Why US power and water companies are susceptible to cyber attacks
14 June, 2021
When the Los Angeles Department of Water and Power was hacked in 2018, it took only six hours. Early this year, an intruder lurked in a wide range of computers linked to water systems across the US. In Portland, Oregon, intruders installed malicious computers onto a grid providing power to a chunk of the Northwest.
Two of these cases - L.A. and Portland - were tests. The water threat was real, uncovered by cyber security firm Dragos.
All three drive home a point long known but, until recently, little appreciated: the digital security of the US computer networks controlling the machines that produce and distribute water and power is woefully inadequate and a low priority for operators and regulators, posing a terrifying national threat.
“If we have a new world war tomorrow and also have to worry about protecting infrastructure against a cyberattack from Russia or China, then no, I don’t think we’re where we’d prefer to be,” said Andrea Carcano, co-founder of Nozomi Networks, a control system security company.
Hackers working for profit and espionage have long threatened American information systems. But in the last six months, they have targeted companies running operational networks, such as the Colonial Pipeline fuel system, with greater persistence. These are the systems where water could be contaminated, a gas line could spring a leak or a substation could explode.
The threat has been around for at least a decade - and fears about it for a generation - but cost and indifference posed obstacles to action.
It isn’t completely clear why ransomware hackers - those who use malicious software to block use of a computer system until a sum of money has been paid - have recently moved from smaller targets such as universities, banks and local governments to energy companies, meatpacking plants and utilities. Experts suspect increased competition and bigger payouts, as well as foreign government involvement. The shift is finally drawing serious focus to the problem.
The US government began taking small steps to defend cyber security in 1998 when the Clinton administration recognized 14 private sectors as critical infrastructure, including chemicals, defense, energy and financial services. This triggered regulation in finance and power. Other industries were slower to safeguard their computers, including the oil and gas sector, said Rob Lee, the founder of Dragos.
Among the reasons may be the operational and financial burden of pausing production and installing new tools.
Much of the infrastructure running these technology systems is too old for advanced cybersecurity tools. Ripping out and replacing hardware is costly, as are service outages. Network administrators fear that doing the job piecemeal could be worse, since it can increase a network’s exposure to hackers, said Nozomi’s Ms Carcano.
Although the Biden administration’s budget includes $20 billion to upgrade the country’s grid, this comes after a history of shoulder-shrugging from federal and local authorities. Even where companies in under-regulated sectors like coal and oil have prioritised cybersecurity, they’ve been met with little support.
Take the case of ONE Gas in Tulsa, Oklahoma.
Niyo Little Thunder Pearson was overseeing cybersecurity there in January 2020 when his team was alerted to malware trying to enter its operational system - the side that controls gas traffic across Oklahoma, Kansas and Texas.
For two days, his team was in a dogfight with the hackers, who moved laterally across the network. Ultimately, Mr Pearson’s team was able to expel the intruders. When Richard Robinson at Cynalytica fed the corrupted files into his own identification program, ONE Gas learned it had been dealing with malware capable of executing ransomware, exploiting industrial control systems and harvesting user credentials. At its core were digital footprints of some of the most malicious code of the last decade.
Mr Pearson tried to bring the data to the Federal Bureau of Investigation, but it would only accept it on a compact disc, he said. His system couldn’t burn the data onto a CD. When he alerted the Department of Homeland Security and sent it through a secure portal, he never heard back.
Mr Robinson of Cynalytica was convinced a nation-state operator had just attacked a regional gas provider. So he gave a presentation to DHS, the Departments of Energy and Defense and the intelligence community on a conference call. He never heard back either.
“We got zero, and that was what was really surprising,” he said. “Not a single individual reached back out to find out more about what happened to ONE Gas.”
The agencies didn’t respond to requests for comment.
Such official indifference - even hostility - hasn’t been uncommon.
The 2018 break-in to the LA water and power system is another example.
These weren’t criminals but hackers-for-hire, paid to break into the system to help it improve security.
Following the initial intrusion, the city’s security team asked the hackers to assume the initial source of compromise had been fixed (it hadn’t) while looking for a new one. They found many.
Between the end of 2018 and most of 2019, the hired hackers found 33 compromised paths, according to a person familiar with the test who wasn’t authorised to speak publicly.
Bloomberg News reviewed a report made by the hackers for Mayor Eric Garcetti’s office. It described 10 vulnerabilities found during their own test, along with 23 problems researchers had discovered as early as 2008. (Bloomberg News won’t publish information that hackers could use to attack the utility.) The person familiar with the process found that few, if any, of the 33 security gaps had been fixed since the report’s submission in September 2019.
It gets worse.
Immediately after the hackers produced the report, Mayor Garcetti terminated their contract, according to an initial legal claim filed in March 2020 by the hackers, who had been hired from Ardent Technology Solutions. The business alleges the mayor fired the hackers as a “retaliatory measure” for the scathing report.
Ellen Cheng, a spokeswoman for the utility, acknowledged that Ardent’s contract was terminated but said it had nothing to do with the report’s substance. She said the utility frequently partners with public agencies to boost security, including scanning for potential cyber threats.
“We want to assure our customers and stakeholders that cybersecurity is of the utmost importance to LADWP and that appropriate steps have been taken to make certain that our cybersecurity is compliant with all applicable laws and security standards,” Ms Cheng said in a statement.
Mr Garcetti’s office didn’t respond to a request for comment.
The case of the Oregon network - the Bonneville Power Administration - is no more encouraging.
The testing went on for years from 2014 and involved an almost shocking level of intrusion, followed by several public reports. One published in 2017 admonished the agency for repeatedly failing to take action.
By 2020, two-thirds of the more than 100 flaws identified by the Department of Energy and the utility’s own security team hadn’t been resolved, according to interviews with more than a dozen former and current Bonneville security personnel and contractors and former members of the Department of Energy cyber team, as well as documents, some obtained via Freedom of Information Act request.
Doug Johnson, a spokesperson for Bonneville, said a team reviewed the security reports in mid-2019 and that efforts to remediate the flaws are ongoing. The utility acknowledged that hackers were able to breach certain BPA systems in those test hacks, but Mr Johnson said “at no time were they in a position to gain access to the BPA systems that monitor or control the energy grid”.
Dragos estimated in its 2020 cybersecurity report that 90 per cent of its clients had “extremely limited to no visibility” of their industrial control systems. That means that once inside, hackers have free rein to gather sensitive data, investigate system configurations and choose the right time to wage an attack.
The industry is finally focused on fighting back.
“If the criminals come after us, there should be an eye-for-an-eye, or better,” observed Tom Fanning, leader of Southern, at a conference this week. “We’ve got to be sure the criminals understand you will have consequences.”
Source: www.thenationalnews.com