Threats grow to energy’s networks
Industry moving at ‘snail’s pace’ on cybersecurity
New evidence that Russia orchestrated cyberattacks against U.S. energy systems could pressure the federal government and U.S. companies to shore up the defenses of weakly protected computer networks controlling vital sectors of the nation’s economy.
The Kremlin’s campaign, which authorities said began at least two years ago, and other recent cyberattacks underscore just how vulnerable power plants, pipelines, chemical and manufacturing facilities are to foreign adversaries looking to manipulate critical U.S. infrastructure. But if industrial cyberattacks remain shrouded in secrecy — as they have for decades — security experts fear the lack of public outcry will cause lawmakers and corporate boards to move too slowly to prevent a costly strike on U.S. soil.
“We’re going at a snail’s pace,” said Mike McConnell, former director of the National Security Agency and former U.S. Director of National Intelligence. “The problem is becoming more severe, and the ones who can see what’s going on are being forced to say more and more to get the nation to react in a serious way.”
In a rare glimpse of an international cyber arms race, federal agencies and security firms recently disclosed that cyberattacks aimed at U.S. energy, nuclear, water, aviation and manufacturing facilities have risen sharply since 2016, amid attempts by a highly skilled and well-funded hacking group to secure a foothold in those networks. The FBI and the Department of Homeland Security last month blamed the attacks on the Russian government.
The hacking group, known as Dragonfly, is one that security experts have tracked for years. In private client reports shared with the Houston Chronicle, iDefense, the cyberthreat intelligence division of Accenture Security, said the group’s intrusions into U.S. industrial networks were almost certainly successful because of security lapses.
The attackers, targeting computer operators, administrators and engineers with access to industrial control networks, used phishing, malware and other hacking tools to break in, figure out how to manipulate vital controls, and test detection capabilities and responses of companies and federal authorities. It appears the hackers only probed the networks, according to iDefense, but the nature of the intrusions suggested the group is preparing for a day when it could launch an attack aimed at disrupting operations or damaging facilities.
With its large concentration of refineries, chemical plants, manufacturers and pipeline operators, the threat is more pronounced in Houston than almost anywhere else in the nation. But cybersecurity experts said even after years of increased awareness among corporate boards of online threats, the vast majority of energy and industrial companies lack technologies and personnel that would allow them to constantly monitor control system networks. That leaves companies blind to industrial attacks.
“We’re not staying caught up,” said Emmett Moore, chief executive of Houston cybersecurity firm Red Trident. “The adversaries are going way faster than we are. That’s why we’re seeing more incidents.”
The recent energy downturn forced many oil companies to put cybersecurity projects on the back burner for a few years, cybersecurity specialists said. But there’s no longer any doubt, they added, that foreign adversaries such as Russia, Iran and North Korea intend to plant themselves in U.S. computer and industrial networks.
Michael Tadeo, a spokesman for the American Petroleum Institute, a trade group, said the oil and gas industry has invested heavily in cybersecurity measures and promoted guidelines similar to the ones followed by the electric utilities and financial companies. The industry, he added, is also working closely with the government to investigate and reduce threats to industrial control systems.
“Promoting cybersecurity is a top priority for the oil and natural gas industry that will promote the safety and resiliency of our operations, our employees and our nation,” Tadeo said in a statement.
Corporate America got a taste of how a major industrial cyberattack could affect profits last summer, when U.S. pharmaceutical giant Merck & Co. and delivery services company FedEx Corp. confirmed cyberattacks compromised their computer systems — and cost them hundreds of millions of dollars. They were among several unintended targets from a global cyber assault, dubbed “NotPetya,” which was originally aimed at companies in Ukraine and spread around the world.
U.S. officials blamed the attacks on the Russian military, and intelligence officials estimate the NotPetya attacks cost companies $11 billion in economic losses worldwide.
Last year, cybersecurity experts learned of two new families of malware targeting industrial control systems, in addition to three others discovered in prior years. They also identified two major attacks aimed at disrupting industrial operations and five separate hacker groups conducting them — far more than previously believed, cybersecurity firm Dragos said in a recent report.
Last year, Dragos estimated computer controls at industrial facilities, including oil and businesses, get infected by malware at least 3,000 times a year. But the public rarely hears about them.
In another rare disclosure, four U.S. natural gas pipeline operators — Energy Transfer Partners, Boardwalk Pipeline Partners, Eastern Shore Natural Gas Co. and ONEOK — said last week cyberattacks shut down electronic data systems used in setting transaction terms with energy customers. The attacks appear to have been financially motivated, and don’t bear the markings of a nation-state attack on U.S. critical infrastructure, cybersecurity experts said. Pipeline operations were not affected.
In a time of growing trade tensions, cyberattacks could play an increasingly prominent role in the economic rivalry between the United States, China and Russia, analysts said. Attacks that disrupt U.S. plants and cost companies billions – but that don’t cross the threshold of an act of war – could become a new method used by world powers to slow their rivals’ economic activity, experts said.
But to thwart such attacks, the U.S. government will have to change its approach to cybersecurity, said McConnell, the retired NSA director. The American public never hears about the vast majority of cyberattacks against U.S. industrial systems that control the operations of refineries, pipelines, power plants, chemical plants and other factories. Such incidents are classified by the FBI and other agencies and kept secret by U.S. companies unless a breach involves the theft of personal identifying information, such as Social Security numbers.
In some cases, even companies are kept in the dark by the government about attacks on their systems, McConnell said. The lack of disclosure keeps the pressure off federal officials and companies to make changes needed to better protect computer networks and industrial controls.
He added that he fears it may take a catastrophic event that costs billions of dollars, and even lives, to gain the public attention needed to propel the government to action.
“At some point,” McConnell said, “we’re going to have to change the rules.”