NSA chief says ‘when, not if’ foreign country hacks U.S. infrastructure

SAN FRANCISCO (Reuters) – The U.S. National Security Agency chief said on Tuesday it was a “matter of when, not if” a foreign nation-state attempts to launch a cyber attack on the U.S. critical infrastructure, citing the recent hack on Ukraine’s power grid as a cause for concern.

Speaking at the RSA cyber security conference in San Francisco, Admiral Michael Rogers said he was also worried about data manipulation and potential offensive cyber threats posed by non-nation-state actors such as Islamic State.

The U.S. government said last week a December blackout in Ukraine that affected 225,000 customers was the result of a cyber attack, supporting what most security researchers had already concluded.

Some private researchers have linked the incident to a Russian hacking group known as “Sandworm.”

(Reporting by Dustin Volz; Editing by Jeffrey Benkoe)

Ukraine sees Russian hand in cyber attacks on power grid

KIEV (Reuters) – Hackers used a Russian-based internet provider and made phone calls from inside Russia as part of a coordinated cyber attack on Ukraine’s power grid in December, Ukraine’s energy ministry said on Friday.

The incident was widely seen as the first known power outage caused by a cyber attack, and has prompted fears both within Ukraine and outside that other critical infrastructure could be vulnerable.

The ministry, saying it had completed an investigation into the incident, did not accuse the Russian government directly of involvement in the attack, which knocked out electricity supplies to tens of thousands of customers in central and western Ukraine and prompted Kiev to review its cyber defenses.

But the findings chime with the testimony of the U.S. intelligence chief to Congress this week, which named cyber attacks, including those targeting Washington’s interests in Ukraine, as the biggest threat to U.S. national security.

Relations between Kiev and Moscow soured after Russia annexed the Crimean peninsula in March 2014 and pro-Russian separatist violence erupted in Ukraine.

Hackers targeted three power distribution companies in December’s attack, and then flooded those companies’ call centers with fake calls to prevent genuine customers reporting the outage.

“According to one of the power companies, the connection by the attackers to its IT network occurred from a subnetwork … belonging to an (internet service) provider in the Russian Federation,” the ministry said in a statement.

Deputy Energy Minister Oleksander Svetelyk told Reuters hackers had prepared the attacks at least six months in advance, adding that his ministry had ordered tighter security procedures.

“The attack on our systems took at least six months to prepare – we have found evidence that they started collecting information (about our systems) no less than 6 months before the attack,” Svetelyk said by phone.

Researchers at Trend Micro, one of the world’s biggest security software firms, said this week that the software used to infect the Ukrainian utilities has also been found in the networks of a large Ukrainian mining company and a rail company.

The researchers said one possible explanation was that it was an attempt to destabilize Ukraine as a whole. It was also possible these were test probes to determine vulnerabilities that could be exploited later, they said.

(Writing by Matthias Williams; additional reporting by Eric Auchard; Editing by Ruth Pitchford)

U.S. utilities worry about cyber cover after Ukraine grid attack

(Reuters) – U.S. utilities are looking hard at their cyber vulnerabilities and whether they can get insurance to cover what could be a multi-billion dollar loss after hackers cut electric power to more than 80,000 Ukrainians last month.

The Dec. 23 incident in Ukraine was the first cyber attack to cause a power outage, and is one of just a handful of incidents in which computer hacking has caused physical effects on infrastructure rather than the loss or theft of electronic data.

A similar attack in the United States could cripple utilities and leave millions of people in the dark, costing the economy more than $200 billion, an insurance study estimated last year.

Security experts, insurance brokers, insurers and attorneys representing utilities told Reuters that the Ukraine attack has exposed long-standing ambiguity over which costs would be covered by insurance in various cyber attack scenarios.

“People in the insurance industry never did a great job clarifying the scope of coverage,” said Paul Ferrillo, an attorney with Weil, Gotshal & Manges who advises utilities.

Cyber insurance typically covers the cost of attacks involving stolen personal data. Some general property and liability policies may cover physical damage from cyber attacks, but insurers do not always provide clear answers about coverage for industrial firms, said Ben Beeson, a partner with broker Lockton Companies.

That has led to some unease among U.S. utilities.

“When you get these kind of headline-grabbing cyber incidents, there is obviously a flurry of interest,” said Dawn Simmons, an executive with Associated Energy and Gas Insurance Services, or AEGIS, a U.S. mutual insurer that provides coverage to its 300 or so members.

