What electric utilities can learn from the Vermont hacking scare
The erroneous Russian hacking story contained some big lessons about managing critical security information
Burlington Electric probably wasn't hacked by the Russians, and the grid was never at risk.
But when the overblown story broke last month, the result of an investigation leak and erroneous reporting by the Washington Post, it didn't surprise many people. An electric utility being hacked is a growing concern for an industry that has traditionally thought of itself in terms of physical assets rather than networks and data.
Hacking attempts are becoming more common, and the rollout of new technologies onto the grid has created vulnerabilities. A new report from PA Consulting, for instance, finds smart meters "represent one of the most acute cyber attack vectors to distribution networks," and warns that early adopters may be most at risk of a cyber breach.
"It is clear that energy companies and utilities will continue to become increasingly susceptible to these cyber threats," the consulting firm concluded.
Now that some of the furor has died down around the Burlington incident, the industry is looking at the event for clues as to what worked and what did not, and how utilities can better protect themselves and their customers. Generally speaking, information sharing between the industry and the federal government worked as it should have to mitigate any threat.
In late December, the Department of Homeland Security provided electric utilities with updated information related to cybersecurity threats, alongside an analysis of Russian civilian and military intelligence hacking tools. Burlington Electric, Vermont's largest municipal utility, updated its scanning software with the new data and then ran an assessment of its system.
That's when the insanity started.
Burlington's scan turned up a laptop that had connected to an IP address the federal government said was linked to Grizzly Steppe, the U.S. government's name for the Russian hacking campaign. The utility informed the feds, who launched an investigation. A widespread hack of the nation's power grid could cause enormous damage, as much as $1 trillion by some estimates, and in the hours after Burlington found the malware, officials at DHS and the Electricity Information Sharing and Analysis Center were in contact with the utility multiple times.
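What the utility's "scan" amounts to is an indicator sweep: take the address and domain indicators from a government or ISAC feed and match them against your own egress records (proxy, firewall, DNS logs). The script below is an added example, not Burlington Electric's or DHS's tooling. The indicator feed, its three-column format, the proxy log lines and the internal addresses are all constructed for illustration, and the "shared infrastructure" note is an assumption standing in for the analyst's knowledge that an indicator (a Tor exit, a large hosting range) is used by plenty of benign traffic. Its point is the one the article arrives at later: a single match is a lead to investigate and report, not proof that a host is talking to a foreign intelligence service.

```python
"""Indicator-of-compromise (IOC) sweep over proxy logs, with basic triage.

Added example. Feed format, log format and all addresses are constructed;
they are not the format or content of any real government feed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator feed: type,value,note. Real feeds carry more fields.
INDICATOR_FEED = """\
# type,value,note
ipv4,198.51.100.23,command-and-control address
cidr,203.0.113.0/24,hosting range used by the campaign
domain,update-check.example,phishing landing page
ipv4,192.0.2.77,Tor exit node: shared infrastructure
"""

# Constructed proxy log: timestamp client_ip dest_ip host method
PROXY_LOG = """\
2016-12-29T21:14:02Z 10.20.5.41 198.51.100.23 updates.vendor.example CONNECT
2016-12-29T21:14:09Z 10.20.5.41 203.0.113.88 cdn-edge.example GET
2016-12-29T21:15:30Z 10.20.7.12 192.0.2.77 news.example GET
2016-12-29T21:16:01Z 10.20.7.12 93.184.216.34 example.com GET
2016-12-29T21:17:45Z 10.20.5.41 198.51.100.23 updates.vendor.example CONNECT
2016-12-29T21:18:12Z 10.20.9.3 8.8.8.8 update-check.example GET
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


@dataclass(frozen=True)
class Indicator:
    kind: str   # "ipv4", "cidr" or "domain"
    value: str
    note: str


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    indicator: Indicator
    shared: bool  # indicator is known shared infrastructure (weak evidence)


def parse_feed(text):
    """Parse the constructed feed, validating CIDR entries up front."""
    indicators = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, note = (f.strip() for f in line.split(",", 2))
        if kind == "cidr":
            ipaddress.ip_network(value, strict=False)  # raises on a bad range
        indicators.append(Indicator(kind, value.lower(), note))
    return indicators


def matches(ind, dest_ip, host):
    """Exact IP, CIDR containment, or domain/subdomain match."""
    if ind.kind == "ipv4":
        return dest_ip == ind.value
    if ind.kind == "cidr":
        return ipaddress.ip_address(dest_ip) in ipaddress.ip_network(ind.value, strict=False)
    if ind.kind == "domain":
        return host == ind.value or host.endswith("." + ind.value)
    return False


def sweep(log_text, indicators):
    """Return every log event that matches at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        ts, client, dest_ip, host, _method = m.groups()
        for ind in indicators:
            if matches(ind, dest_ip, host.lower()):
                hits.append(Hit(ts, client, ind, "shared infrastructure" in ind.note))
    return hits


def triage(hits):
    """Per internal host: event count, distinct strong indicators, shared-only flag.

    A host that only touched shared infrastructure is a low-confidence lead;
    a host hitting several distinct strong indicators is what you isolate first.
    """
    by_client = {}
    for h in hits:
        by_client.setdefault(h.client, []).append(h)
    report = {}
    for client, hs in by_client.items():
        strong = {h.indicator.value for h in hs if not h.shared}
        report[client] = {
            "events": len(hs),
            "distinct_strong_indicators": len(strong),
            "shared_infrastructure_only": all(h.shared for h in hs),
        }
    return report


if __name__ == "__main__":
    for client, summary in sorted(triage(sweep(PROXY_LOG, parse_feed(INDICATOR_FEED))).items()):
        print(client, summary)
```

On the constructed data, 10.20.5.41 hits two distinct strong indicators across three events and is the host to pull off the network and report; 10.20.7.12 only touched a Tor exit and stays a low-confidence lead until someone looks at what the traffic actually was. Which bucket a real hit falls into is exactly the question the federal analysis, not the sweep, has to answer.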
"That part of the process worked really well," said Burlington Electric General Manager Neal Lunderville.
Communication between the power sector and the federal government is essential to protecting the grid, and it was an area the North American Electric Reliability Corp. cited for improvement in a report last year on findings turned up by a grid-attack simulation. Among the recommendations was enhancing the Electricity Information Sharing and Analysis Center to provide for real-time urgent communications.
"It was only when the information was inaccurately leaked to the Washington Post," said Lunderville, that the story spiraled.
"This was an example of information that was relevant to the industry, gathered by the intelligence community, being shared in an actionable and timely way," said Scott Aaronson, executive director for security and business continuity at Edison Electric Institute, the trade group for U.S. investor-owned utilities. "The system worked the way it's supposed to."
"This should be seen as a success story," said Brian Harrell, director of security and risk management for Navigant Consulting.
All eyes on Burlington
Harrell is also the former director of critical infrastructure protection programs at NERC, and while he says the hacking of critical infrastructure is a major concern, "we should be careful to keep this in perspective." The danger in this specific situation is that the headlines generated by the initial, wrong story could lead to a breakdown in future communications.
"Unfortunately, this event may be seen as a reason to hesitate or pause when wanting to communicate with those on the outside," Harrell wrote in an email. "Every utility is monitoring and taking notes as to how this has played out in the media. The result will be hesitancy when reporting in the future. The question that many utility experts are asking is, how did this information get leaked to the Washington Post?"
The leak was attributed to U.S. officials, but Homeland Security said there's no reason to assume it came from its office. And a spokesman said that while its analysis is ongoing, "we currently have no information that indicates that the power grid was penetrated in this cyber incident."
DHS spokesman Scott McConnell also said "our analysis remains ongoing, and we'll decline further comment on the situation at this time as the analysis proceeds." But he echoed others who said the utility acted as it should have. Burlington "performed immediate action to isolate the laptop and alerted federal partner authorities."
Burlington's Lunderville said "by and large our federal partners are very strong," though he acknowledged "there is always an opportunity to improve."
"We need federal partners for good intelligence and they want our help, and together we can get closer to stopping some of these cyber threats," he said.
Aaronson said he expects information sharing will continue to improve, but the leak, wherever it came from, was unhelpful.
"What we're trying to foster here is a willingness between government and industry to share information with each other, and to have that information shared in the national media, I think, does a disservice to the regime we're trying to create," Aaronson said. "Very public incidents like this have the potential to have a chilling effect."
How vulnerable is the grid?
It's been a decade since the Idaho National Laboratory's Aurora Project demonstrated how a remote attacker could damage generators. By opening and reclosing a generator's circuit breakers out of sync with the grid, an attacker could subject the machine's rotating parts to torque they were never designed for, damaging a power plant and taking it offline.
The utility industry has been slow to address the problem, and in 2014 DHS may have exacerbated the situation when it mistakenly responded to a Freedom of Information Act request on an unrelated topic by releasing more than 800 pages related to the so-called "Aurora vulnerability," including the locations of sensitive infrastructure that could be disabled.
But the power sector is now moving as quickly as possible to tighten security, against the backdrop of a political season in which hacking became a major issue. Sen. John McCain (R-AZ) has said Russia has the capability to shut down American power plants through cyberattacks.
"It isn't just elections that they are hacking into. It is across the board ... including the ability to shut down power plants," McCain said on Meet the Press last week. "They can do grave danger to the United States of America."
EEI's Aaronson said he wouldn't dispute McCain's assessment, or discuss specific "threat actor's capabilities," and instead issued a reminder: "What the Russians can do, so can the U.S." He acknowledged that for "sophisticated" groups, "there are things they can do to critical infrastructure." But he also said there is a lot of redundancy built into the system.
"There isn't one company that runs the grid," he said. "There isn't a magic off-switch you can attack."
It remains unclear whether the malware found on a Burlington Electric laptop was actually evidence of Russian hacking. And on that point, there is less communication between the industry and federal agencies.
"One thing I don't know, because federal authorities haven't shared it, is whether it's from Russia," Lunderville said. "We get intelligence from the federal agencies, we update them ... ultimately it's the feds who take all that data and sort through it. We really don't know if that communication was ultimately routed to Moscow or Dubuque."
The utility has a brief statement on its website, saying the specific type of Internet traffic at issue "also has been observed elsewhere in the country and is not unique to Burlington Electric."
Wherever it came from, attacks on the utility industry are becoming more common.
In 2015, hackers attempted a denial-of-service attack on FirstEnergy, but the attempt was quickly blocked. The situation in Vermont shows information sharing has come a long way: after FirstEnergy reported that attack, it never heard back from the federal government.
"Cyberattacks are not uncommon in our industry," FirstEnergy spokesperson Tricia Ingraham said in a statement. The company "actively monitors these attacks and we collaborate with government and industry organizations. We also remain involved in efforts to improve information sharing across these entities."
Federal government taking action
A recent report from the U.S. Department of Energy, the agency's second installment of its Quadrennial Energy Review, puts cybersecurity front and center. The analysis recommends that state and federal regulators be given the authority to protect the grid, while also aligning power reliability with national security.
"Grid security is a national security concern — the clear and exclusive purview of the Federal Government," DOE said in the report.
Among the recommendations, the agency called for amending the Federal Power Act to ensure the DOE can develop preparation and response capabilities to guard against a wide range of threats. And the report identifies power reliability as a "growing and essential component of national security," and calls for the Federal Energy Regulatory Commission to modify or create new reliability standards to address the threat.
The report also recommends dedicating funding to publicly owned utilities, particularly smaller organizations. "Cyber threats to the electricity system are increasing in sophistication, magnitude, and frequency," DOE warned, recommending "support grants for small utilities facing cyber, physical, and climate threats."
That could include Burlington Electric, which serves fewer than 20,000 customers.
"All utilities, whether larger or smaller ones, take cyber security very seriously," Lunderville said. "We have been having peer discussions for many years, and we're always working to strengthen our cyber security posture."
But is a major hack of the grid inevitable?
"The way it doesn't become inevitable is we continue to do what we've been doing," he said.
Follow Robert Walton on Twitter