A new wave of cyberattacks should be a wake-up call to U.S. electricity generators and grid operators who believe their control systems are safe from hackers, data security experts say.
Most of the time, power generators' industrial control systems aren't connected to unsecured public networks like the Internet. That may not be the case when operators need to install manufacturers' software upgrades or run diagnostics.
A group of Russian hackers known as "Dragonfly," recently exposed by cybersecurity company Symantec Corp., shows that the sliver of time that control systems are connected to outside networks is more than enough to embed malicious software to spy on power grids, Mark Thibodeaux, a Houston lawyer with Sutherland Asbill & Brennan who specializes in data security, said in an interview.
Symantec found the hackers used remote-access malware to infect three industrial control system equipment manufacturers. Those companies were vendors to the real targets, including U.S. and European electricity providers, which inadvertently installed the malware when they downloaded the manufacturers' software upgrades.
"These infections," Symantec wrote on its website this week, "not only gave the attackers a beachhead in the targeted organizations' networks, but also gave them the means to mount sabotage operations against infected (industrial control system) computers."
Defense levels against cybersecurity threats vary widely from company to company, but studies and other indications show power companies broadly "aren't as prepared as they ought to be," Thibodeaux said.
'The lay of the land'
Thibodeaux said a security measure known as an "air gap," a method of keeping control systems disconnected from other networks, has proved effective, but has led some companies to think their systems are largely safe from cyberattacks.
"When they want to run diagnostics, they connect, and that's the opportunity that hackers exploit," Thibodeaux said. "They've gotten deeper into the systems, and if the allegations are true, it's more worrying because they've probably been there for a while conducting espionage and mapping out the lay of the land."
After a broad cyberattack is exposed, companies typically should do an in-house or third-party security audit to make sure systems aren't infected, he said.
A recent study by cybersecurity software firm ThreatTrack Security shows that even though energy companies have faced more attacks than the financial sector, only a third have invested in advanced malware detection technology. Two in five U.S. energy companies say advanced cyberattacks have gotten past their defenses, according to that study.
Thibodeaux said the "Dragonfly" cyberattacks may be the broadest politically motivated threat since Iranian hackers' alleged "denial of service" attacks that flooded banks with traffic in an effort to shut down certain systems.
Symantec alleged the "Dragonfly" hackers have the markings of an effort supported by a foreign government. From a power generator's perspective, that may make them much harder to deal with than ordinary hackers, said Robert Lemus, another Houston lawyer for Sutherland who has specialized in data security and privacy. It may require meeting with law enforcement agencies, he said.
"State actors are out to learn as much as they can about your infrastructure. It's a different kind of war," Lemus said. "If you have a hacker in the States, that's one thing. But when you have one outside of U.S. jurisdiction, it's always more difficult, especially if it's a state-sponsored entity."
©2014 the Houston Chronicle