Getting a policy that includes cyber property damage is not cheap.

Sciemus Cyber Ltd, a specialty insurer at the Lloyd’s of London insurance market, charges energy utilities roughly $100,000 for $10 million in data breach insurance. The price balloons to as much as seven times that rate to add coverage for attacks that cause physical damage, said Sciemus Chief Executive Rick Welsh.

INDUSTRY WARNINGS

Security experts have warned for several years that a cyber attack could cause power outages due to the growing reliance on computer technology in plants that is accessible from the Internet.

In the Ukraine attack, hackers likely gained control of systems remotely, then switched breakers to cut power, according to an analysis by the Washington-based SANS Institute. Ukraine’s state security service blamed Russia for the attack, while U.S. cyber firm iSight Partners linked it to a Russian hacking group known as Sandworm Team.

Utilities are now trying to determine if they have insurance to cover these kinds of attacks, and if not, whether they need it, said Patrick Miller, founder of the Energy Sector Security Consortium, an industry group that shares information on cyber threats.

American Electric Power Company Inc, Duke Energy Corp, Nextera Energy Inc and PG&E Corp are among publicly-traded utility companies that have warned of their exposure to cyber risks in their most recent annual reports to securities regulators, and that their insurance coverage might not cover all expenses related to an attack.

Representatives with AEP, Duke and PG&E declined to disclose the limits of their insurance. Officials with Nextera could not be reached for comment.

The potential costs of an attack in the United States are huge. Last year Lloyd’s and the University of Cambridge released a 65-page study estimating that simultaneous malware attacks on 50 generators in the Northeastern United States could cut power to as many as 93 million people, resulting in at least $243 billion in economic damage and $21 billion to $71 billion in insurance claims.

The study called such a scenario improbable but “technologically possible.”

There are precedents, including the 2010 ‘Stuxnet’ attack that damaged centrifuges at an Iranian uranium enrichment facility and the 2012 ‘Shamoon’ campaign that crippled business operations at Saudi Aramco and RasGas by wiping drives on tens of thousands of PCs.

In late 2014, the German government reported that hackers had damaged an unnamed steel mill, the first attack that damaged industrial equipment. Details remain a mystery.

AMBIGUITY OVER COVERAGE

“It’s getting a little competitive just to get a carrier quoting your policy,” said Lynda Bennett, an attorney with Lowenstein Sandler, who helps businesses negotiate insurance. Some insurers have cut back on cyber coverage in response to the increase in the number and types of breaches, she added.

American International Group Inc, for example, will only write cyber policies over $5 million for a power utility after an in-depth review of its technology, including the supervisory control and data acquisition (SCADA) systems that remotely control grid operations.

“There are companies that we have walked away from providing coverage to because we had concerns about their controls,” said AIG executive Tracie Grella.

AIG and AEGIS declined to discuss pricing of policies. It seems likely they will find coverage more in demand after the Ukraine attack.

“A lot more companies will be asked by their stakeholders internally: Do we have coverage for this type of thing?” said Robert Wice, an executive with Beazley Plc, which offers cyber insurance. “Whether they actually start to buy more or not will depend on pricing.”

(Reporting by Jim Finkle; Additional reporting by Rory Carroll; Editing by Bill Rigby)

Hackers may have wider access to Ukrainian industrial facilities

KIEV (Reuters) – Hackers were able to attack four sections of Ukraine’s power grid with malware late last year because of basic security lapses and they could take down other industrial facilities at any time, a consultant to government investigators said.

Three power cuts reported in separate areas of western and central Ukraine in late December were the first known electrical outages caused by cyber attacks, causing consternation among businesses and officials around the world.

The consultant, Oleh Sych, told Reuters a fourth Ukrainian energy company had been affected by a lesser attack in October, but declined to name it.

He also said a similar type of malware had been identified by the Ukrainian anti-virus software company Zillya! where he works as far back as July, making it impossible to know how many other systems were at risk.

“This is the scariest thing – we’re living on a powder keg. We don’t know where else has been compromised. We can protect everything, we can teach administrators never to open emails, but the system is already infected,” he said.

Sych, whose firm is advising the State Security Service SBU and a commission set up by the energy ministry, said power distributors had ignored their own security rules by allowing critical computers to be hooked up to the Internet when they should have been kept within an internal network.

