In 2018, the hacking of the Los Angeles Department of Water and Power took only six hours. Early this year, an invader lurked in hundreds of computers tied to water utilities across the U.S. Burglars in Portland, Oregon, planted malicious computers on a system that supplies power to a large portion of the Northwest.
The L.A. and Portland intrusions were authorized security tests. The water threat was real: Dragos, a cybersecurity firm, discovered it, Bloomberg reported.
All three emphasize a long-known but little-appreciated fact: the digital security of computer networks that control the machines producing and distributing water and power in the U.S. is woefully inadequate, a low priority for operators and regulators, and poses a terrifying national threat.
“If we have a new world war tomorrow and have to worry about protecting infrastructure against a cyberattack from Russia or China, then no, I don’t think we’re where we’d like to be,” said Andrea Carcano, co-founder of Nozomi Networks, a control system security company.
Hackers bent on profit or espionage have long posed a threat to American computer systems. In the past six months, however, they have been more persistent in targeting organizations that run operational networks, such as the Colonial Pipeline gasoline system. These are the systems that can poison water, cause a gas line to leak, or cause a substation to explode.
The threat has been around for at least a decade—and anxieties about it have been around for a generation—but the response has been hampered by cost and indifference.
It’s unclear why ransomware hackers have recently migrated from small-scale targets such as universities, banks, and municipal governments to energy businesses, meatpacking plants, and utilities. Experts suspect that increased competition among criminal groups, larger payouts, and foreign government involvement are contributing factors. The shift is finally bringing the issue to the forefront.
Costly, risky upgrades
The U.S. government began taking limited steps to protect cybersecurity when the Clinton administration designated 14 private industries as critical infrastructure in 1998, including chemicals, defense, energy, and financial services. This led to regulation in the finance and power sectors. According to Rob Lee, the founder of Dragos, other industries, such as oil and gas, were slower to protect their systems.
One of the reasons is the operational and financial burden of halting production and installing new tools.
Much of the technological infrastructure is too old to support advanced cybersecurity solutions. Ripping out and replacing hardware is costly, and so are the service disruptions that come with it. Network managers worry that doing the job piecemeal will make things worse, because a partially upgraded network is more exposed to hackers, according to Nozomi’s Carcano.
Although the Biden administration’s budget includes $20 billion to improve the country’s grid, federal and local officials have previously shrugged off the issue. Even in under-regulated industries like oil and gas, companies that prioritize cybersecurity have received little help.
One typical case is ONE Gas Inc. in Tulsa, Oklahoma.
Little Thunder Niyo Pearson was in charge of cybersecurity at the company at the time, and his team was alerted to malware attempting to access the company’s operational system, which handles natural gas flow throughout Oklahoma, Kansas, and Texas.
For two days, his team was engaged in a firefight with hackers who moved laterally across the network. Pearson’s team was eventually able to remove the intruders.
When Richard Robinson of Cynalytica fed the recovered files into his own identification tool, ONE Gas discovered it was dealing with malware capable of executing ransomware, manipulating industrial control systems, and harvesting user passwords. The analysis turned up digital footprints matching some of the most harmful code of the last decade.
Pearson attempted to deliver the material to the FBI, but it would only accept it on a compact disc, and his computer could not burn one. He also alerted the Department of Homeland Security and sent the material through a secure portal, but never heard back.
Cynalytica’s Robinson was certain that a nation-state operator had just attacked a regional natural gas provider. He gave a conference-call briefing to DHS, the Departments of Energy and Defense, and the intelligence community. He, too, never received a response.
“We got zero, and that was what was really surprising,” he said. “Not a single individual reached back out to find out more about what happened to ONE Gas.”
The agencies didn’t respond to requests for comment.
Such official indifference is not rare, though.
Los Angeles water and power system
Another example is the break-in to the Los Angeles water and electricity infrastructure in 2018.
These weren’t criminals; rather, they were hired hackers who were paid to break into the system in order to help it improve its security.
The city’s security team advised the hackers to pretend the original source of compromise had been addressed (it hadn’t) while looking for a new one after the initial incursion. They found many.
According to a source involved with the test who wasn’t authorized to speak publicly, the hired hackers found 33 compromised pathways between the end of 2018 and the beginning of 2019. Bloomberg News reviewed a report that the hackers prepared for Mayor Eric Garcetti’s office.
It detailed ten flaws uncovered during their own testing, as well as 23 issues that other researchers had reported as early as 2008. Since the report was submitted in September 2019, few, if any, of the 33 security gaps have been repaired, according to the person familiar with the operation.
And it is even worse.
According to an initial legal claim filed in March 2020 by Ardent Technology Solutions, the firm whose hackers were hired for the test, Garcetti terminated their contract soon after the report was completed. The company says the mayor dismissed the hackers as a “retaliatory measure” in response to the damning report.
Ellen Cheng, a utility spokeswoman, said that Ardent’s contract was canceled but that the cancellation had nothing to do with the contents of the report. She stated that the utility routinely collaborates with government authorities to strengthen security, including checking for cyber threats.
“We want to assure our customers and stakeholders that cybersecurity is of the utmost importance to LADWP and that appropriate steps have been taken to ensure that our cybersecurity is compliant with all applicable laws and security standards,” Cheng said in a statement.
The office of Garcetti did not reply to a request for comment.
The Bonneville Power Administration, which runs the Oregon network, isn’t any better.
The testing began in 2014 and lasted for years, reaching an almost astonishing level of intrusion, and was followed by two public reports. One, from 2017, chastised the agency for repeatedly failing to act.
According to interviews with more than a dozen former and current Bonneville security personnel and contractors, as well as documents obtained through a Freedom of Information Act request, two-thirds of the more than 100 flaws identified by the Department of Energy and the utility’s own security team had not been resolved by 2020.
Doug Johnson, a Bonneville spokesperson, did not reply to requests for comment on whether the vulnerabilities, some of which were disclosed in documents reviewed by Bloomberg in 2020, have been remedied.
Ninety percent of Dragos’ new customers had “extremely limited to no visibility” into their industrial control systems, according to the company’s 2020 cybersecurity report. That means that once inside, hackers have complete freedom to collect sensitive information, study system configurations, and plan an attack at their leisure.
The industry, at least, is finally vowing to fight back.
“If the bad guys come after us, there has to be an eye-for-an-eye, or better,” observed Tom Fanning, chief executive officer of Southern Co., at a conference this week. “We’ve got to make sure the bad guys understand there will be consequences.”