Alleged Russian Involvement in Hacking at Vermont Power Utility

January 16, 2017

There is an old proverb or curse that is often falsely attributed to ancient Chinese wisdom:  May you live in interesting times.  Cyber conflict and information warfare certainly make our present very interesting.  Back in the 1980s, if two countries were at war and one wanted to interrupt the other’s operations by cutting off their electricity, they would probably need some physical presence at their enemy’s power plants.  This might be an in-person saboteur, or an airstrike.  In contrast, a large region of Ukraine was plunged into darkness in December of 2015 when malware enabled attackers to shut down part of the country’s power grid.  The blackout lasted three hours before the electricity provider was able to switch the systems back to manual control.

At the turn of the New Year, the Washington Post wrote itself into a controversy when it reported that Russian hackers had infiltrated our country’s electricity grid through a Vermont utility company.  A retraction followed.  The truth was more complicated.  Earlier that week, the FBI and DHS had released a report about “Grizzly Steppe,” a cyber operation attributed to Russia and named after the Russian grasslands.  The initial claim was that code related to Grizzly Steppe was found on a laptop belonging to a Burlington Electric employee, but this was not fully accurate either.  The malware on the employee’s computer was recently reported as actually being the Neutrino malware package, which is not thought to be related to Grizzly Steppe.  Further, the laptop was not connected to the grid.  When the employee checked his Yahoo e-mail account, suspicious traffic triggered an alert.

This questionable report comes at a bad time.  U.S. intelligence officials increasingly point their fingers at Russian hackers for interfering with the U.S. election.  In the midst of all of this, the Washington Post published a flawed article crying Cyber Wolf.

The cyber threats to industrial control systems such as industrial relays and programmable logic controllers that are deployed in utilities and in transportation are significant.  Industrial control systems are very vulnerable to cyber attacks because the same remote control that operators rely on can be taken over by outside actors deploying malware.  Stuxnet was a cyber weapon that had physically destroyed hundreds of Iran’s nuclear centrifuges by the middle of 2010.  In late 2014, a cyberattack on a German steel mill caused massive damage to the mill’s blast furnace.  Hackers used BlackEnergy malware to shut down part of Ukraine’s power grid in late 2015.  This is not a question of “if,” but “when,” and unfortunately, the more effective our security is against these threats, the less real these threats will seem to everyone else, especially when all the public sees are false or questionable reports.

The basics remain: The Burlington Electric employee’s laptop was infected by malware.  If that employee had used a USB drive to transfer any information from that laptop to a computer connected to the grid, the malware could have spread.  Cybersecurity is only as strong as its weakest link.  If the Burlington Electric employee’s laptop had been infected by malware that could enable international espionage, we could be teetering on the edge of global cyberwar. The line between generic criminal hacking and international incidents is increasingly blurry, even as technology improves to make attribution more reliable.  The danger of this report from the Washington Post is that people may underestimate the actual risk of a cyberattack to our critical infrastructure.

This isn’t about partisan politics, Democrat or Republican, blue states or red states.  The dangers are real.  We cannot let our legislators ignore cyber risks because one report was not accurate this time.