This so-called “air gap” separates computer systems from any outside Internet connections accessible to hackers.

“A possible objective was to bring down some branches (of the Ukrainian energy system) and create a ‘domino effect’ to collapse the entire system of Ukraine or a significant part,” Sych said.

Ukraine has also been targeted in other cyber attacks, which included hacking into the system of Ukraine’s biggest airport and TV news channels.

Security services and the military blamed the attacks on Russia, an allegation dismissed by the Kremlin as evidence of Ukraine’s tendency to accuse Russia of “all mortal sins”.

Russia annexed Crimea from Ukraine in 2014 and has supported separatist rebels in east of the former Soviet republic, arguing that Kiev’s Western-backed government, elected after the Moscow-backed president fled widespread protests, was illegitimate.

Sych, who said he could not reveal all the details of the probe, said there was no conclusive evidence that the attacks originated in Russia. One of the emails was sent from the server of a German university, another from the United States, he said.

INSIDER

International cyber-security researchers who have studied the attacks believe the attackers broke into networks by sending targeted emails designed to trick utility insiders to click on Excel documents that were poisoned with malware used to gain control inside the networks.

Sych agreed, saying:

“We understand that this couldn’t have happened without an insider. To carry out this kind of attack you need to know what kind of operating system and SCADA (supervisory control and data acquisition) are used and what software controls the industrial facility,” he said.

SCADA software is widely used to control industrial systems worldwide.

“The attackers must have known what software was installed … to test (the malware) on it. Clearly preliminary investigations were carried out and this was easy to do with this kind of insider information.”

He said the hackers had sent the e-mails in question to workers at the affected power distribution companies with infected Word or Excel files that were meant to look like official correspondence from the energy ministry.

They contained topics that would have been recognizable to the workers and were not sent out en masse but targeted certain individuals instead. One of the emails was about regional electricity production levels, he said.

“It was all very simple and stupid,” Sych said, adding that the hackers totally wiped the data of some of the computers in one of the firms.

Details of the impact of the attacks have been sketchy, but one is reported to have affected 80,000 customers for two hours. The three named companies declined to comment on Sych’s remarks.

“All experts agree this sort of attack on electric utilities or other critical infrastructure was bound to happen because engineering-wise, physics-wise it is technically possible to do,” said Kenneth Geers, a Kiev-based national security analyst who worked for U.S. intelligence agencies for 20 years until 2013.

All it takes is political will or opportunism to try something like this, he said.

Ukrainian Deputy Energy Minister Oleksander Svetelyk has also accused the companies of lapses, saying on Tuesday there had been a “a lot of errors”. He added that U.S. cyber experts would come to Kiev later this week to help with the investigation.

(Additional reporting by Maria Tsvetkova in Moscow and Eric Auchard in Brussels; Writing by Matthias Williams; Editing by Philippa Fletcher)

Ukraine to review cyber defenses after airport targeted from Russia

KIEV (Reuters) – Ukrainian authorities will review the defenses of government computer systems, including at airports and railway stations, after a cyber attack on Kiev’s main airport was launched from a server in Russia, officials told Reuters on Monday.

Malware similar to that which attacked three Ukrainian power firms in late December was detected last week in a computer in the IT network of Kiev’s main airport, Boryspil. The network includes the airport’s air traffic control.

Although there is no suggestion at this stage that Russia’s government was involved, the cyber attacks have come at a time of badly strained relations between Ukraine and Russia over a nearly two-year-long separatist conflict in eastern Ukraine.

“In connection with the case in Boryspil, the ministry intends to initiate a review of anti-virus databases in the companies which are under the responsibility of the ministry,” said Irina Kustovska, a spokeswoman for Ukraine’s infrastructure ministry, which oversees airports, railways and ports.

Ukraine’s state-run Computer Emergency Response Team (CERT-UA) issued a warning on Monday of the threat of more attacks.

“The control center of the server, where the attacks originate, is in Russia,” military spokesman Andriy Lysenko said by telephone, adding that the malware had been detected early in the airport’s system and no damage had been done.

A spokeswoman for the airport said Ukrainian authorities were investigating whether the malware was connected to a malicious software platform known as “BlackEnergy”, which has been linked to other recent cyber attacks on Ukraine. There are some signs that the attacks are linked, she said.

“Attention to all system administrators … We recommend a check of log-files and information traffic,” CERT-UA said in a statement.

