When the Los Angeles Department of Water and Power was hacked in 2018, it took only six hours. Earlier this year, an intruder lurked for months inside hundreds of computers tied to water systems across the United States. In Portland, Oregon, hackers planted malicious computers on the grid that supplies power to the Pacific Northwest.
Two of those cases, Los Angeles and Portland, were penetration tests. The water-system threat was real, and was discovered by Dragos, an industrial cybersecurity company.
All three episodes underline a point that has long been known but, until recently, little acknowledged: the digital security of the U.S. computer networks that control the machinery producing and distributing water and electricity is seriously inadequate, and operators and regulators have treated it as a low priority, leaving the country with a serious national vulnerability.
“If we have a new world war tomorrow and have to worry about protecting our infrastructure from cyberattacks by Russia or China, then no, I don’t think we would be where we want to be,” said Andrea Carcano, co-founder of Nozomi Networks, a control-system security company.
Hackers working for profit and espionage have long threatened U.S. information systems. But in the past six months they have gone after companies that run operational networks, such as the Colonial Pipeline fuel system, with greater persistence. In those systems the consequences are physical: water can be contaminated, gas lines can leak, substations can explode.
The threat has existed for at least a decade, and fear of it for a generation, but cost and indifference have stood in the way of action.
It is not entirely clear why ransomware hackers, who use malware to lock access to computer systems until a sum of money is paid, have recently moved on from small colleges, banks and local governments to energy companies, meat processors and utilities. Experts suspect intensified competition among criminal groups, the larger payouts on offer, and the involvement of foreign governments. Whatever the cause, the shift has finally drawn serious attention to the problem.
In 1998 the Clinton administration identified 14 private sectors as critical infrastructure, including chemicals, defense, energy and financial services, and the U.S. government began taking small steps to protect their cybersecurity. Regulation of the financial and electric-power sectors followed. Other industries, including oil and gas, have been slower to protect their computers, said Rob Lee, founder of Dragos.
One reason is the operational and financial burden of suspending production and installing new tools.
Much of the infrastructure that runs these technical systems is too old for sophisticated cybersecurity tools. Ripping out and replacing the hardware is costly, and so is the service interruption that comes with it. Nozomi’s Carcano said network administrators also worry that doing the work piecemeal may make things worse, because it increases the network’s exposure to hackers.
Although the Biden administration’s budget includes $20 billion to upgrade the national grid, that comes after a long history of neglect by federal and local authorities. Even when companies in lightly regulated industries such as oil and gas do prioritize cybersecurity, they get little support.
Take ONE Gas Inc. of Tulsa, Oklahoma as an example.
Niyo Little Thunder Pearson was in charge of cybersecurity there in January 2020 when his team received an alert about malware trying to get into its operational system, which controls the flow of natural gas in Oklahoma, Kansas and Texas.
For two days his team fought hackers who were moving laterally across the network. In the end, Pearson’s team succeeded in expelling the intruders.
When Richard Robinson of Cynalytica fed the corrupted files into his own identification program, ONE Gas learned that it had been dealing with malware capable of executing ransomware, exploiting industrial control systems and harvesting user credentials. At its core were digital fingerprints found in some of the most malicious code of the past decade.
Pearson tried to submit the data to the FBI, but he said the bureau would only accept it on CD, and his systems could not burn CDs. When he notified the Department of Homeland Security and sent the data through its secure portal, he never received a response.
Robinson of Cynalytica was convinced that a nation-state operator had just attacked a regional gas supplier, so he briefed the Department of Homeland Security, the Department of Energy, the Department of Defense and the intelligence community on a conference call. He received no reply either.
“We got zero, which is really surprising,” he said. “No one came back to learn more about what happened at ONE Gas.”
These agencies did not respond to requests for comment.
That kind of official indifference, even hostility, is not uncommon.
The 2018 break-in at the Los Angeles water and power system is another example.
The intruders were not criminals but hired hackers, brought in to break into the system in order to help improve its security.
After the initial intrusion, the city’s security team asked the hackers to look for new ways in while assuming the original point of entry had been fixed (it had not). They found plenty.
From late 2018 through most of 2019, the hired hackers discovered 33 ways to compromise the system, according to a person familiar with the matter who was not authorized to speak publicly. Bloomberg News reviewed a report the hackers produced for the office of Mayor Eric Garcetti.
It describes 10 vulnerabilities found in their own testing and 23 problems that researchers had identified as early as 2008. (Bloomberg News is not publishing information that could be used to attack the utility.) According to people familiar with the operation, few if any of the 33 vulnerabilities have been fixed since the report was submitted in September 2019.
It gets worse.
According to a preliminary legal claim filed in March 2020 by Ardent Technology Solutions, the firm whose hackers were hired for the job, Mayor Garcetti terminated the company’s contract shortly after the hackers produced the report. The company called the dismissal “retaliation” for the report’s harsh criticism.
Cheng, a spokeswoman for the utility, acknowledged that Ardent’s contract was terminated but said the decision had nothing to do with the substance of the report. She said the utility regularly works with public agencies to improve security, including scanning for potential cyber threats.
“We want to assure our customers and stakeholders that cybersecurity is of the utmost importance to LADWP, and appropriate measures have been taken to ensure that our cybersecurity complies with all applicable laws and security standards,” Cheng said in a statement.
Garcetti’s office did not respond to a request for comment.
The case of the Oregon grid operator, the Bonneville Power Administration, is no more encouraging.
A multiyear test that began in 2014 found an alarming degree of exposure to intrusion and was followed by a pair of public reports; one published in 2017 warned the agency about its repeated failure to act.
By 2020, two-thirds of the more than 100 flaws discovered by the Department of Energy and by the utility’s own security teams had still not been fixed, according to interviews with more than a dozen current and former Bonneville security staff, contractors and former members of the DOE cyber team, as well as documents, some of them obtained through Freedom of Information Act requests.
Doug Johnson, a spokesman for Bonneville, said a team reviewed the security reports in mid-2019 and is working to fix the problems. The utility acknowledged that the test hackers were able to breach certain BPA systems, but Johnson said, “At no time were they able to access any BPA system that monitors or controls the power grid.”
Dragos estimated in its 2020 cybersecurity report that 90% of its new customers had “extremely limited to no” visibility inside their industrial control systems. That means that once hackers get in, they are free to collect sensitive data, study system configurations and pick the right moment to launch an attack.
The industry is finally focused on fighting back.
“If the bad guys come after us, we have to pay them back an eye for an eye, or better,” Southern Company CEO Tom Fanning said at a meeting this week. “We have to make sure that the bad guys understand there will be consequences.”