Cipher Brief Expert View: Cyberattacks on Power Plants a Warning

Rhea Siers
Former Deputy Associate Director for Policy, National Security Agency

Reports of intrusions into industrial control systems (ICS) broke late last week – this time in several U.S. power plants, including the Wolf Creek nuclear facility in Kansas.  The alleged perpetrator? Russia, leading many to compare these incidents to the successful and damaging Russian attacks against the electrical grid in Ukraine. 

So how concerned should we be? These intrusions are not necessarily new – but they are worrisome. Repeated cyber intrusions have targeted U.S. ICS – the technology that keeps utility operations running.  In 2014, DHS warned about the presence of Black Energy, a piece of malware, in U.S. systems – the same malware that caused disruption to electric power in the Ukraine. At that time, Black Energy was believed connected to the Sandworm Gang, an alleged Russian surrogate.

Do the latest intrusions represent an escalation in threat to the U.S. electric grid or to the stability of nuclear power plants? DHS and the FBI provided urgent warnings to these facilities.  But, while these warnings generate headlines, we need to know more to truly assess the nature of the threat.  There are several key points to consider:

  • DHS and the FBI apparently sought to use this as yet another lesson for the industry.  The hackers allegedly used phishing emails, such as fake resumes, sent to plant engineers and containing malicious code.  This is obviously not a new technique and once again points to the human element as the greatest cyber vulnerability.  According to DHS officials, operational systems were not implicated and intrusions were limited to administrative networks.  The intruders wanted to map out and/or analyze these control systems.  We’ve seen adversaries hunting for intelligence in this manner before.  Any cyber intelligence service worth its salt is in the business of discovering their adversary’s vulnerabilities and information with which it can improve the efficacy of its malware.
  • What is the separation between nuclear critical controls and other Internet connected systems at these facilities?  The nuclear energy industry claims that the computer systems operating their reactors are isolated from the Internet.  Though it didn’t happen in this instance, we have seen that air gapped systems (a la Stuxnet) can indeed be penetrated.
  • The nuclear energy industry has established its own Information Sharing and Analysis Center (ISAC) for cybersecurity.  There have been reports that a separate cyber event, code named “Nuclear 17” was discussed among its membership – but further details are not available and it is believed not to be connected to the Wolf Creek incidents.  However, this unpublicized incident adds to the concerns and appearance of vulnerability. 
  • This attack represents an adversary probing for vulnerabilities and preparing to use them, including advancing malware, if they deem it advantageous. We ignore this at our own risk. In public at least, definitive evidence attributing the activity to Russia has not been presented. This does not mean that the Russians are innocent here; simply that information may be classified or protected by the U.S. government. 
  • Why is the Ukraine connection or example important?  Because it demonstrates the type of cyber warfare that Russia and its surrogates would wage.  The Russians have tested their cyber capabilities with an emphasis on those that disrupt civilian life and government operations from Georgia to Estonia to Ukraine.  Many experts believe that Ukraine has been a cyberwar test bed for the Russians.  The fact that the Russians or other adversaries may want to direct this same disruption as part of their contingency planning against the U.S. should not surprise us; but it should necessitate increased preparation and defense of civilian and government networks.   
  • Our preparation obviously must encompass sound cybersecurity defenses but it must also include credible cyber deterrence.  Protecting our critical infrastructure is a call we hear often; setting the standards and demanding the resources to underpin a solid defense remains a work in progress.  We have yet to find the right individual strategies of cyber deterrence not only for Russia but also against other cyber adversaries.  It is critical that a sound defense and speedy recovery from attacks also be a key component of cyber deterrence. 

These latest intrusions do not signal that the sky is falling now.  But they do demonstrate that an agile cyber defense and deterrence must be a priority for this country in both the public and private sectors.  

The Author is Rhea Siers

Rhea D. Siers is a Senior Expert in Cybersecurity for the Risk Assistance Network and Exchange (RANE) and the Scholar in Residence at the GWU Center for Cyber and Homeland Security. She is co-author of "Cyberwarfare: Understanding the Law, Policy and Technology" (Thomson Reuters).  She worked in the Intelligence Community for 30 years, and served as the Deputy Associate Director for Policy at the National Security Agency.

Learn more about The Cipher's Network here