custom ad
BusinessDecember 21, 2015

SAN JOSE, Calif. -- Security researcher Brian Wallace was on the trail of hackers who had snatched a California university's housing files when he stumbled into a larger nightmare: Cyberattackers had opened a pathway into the networks running the United States' power grid...

By GARANCE BURKE and JONATHAN FAHEY ~ Associated Press
System control center operator Ryan Cox sits at his computer workstation May 20 at an AEP Transmission Operations Center in New Albany, Ohio. Many of the substations and equipment that move power across the U.S. are decrepit and never were built with network security in mind. (John Minchillo ~ Associated Press)
System control center operator Ryan Cox sits at his computer workstation May 20 at an AEP Transmission Operations Center in New Albany, Ohio. Many of the substations and equipment that move power across the U.S. are decrepit and never were built with network security in mind. (John Minchillo ~ Associated Press)

SAN JOSE, Calif. -- Security researcher Brian Wallace was on the trail of hackers who had snatched a California university's housing files when he stumbled into a larger nightmare: Cyberattackers had opened a pathway into the networks running the United States' power grid.

Digital clues pointed to Iranian hackers. And Wallace found they already had taken passwords and engineering drawings of dozens of power plants, at least one with the title "Mission Critical." The drawings were so detailed, experts said skilled attackers could have used them, along with other tools and malicious code, to knock out electricity flowing to millions of homes.

Wallace was astonished. But this breach, The Associated Press has found, was not unique.

About a dozen times in the last decade, sophisticated foreign hackers have gained enough remote access to control the operations networks that keep the lights on, according to top experts who spoke on condition of anonymity due to the sensitive nature of the subject matter.

The public almost never learns the details about these types of attacks. They're rarer but more intricate and potentially dangerous than data theft. Information about the government's response to these hacks often is protected and sometimes classified; many never are reported to the government.

These intrusions have not caused the kind of cascading blackouts feared by the intelligence community. But so many attackers have stowed away in the systems that run the U.S. electric grid, experts said they likely have the capability to strike at will.

And that's what worries Wallace and other cybersecurity experts most.

"If the geopolitical situation changes and Iran wants to target these facilities, if they have this kind of information, it will make it a lot easier," said Robert M. Lee, a former U.S. Air Force cyberwarfare operations officer.

In 2012 and 2013, in well-publicized attacks, Russian hackers successfully sent and received encrypted commands to U.S. public utilities and power generators; some private firms concluded this was an effort to position interlopers to act in the event of a political crisis.

And the Department of Homeland Security announced about a year ago a separate hacking campaign, believed by some private firms to have Russian origins, had injected software with malware that allowed the attackers to spy on U.S. energy companies.

"You want to be stealth," said Lillian Ablon, a cybersecurity expert at the RAND Corporation. "That's the ultimate power, because when you need to do something you are already in place."

The hackers have gained access to an aging, outdated power system. Many of the substations and equipment that move power across the U.S. are decrepit and never were built with network security in mind; hooking them up to the Internet over the last decade has given hackers new backdoors in. Distant wind farms, home solar panels, smart meters and other networked devices must be monitored and controlled remotely, which opens up the broader system to fresh points of attack.

Hundreds of contractors sell software and equipment to energy companies, and attackers have used those outside companies as a way to get inside networks tied to the grid.

Attributing attacks is tricky. Neither U.S. officials nor cybersecurity experts would or could say whether the Islamic Republic of Iran was involved in the attack Wallace discovered involving Calpine Corp., a power producer with 82 plants operating in 18 states and Canada.

Receive Daily Headlines FREESign up today!

Private firms have alleged other recent hacks of networks and machinery tied to the U.S. power grid were carried out by teams from within Russia and China, some with governmental support.

Even the Islamic State group is trying to hack American power companies, a top Homeland Security official told industry executives in October.

The attack involving Calpine is particularly disturbing because the cyberspies grabbed so much, according to previously unreported documents and interviews.

Cybersecurity experts said the breach began at least as far back as August 2013.

Calpine spokesman Brett Kerr said the company's information was stolen from a contractor that does business with Calpine. He said the stolen diagrams and passwords were old -- some diagrams dated to 2002 -- and presented no threat, though some outside experts disagree.

Kerr would not say whether the configuration of the power plants' operations networks -- also valuable information -- remained the same as when the intrusion occurred, or whether it was possible the attackers still had a foothold.

The hackers stole user names and passwords that could be used to connect remotely to Calpine's networks, which were being maintained by a data security company. Even if some of the information was outdated, experts say skilled hackers could have found a way to update the passwords and slip past firewalls to get into the operations network. Eventually, they said, the intruders could have shut down generating stations, fouled communications networks and possibly caused a blackout near the plants.

They also took detailed engineering drawings of networks and power stations from New York to California -- 71 in all -- showing the precise location of devices that communicate with gas turbines, boilers and other crucial equipment attackers would need to hack specific plants.

Cylance researchers said the intruders stored their stolen goods on seven unencrypted FTP servers requiring no authentication to access details about Calpine's plants. Jumbled in the folders was code that could be used to spread malware to other companies without being traced back to the attackers' computers, as well as handcrafted software designed to mask that the Internet Protocol addresses they were using were in Iran.

Calpine didn't know its information had been compromised until it was informed by Cylance, Kerr said.

Iranian U.N. Mission spokesman Hamid Babaei did not return calls or address questions emailed by AP.

Cylance notified the FBI, which warned the U.S. energy sector in an unclassified bulletin in December 2014 a group using Iran-based IP addresses had targeted the industry.

Homeland Security spokesman S.Y. Lee said his agency is coordinating efforts to strengthen grid cybersecurity nationwide and to raise awareness about evolving threats to the electric sector through industry trainings and risk assessments. As Deputy Secretary Alejandro Mayorkas acknowledged in an interview, however, "we are not where we need to be" on cybersecurity.

That's partly because the grid largely is privately owned and has entire sections that fall outside federal regulation, which experts argue leaves the sector poorly defended against a growing universe of hackers seeking to access its networks.

As Deputy Energy Secretary Elizabeth Sherwood Randall said in a speech earlier this year, "If we don't protect the energy sector, we are putting every other sector of the economy in peril."

Story Tags
Advertisement

Connect with the Southeast Missourian Newsroom:

For corrections to this story or other insights for the editor, click here. To submit a letter to the editor, click here. To learn about the Southeast Missourian’s AI Policy, click here.

Advertisement
Receive Daily Headlines FREESign up today!