Monday, December 21, 2015

US power grid vulnerable to foreign hacks

http://apnews.myway.com/article/20151221/us--infrastructure-power_grid-cyberattacks-29dbb3fbf9.html

Dec 21, 10:29 AM (ET)
By GARANCE BURKE and JONATHAN FAHEY

Security researcher Brian Wallace was on the trail of hackers who had snatched a California university's housing files when he stumbled into a larger nightmare: Cyberattackers had opened a pathway into the networks running the United States power grid.

Digital clues pointed to Iranian hackers. And Wallace found that they had already taken passwords, as well as engineering drawings of dozens of power plants, at least one with the title "Mission Critical." The drawings were so detailed that experts say skilled attackers could have used them, along with other tools and malicious code, to knock out electricity flowing to millions of homes.

Wallace was astonished. But this breach, The Associated Press has found, was not unique.

About a dozen times in the last decade, sophisticated foreign hackers have gained enough remote access to control the operations networks that keep the lights on, according to top experts who spoke only on condition of anonymity due to the sensitive nature of the subject matter.

The public almost never learns the details about these types of attacks — they're rarer but also more intricate and potentially dangerous than data theft. Information about the government's response to these hacks is often protected and sometimes classified; many are never even reported to the government. [Should we learn the details of the government's response? This would give info to the hackers that would make them more effective.]

These intrusions have not caused the kind of cascading blackouts that are feared by the intelligence community. But so many attackers have stowed away in the largely investor-owned systems that run the U.S. electric grid that experts say they likely have the capability to strike at will.

•••••

In 2012 and 2013, in well-publicized attacks, Russian hackers successfully sent and received encrypted commands to U.S. public utilities and power generators; some private firms concluded this was an effort to position interlopers to act in the event of a political crisis. And the Department of Homeland Security announced about a year ago that a separate hacking campaign, believed by some private firms to have Russian origins, had injected software with malware that allowed the attackers to spy on U.S. energy companies.

•••••

Even the Islamic State group is trying to hack American power companies, a top Homeland Security official told industry executives in October.

•••••

As Deputy Secretary Alejandro Mayorkas acknowledged in an interview, however, "we are not where we need to be" on cybersecurity.

That's partly because the grid is largely privately owned and has entire sections that fall outside federal regulation, which experts argue leaves the industry poorly defended against a growing universe of hackers seeking to access its networks.

As Deputy Energy Secretary Elizabeth Sherwood Randall said in a speech earlier this year, "If we don't protect the energy sector, we are putting every other sector of the economy in peril."

•••••

Calpine spokesman Brett Kerr said the company's information was stolen from a contractor that does business with Calpine. He said the stolen diagrams and passwords were old — some diagrams dated to 2002 — and presented no threat, though some outside experts disagree.

•••••

Months later, Wallace got the alert: From Internet Protocol addresses in Tehran, the hackers had deployed TinyZbot, Trojan horse-style software that the attackers used to gain backdoor access to their targets, log their keystrokes and take screen shots of their information. The hacking group, he would find, included members in the Netherlands, Canada, and the United Kingdom.

The more he followed their trail, the more nervous Wallace got. According to Cylance, the intruders had launched digital offensives that netted information about Pakistan International Airlines, the Mexican oil giant Pemex, the Israel Institute of Technology and Navy Marine Corps Intranet, a legacy network of the U.S. military. None of the four responded to AP's request for comment.

•••••

Circumstantial evidence such as snippets of Persian comments in the code helped investigators conclude that Iran was the source of the attacks.

•••••

Whether there was any connection between the Iranian government and the individual hackers who Wallace traced — with the usernames parviz, Alireza, Kaj, Salman Ghazikhani and Bahman Mohebbi — is unclear.

•••••

According to a previously reported study by the Federal Energy Regulatory Commission, a coordinated attack on just nine critical power stations could cause a coast-to-coast blackout that could last months, far longer than the one that plunged the Northeast into darkness in 2003.

•••••

Because it would take such expertise to plunge a city or region into darkness, some say threats to the grid are overstated — in particular, by those who get paid to help companies protect their networks. Still, even those who said the risks of cyber threats can be exaggerated agree it is possible for cyberattackers to cause a large-scale blackout.

•••••

Authorities say they take the threat seriously. In response to a FOIA request, Homeland Security said it had helped more than 100 energy and chemical companies improve their cyber defenses, and held both classified and unclassified briefings in June 2013 and late 2014 on threats to companies associated with power grid operations.

•••••
