Recent Cybersecurity Breach Allows Hackers Direct Access to US Power Grid Controls
In 2016, spending on cybersecurity products and services rose to more than $80 billion, and there is no sign of the industry slowing down. New technology poses new challenges for cybersecurity firms, which are under pressure to evolve at the same pace. The recently announced security breach at the credit-reporting company Equifax put approximately 143 million people at risk of identity theft. However, Equifax is only one in a string of recent cybersecurity breaches. In early September 2017, the security firm Symantec warned that a series of recent hacker attacks had not only compromised energy companies in the U.S. and Europe, but had also given the intruders enough access to power grid operations to induce blackouts on American soil at will.
A new wave of cyber attacks by a group calling itself Dragonfly 2.0 targeted dozens of energy companies earlier this year. In more than 20 cases, Symantec says hackers successfully accessed their targets' computer networks. While Symantec did not name the companies affected by the attacks, it says that forensic analyses for a handful of U.S. companies and at least one company in Turkey revealed that hackers obtained what is known in the field as "operational access": control of the interfaces power company engineers use to send actual commands to the equipment such as circuit breakers, enabling them to stop the flow of electricity to U.S. homes and businesses.
Eric Chien, a security analyst for Symantec, stated, "[t]here's a difference between being a step away from conducting sabotage and actually being in a position to conduct sabotage...being able to flip the switch on power generation... We're now talking about on-the-ground technical evidence this could happen in the U.S., and there's nothing left standing in the way except the motivation of some actor out in the world."
Symantec's report on the details of the new intrusions revealed that the company has tracked the Dragonfly 2.0 attacks back to at least December 2015, but found that they ramped up significantly in the first half of 2017, particularly in the U.S., Turkey and Switzerland. These attacks were designed to harvest credentials from victims and gain remote access to the machines they operate. So if the hackers had actually gained access to these systems, why did they stop short of using that access? Chien reasons that the hackers may have been seeking the option to cause an electrical disruption when it became strategically useful to do so.
Symantec says it has assisted the power companies that experienced the deepest penetrations, helping them eject the hackers from their networks. It also sent warnings to more than 100 companies that might be exposed to the Dragonfly 2.0 attacks, and notified the U.S. Department of Homeland Security. Nonetheless, Chien warns any company that thinks it may have been targeted not only to remove any malware it has identified but also to reset its staff's credentials. Given the hackers' focus on stealing passwords, flushing malware out of a targeted network still leaves an opening if the intruders retain employees' working logins.
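The point in the paragraph above is that removing malware is not the same as closing the intrusion: any credential that was valid while the attackers were inside remains usable until it is replaced. A simple way to make that concrete in an incident response playbook is to audit every account's credentials against the containment time and list whatever has not been rotated since. The following is an added example written for this page, not code from Symantec or from the article; the account names, credential kinds and dates are constructed for illustration.

```python
"""Post-containment credential rotation audit (added example with constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class Credential:
    kind: str               # e.g. "password", "vpn_cert", "ssh_key"
    last_rotated: datetime  # timezone-aware time this credential was last replaced


@dataclass
class Account:
    username: str
    credentials: List[Credential] = field(default_factory=list)


def _utc(y: int, m: int, d: int, hh: int = 0, mm: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp so comparisons never mix naive/aware values."""
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed inventory: names and dates are illustrative, not from the report.
CONTAINMENT_AT = _utc(2017, 9, 5, 18, 0)  # when the malware was judged removed (constructed)

ACCOUNTS = [
    Account("ops.engineer", [
        Credential("password", _utc(2017, 3, 1)),    # set months before containment
        Credential("vpn_cert", _utc(2017, 9, 10)),   # reissued after containment
    ]),
    Account("scada.admin", [
        Credential("password", _utc(2017, 9, 6, 9, 0)),
        Credential("ssh_key", _utc(2017, 9, 6, 9, 30)),
    ]),
    Account("contractor.remote", [
        Credential("password", _utc(2016, 12, 20)),  # never rotated since the campaign began
        Credential("vpn_cert", _utc(2016, 12, 20)),
    ]),
]


def stale_credentials(accounts: List[Account], containment_at: datetime) -> Dict[str, List[str]]:
    """Return {username: [credential kinds]} for every credential that was not
    rotated strictly after containment. Anything listed here could have been
    harvested while the intruders were present and would still work even
    though the malware itself is gone. A rotation stamped exactly at the
    containment time is treated as stale, since it may predate the cleanup."""
    if containment_at.tzinfo is None:
        raise ValueError("containment_at must be timezone-aware")
    stale: Dict[str, List[str]] = {}
    for acct in accounts:
        kinds = [c.kind for c in acct.credentials if c.last_rotated <= containment_at]
        if kinds:
            stale[acct.username] = kinds
    return stale


def rotation_complete(accounts: List[Account], containment_at: datetime) -> bool:
    """True only when no credential in the inventory predates containment."""
    return not stale_credentials(accounts, containment_at)


if __name__ == "__main__":
    report = stale_credentials(ACCOUNTS, CONTAINMENT_AT)
    for user, kinds in report.items():
        print(f"{user}: rotate {', '.join(kinds)}")
    print("rotation complete" if rotation_complete(ACCOUNTS, CONTAINMENT_AT) else "rotation incomplete")
```

In practice the inventory would be pulled from the directory service and the VPN/jump-host certificate store rather than hard-coded, and the containment time would be the earliest point at which the intruders could have captured credentials, not the moment the last malware sample was deleted.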