possible without compromising the very security measures being funded.
A bigger obstacle, however, is the actions of "non-malicious insiders." Employees clicking on malware links and spoofed sites were responsible for opening the door in most of the documented cyber attacks on power grids. In some cases, the Russian hackers compromised legitimate sites that employees were known to visit from their work computers, so that the trusted site itself delivered the malware: a practice known as a "watering hole" attack.
Modern energy industry systems have a number of legitimate needs for internet accessibility, so simply air-gapping everything that touches grid operation is probably not going to be possible. There is some separation of internet-connected servers from offline functions, but an ongoing problem appears to be systems implemented two or three decades ago, before today's threat model existed, that carry more internet integration than current practice would allow and are now very expensive to replace.
Even where the internet-facing computer systems are properly firewalled off from the control systems, so that they cannot make changes to the critical infrastructure, there remains the risk of "non-malicious insiders" at both the power plants and their various vendors bringing in personal equipment and hooking it up to the control systems for the sake of convenience, bypassing that separation entirely.
As is the case with organizations of every size, it would appear that defeating cyber attacks on the power grid ultimately comes down to across-the-board employee training, together with resiliency measures that limit or prevent downtime when a compromise does occur.