In December three Ukrainian regional power firms experienced short-term blackouts as a result of malicious software in their networks. Experts have described the incident as the first known power outage caused by a cyber attack.

A U.S. cyber intelligence firm in January traced the attack back to a Moscow-backed group known as Sandworm.

The Dec. 23 outage at Western Ukraine’s Prykarpattyaoblenergo cut power to 80,000 customers for about six hours, according to a report from a U.S. energy industry security group.

Ukraine’s SBU state security service has blamed Russia, but the energy ministry said it would hold off on attribution until after it completes a formal probe.

(Editing by Matthias Williams and Gareth Jones)

U.S. helping Ukraine investigate December power grid hack

WASHINGTON (Reuters) – The U.S. Department of Homeland Security said on Tuesday it was helping Ukraine investigate an apparent attack last month on the country’s power grid that caused a blackout for 80,000 customers.

Experts have widely described the Dec. 23 incident at western Ukraine’s Prykarpattyaoblenergo utility as the first known power outage caused by a cyber attack. Ukraine’s SBU state security service has blamed Russia for the incident, while U.S. cyber firm iSight Partners linked it to a Russian hacking group known as “Sandworm.”

In an advisory, DHS said they had linked the blackout to malicious code detected in 2014 within industrial control systems used to operate U.S. critical infrastructure. There was no known successful disruption to the U.S. grid, however.

DHS said the “BlackEnergy Malware” appears to have infected Ukraine’s systems with a spear phishing attack via a corrupted Microsoft Word attachment.

The DHS bulletin from the agency’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, is the first public comment about the Ukraine incident.

A report released by Washington-based SANS Inc over the weekend concluded hackers likely caused Ukraine’s six-hour outage by remotely switching breakers in a way that cut power, after installing malware that prevented technicians from detecting the intrusion. The attackers are also believed to have spammed the Ukraine utility’s customer-service center with phone calls in order to prevent real customers from communicating about their downed power.

DHS and the FBI did not immediately respond to requests for additional comment.

(Reporting by Dustin Volz and Jim Finkle; Editing by Doina Chiacu and Andrew Hay)

Hackers Access Power Grid, N.Y. Dam; Might Have Accessed Government Talks

Hackers gained access to the United States power grid, including detailed drawings that could have been used to cut power to millions of people, according to a new Associated Press report.

The report, published Monday, indicated that there have been roughly 12 times in the past 10 years when foreign hackers accessed the networks controlling lights across the United States.

That includes one instance where hackers, believed to be from Iran, had swiped passwords and detailed sketches of dozens of power plants, invaluable tools if one planned to cut off the power. Cybersecurity experts told the Associated Press the breach (which affected energy company Calpine, which operates 83 power plants) dates to at least August 2013 and could be ongoing.

The Associated Press reported that hackers accessed passwords that could have been used to access Calpine’s networks remotely, along with highly detailed drawings of 71 energy-related facilities across the country. That could allow skilled hackers to specifically target certain plants.

But targeting a plant and successfully shutting off the power are two different things.

The Associated Press report noted the power grid is designed to keep the lights on when utility lines or equipment fail. To cause a widespread blackout, a hacker would have to be exceptionally skilled, bypassing not only a company’s security measures but also creating specialized code that disrupts the interactions of the company’s equipment. Still, experts told the AP that it remains possible for a sufficiently skilled and motivated hacker to send a large swath of the country into blackout, and enough intrusions have occurred that a foreign hacker can likely “strike at will.”

The Associated Press report was published the same day the Wall Street Journal unveiled that Iranian hackers accessed the controls of a dam about 20 miles away from New York City in 2013.

In another breach, tech company Juniper Networks announced last Thursday that it discovered some “unauthorized code” in its software that could have allowed skilled hackers to improperly access some devices and decrypt secure communications. CNN reported the FBI is investigating the hack because it fears the code might have been used to spy on government correspondence.

Because government use of Juniper products is so widespread, one U.S. official told CNN the hack was like “stealing a master key to get into any government building.” CNN reported a foreign government is believed to be behind the hack, but it still is not clear who is responsible.

Juniper said it released a patch that corrects the issue. The company said it wasn’t aware of “any malicious exploitation” of the security loophole, but noted there likely wasn’t a way to reliably detect if a device had been compromised because hackers could have easily erased the evidence.

