The Washington Post: Democracy Dies in Darkness

The Cybersecurity 202: A cyberattack just disrupted grid operations in the U.S. But it could have been far worse.

May 6, 2019 at 7:33 a.m. EDT

THE KEY

A recently disclosed hack at an electric utility in the western United States crosses a disturbing new line.

It’s the first time a digital attack is known to have interfered with electrical grid operations in the United States. And it was due to a relatively basic hack, raising the specter of what might happen if a sophisticated bad actor chose to launch a far more powerful attack, say, with the intent of shutting off electricity for millions of people.

The disruption, which took place March 5, was caused by a denial of service incident, an Energy Department official told E&E News's Blake Sobczak, who was the first to report on the issue. That means the utility -- which serves parts of California, Utah and Wyoming, though the Energy Department didn’t name it -- was basically overwhelmed with phony Web traffic.

The attack didn’t cause customer outages or affect the reliability of the grid — and there’s no evidence it was part of a coordinated attack aimed at doing so, Blake reported. It’s possible the attackers didn’t even know they were targeting an electric utility. 

But the fact that there was a disruption at all on critical infrastructure puts it in a highly concerning category. The best known successful grid attack by highly sophisticated hackers had far-reaching consequences: Hackers allegedly linked to the Russian government targeted portions of Ukraine’s energy grid with a denial of service attack in 2015 and cut off electricity for several hours to tens of thousands of people.

That kind of outage, if it took place in the U.S., could cause hundreds of millions of dollars of damage or even cost lives — for example, if hospitals were caught without a backup electricity supply.

A 2015 report by the University of Cambridge Centre for Risk Studies estimated a major grid attack in the United States could cost up to $1 trillion in the most severe circumstances.

The disruption also highlights how poorly many utilities are prepared for such an attack.

According to Blake, the attack relied on a computer bug that was widely known — and there was a software patch that fixed it. That means if the utility had updated patches on all of its systems, the whole thing could have been averted.

The Energy Department has shared very little information about the hack. Most of what’s known comes from a report that the department typically publishes after outages caused by major storms or other events that interrupt electrical supply. A report such as that may be triggered if a digital attack hit a target at the edge of a utility’s network, such as a firewall or router, that doesn’t affect core operations, industry sources told Blake.

“While a cyberattack on such equipment wouldn't disrupt the flow of electricity, it could force operators to pause or redirect certain activities at affected facilities to allow for an investigation,” he reported.

The attack should be a wake-up call about the importance of ensuring utilities are consistently and effectively protecting themselves against cyberattacks, Robert M. Lee, a former NSA hacker who founded the cybersecurity company Dragos, said during a panel discussion I moderated Thursday.

But Lee also warned against overreacting to such attacks, which he said are sure to become more prevalent in coming years. After all, he said, electricity services are quite resilient and it would be exceptionally difficult to shut off power across a large area for a long time.

“I don’t want to make light of threats poking and prodding our infrastructure,” he said. “But we also don’t want to hype up the challenge.”

PINGED, PATCHED, PWNED

PINGED: President Trump during a lengthy phone conversation Friday didn’t warn Russian President Vladimir Putin against interfering in the 2020 election, my colleagues Anne Gearan, John Wagner and Anton Troianovski reported.

That’s despite stark warnings from intelligence and Homeland Security officials that Russia probably will attempt to undermine the 2020 contest as it did in 2016.

Trump and Putin did, however, discuss the conclusion of special counsel Robert S. Mueller III’s investigation into Russian interference in the 2016 campaign — which the president described as the “Russian hoax” on Twitter.

According to Trump, Putin responded to the conclusion of the Mueller investigation by saying “something to the effect that it started off as a mountain … it ended up being a mouse.” The president added that Putin “knew there was no collusion whatsoever.”

Mueller did not find sufficient evidence to bring criminal charges against any members of the Trump campaign for assisting Russia’s 2016 election interference operation.

Trump has wavered on U.S. intelligence agencies’ conclusion that Russia interfered in the 2016 election — often saying that he believes Russia interfered but other actors might have as well (including an anonymous 400-pound hacker).

The phrase “Russian hoax” gives Trump wiggle room to cast doubt on Russian interference in 2016 without outright claiming it, Julian Sanchez, a senior fellow at the libertarian Cato Institute, said on Twitter.

PATCHED: Representatives from more than two dozen countries during a meeting in Prague on Friday agreed to a broad set of principles for how to secure 5G networks against spying and cyberattacks — including language supported by U.S. diplomats that would make it tougher to give 5G contracts to Huawei and other Chinese firms.

But it’s unclear how effective the voluntary agreement will be in actually restricting Huawei from U.S. allies’ 5G networks. The agreement comes after several European nations, including Britain, have opted to allow Huawei to build some portion of their networks — despite intense lobbying from U.S. diplomats who say the company could be a platform for Chinese spying.

Among other things, the Prague agreement urges nations to consider the “overall risk of influence on a supplier by a third country” and how bound a 5G supplier is by the rule of law. The White House praised the principles in a statement and said the United States plans to abide by them as it contracts to build its own 5G networks.

PWNED: Facebook has told U.S. officials it’s “willing to submit to greater oversight of its data-collection practices — from the launching of new services to the decisions of its top executives — to end a wide-ranging federal probe into a series of privacy abuses that came to light last year,” my colleague Tony Romm reported.

The enhanced oversight, if approved, would accompany a $3 billion to $5 billion fine over a slew of cases in which the social media giant allegedly failed to sufficiently safeguard users’ personal information.

“Under such a settlement, Facebook would have to complete a more rigorous privacy review of new products and services before launching them,” Tony reported, and would have to document to the FTC how it had evaluated the effects of data collection practices on its customers.

“Facebook also would take a more active role in policing third-party app developers,” Tony reported, including quarterly sign-offs on Facebook’s privacy practices by top executives including founder Mark Zuckerberg.

PUBLIC KEY

Cybersecurity news from the public sector:

House Democrats give Barr deadline for access to Mueller report (Ellen Nakashima)

Senators introduce bill to prevent border agency from selling personal data (The Hill)

International cops shutter two dark web sites, arrest three accused of running Wall Street Market (CyberScoop)

New documents provide details on NSA relationship with Cyber Command (Fifth Domain)

PRIVATE KEY

Cybersecurity news from the private sector:

Verizon, T-Mobile, Sprint, and AT&T Hit With Class Action Lawsuit Over Selling Customers’ Location Data (Motherboard)

Hackers steal card data from 201 online campus stores from Canada and the US (ZDNet)

THE NEW WILD WEST

Cybersecurity news from abroad:

Security-tech companies once flocked to Myanmar. One firm’s tools were used against two journalists. (Timothy McLaughlin)

In a first, Israel responds to Hamas hackers with an air-strike (ZDNet)

Security lapse exposed a Chinese smart city surveillance system (TechCrunch)

Opinion: Governments are deploying spyware on killers, drug lords – and journalists (Globe and Mail)