Ted Koppel States that the U.S. is Unprepared for an Attack on the Power Grid

Veteran journalist, Ted Koppel, is getting the word out to the American public that the U.S. does not have a plan for a cyberattack against the power grid.

In his latest book “Lights Out,” Koppel writes on what would happen if another country took out the nation’s power grid via hacking, and how it would be difficult for unprepared American residents to survive.

“It’s frightening,” Koppel told CBS News. “I mean, it is frightening enough that my wife and I decided we were going to buy enough freeze-dried food for all of our kids and their kids.”

Koppel went on to say that the former Chief Scientists of the NSA told him that Russia and China were already in the power grid. And soon, Iran and terrorist groups like ISIS may be able to hack their way into the power grid’s system that is connected to the Internet.

“I’m not sure why it hasn’t happened yet,” cyber security consultant Larry Pesce told CBS. “It’s definitely not for lack of capability on various parts, be it us or the enemy. I think it comes down to timing. I think we need to make the right people mad at the right time.”

According to Koppel, he has talked with every former secretary of Homeland Security and they all said the same thing: there is no plan for a cyberattack against the power grid. However, Homeland Security replied to CBS saying that there is a plan, but they did not give details.

A former Defense Department official, Paul Stockton, told CBS that Koppel is wrong. While there is a plan in place, Stockton did admit that there could be improvement in security measures both through the government and the power companies.

“The government is building plans very, very quickly now to help manage the consequences of an attack on the grid,” Stockton said.

Stockton did add that Koppel was smart for stocking up on food and water for him and his family.

Average citizens need to be able to take care of their own families and their own neighborhoods and their own communities, and not assume that Uncle Sam is somehow going to magically bring in the cavalry and rescue them,” he said.

ISIS Trying to Hack American Power Grid

On Wednesday American energy firms held a meeting about national security concerns where U.S. law officials announced that ISIS has been trying to hack the power grid.

“ISIL is beginning to perpetrate cyber attacks,” Caitlin Durkovich, assistant secretary for infrastructure protection at the Department of Homeland Security, told company executives.

Investigators didn’t reveal any details or provide any evidence to support the claims, but they did say that all attempts have been unsuccessful. They added that the terrorists lacked the right hacking technology to invade the computer systems and shut off or blow up the machines.

“Strong intent. Thankfully, low capability,” said John Riggi, a section chief at the FBI’s cyber division. “But the concern is that they’ll buy that capability.”

With hacking software available on the black markets, the FBI is now worried that ISIS and other terrorist organizations could get their hands on the right hacking software to attack power companies and grids. This would disrupt power to several U.S. homes and businesses. And the threat isn’t just ISIS; the FBI is also worried about domestic terrorists and hate groups getting their hands on the hacking technology.

U.S. officials also stated that the greatest threat to our power grid is other countries. Last year, they found malware on industrial control systems at energy companies that were traced back to the Russian government.

However, an organization taking down the entire nationwide grid – or even a section of the grid – is extremely unlikely as each grid isn’t uniform and connected like most people believe. The random patterns of the grid keep the machines and software from communicating and coordinating. It would take a large and expensive team of highly trained technical specialists to understand the layout and then hack it. Even if the team was successful, in a worst case scenario they would take out power for a small section of a major city. An entirely different cyberattack would be needed to shut down a different grid at a different plant.

The last infamous attack on a power grid was in 2013 when a sniper shot at a California energy grid substation. The attack was only for 19 minutes, but caused $15 million in damage. The Department of Homeland Security recently released a report that the attacker was likely an inside job. However, no other details were given.

Nationwide Blackout Possible Using Only Nine Power Substations

A new report from the Federal Energy Regulatory Commission shows that as little as nine terrorists could take out the United States’ electrical grid for as much as 18 months.

The report says that on a hot summer day, a coordinated attack on just nine of the nation’s 55,000 electric-transmission substations would cripple the system to the point it would cause a nationwide blackout.

“This would be an event of unprecedented proportions,” Ross Baldick, professor of electrical engineering at the University of Texas told the Wall Street Journal.

The article in the WSJ comes a day after a report from a New Jersey utility oversight committee showed a serious lack of security at key electrical substations.  The report also cited the April 2013 attack on a Pacific Gas & Electric transmission station that knocked out 17 transformers with shots from sniper rifles.

The memo from the FERC says the California attack shows “it does not require sophistication to do significant damage to the U.S. grid.”