When the Los Angeles Department of Water and Power was hacked in 2018, it took only six hours. Earlier this year, hundreds of computers connected to water systems across the United States were breached. In Portland, Oregon, intruders installed malicious computers on a grid that supplies electricity to a section of the Northwest.
Two of those cases, Los Angeles and Portland, were tests. The water-system threat was real, discovered by the cybersecurity firm Dragos.
All three drive home a point that has been known for a long time but until recently was underestimated: the digital security of the US computer networks that control water and energy distribution equipment is woefully inadequate, a low priority for operators and regulators alike, and that poses a serious national threat.
“If we have a new world war tomorrow and have to worry about protecting our infrastructure from cyber-attacks from Russia or China, then no, I do not think we are where we want to be,” said Andrea Carcano, co-founder of Nozomi Networks, a security management firm.
Profit-seeking hackers have long threatened US information systems. But over the past six months they have increasingly targeted companies that run operational networks, such as the Colonial Pipeline fuel system. These are the systems where water can be contaminated, a pipeline can leak or a substation can explode.
The threat has existed for at least a decade, and the associated fears for generations, but cost and indifference have hindered action.
It is not clear why ransomware hackers, who use malware to block access to computer systems, have recently shifted from smaller targets such as universities, banks and local governments to energy companies, meat packers and utilities. Experts suspect increased competition, bigger payouts and foreign government involvement. The shift is finally drawing serious attention to the problem.
The U.S. government began taking small steps toward cybersecurity in 1998, when the Clinton administration designated 14 private sectors as critical infrastructure, including chemicals, defense, energy and financial services. This spurred regulation in finance and government. Other industries have been slower to protect their computers, including the oil and gas sector, says Rob Lee, founder of Dragos.
One reason is the operational and financial burden of halting production to install new tools.
Most infrastructure technology systems are too old for sophisticated cybersecurity tools. Repairing and replacing hardware is as costly as the service failures it prevents. Network administrators fear that doing the job only partially could be worse, since it could increase the network’s exposure to hackers, says Nozomi’s Carcano.
Although the Biden administration’s budget includes $20 billion to improve the country’s grid, it comes after a long history of federal shoulder-shrugging. Even when companies and regulators in sectors such as oil and gas prioritize cybersecurity, they get little support.
Take the case of ONE Gas Inc. in Tulsa, Oklahoma.
Niyo Little Thunder Pearson was overseeing cybersecurity there in January 2020 when his team was alerted to a malicious program trying to gain access to its operational system, the part that controls the flow of natural gas in Oklahoma, Kansas and Texas.
For two days, his team was in a dogfight with the hackers as they moved across the network. In the end, Pearson’s team managed to evict the intruders.
When Richard Robinson of Cynalytica fed the corrupted files into his analysis program, ONE Gas learned that it was dealing with malware capable of running ransomware, manipulating industrial control systems and harvesting user credentials. It bore digital fingerprints found in some of the most malicious code of the past decade.
Pearson tried to get the data to the Federal Bureau of Investigation, but the bureau would accept it only on a CD, and his system could not burn one. When he called the Department of Homeland Security and sent it through their secure portal, he got no further response.
Cynalytica’s Robinson was convinced that a state-sponsored operator had just attacked a regional natural gas supplier. So he spoke at a conference to DHS, the Department of Energy, the Department of Defense and the intelligence community. He never heard back either.
“We got zero. It was really amazing,” he said. “Not a single person has been able to find out what happened to ONE Gas.”
Agencies did not respond to requests for comment.
Such official indifference, even hostility, is not unusual.
The 2018 intrusion into the Los Angeles water and power system is another example.
The intruders were not criminals but hired hackers paid to break into the system so that its security could be improved.
After the initial intrusion, the city’s security team asked the hackers to assume that the original point of compromise had been fixed (it had not) and to find a new one. They found many.
From late 2018 through most of 2019, the hired hackers found 33 ways to compromise the system, according to a person familiar with the test who was not authorized to speak publicly. Bloomberg News reviewed a report the hackers prepared for the office of Mayor Eric Garcetti.
It described 10 vulnerabilities identified in their own test, as well as 23 issues identified by researchers since 2008. (Bloomberg News is not publishing information that hackers could use to attack the utility.) The person familiar with the operation said that few, if any, of the 33 security gaps have been closed since the report was submitted in September 2019.
It gets worse.
Shortly after the hackers delivered their report, Mayor Garcetti’s office terminated their contract, according to a preliminary legal claim filed in March 2020 by Ardent Technology Solutions, the firm hired to conduct the test.
Utility spokeswoman Ellen Cheng acknowledged that Ardent’s contract was terminated but said it had nothing to do with the report. She said the utility regularly works with government agencies to improve security, including searching for potential cyber threats.
“We want to reassure our customers and stakeholders that cybersecurity is crucial to LADWP, and that appropriate steps have been taken to comply with all of our existing cybersecurity laws and safety standards,” Cheng said in a statement.
Garcetti’s office did not respond to a request for comment.
The case of the Oregon grid, the Bonneville Power Administration, is no more encouraging.
Testing began in 2014 and went on for years, with an almost shocking level of intrusion, followed by a pair of public reports. One, published in 2017, warned the agency that it had repeatedly failed to take action.
By 2020, more than two-thirds of the more than 100 deficiencies identified by the Department of Energy’s own utility security team had not been resolved, according to interviews with more than a dozen former Bonneville security staff and contractors and former members of the Department of Energy’s cyber team, as well as documents, some of them obtained through a Freedom of Information Act request.
Bonneville spokesman Doug Johnson said the team reviewed the security reports in mid-2019 and that efforts to remediate the findings were ongoing. The utility acknowledged that hackers were able to breach certain BPA systems in those test hacks, but Johnson said that “they have never been able to access any of the BPA systems that control or monitor the grid.”
In its 2020 cybersecurity assessment report, Dragos says that 90% of its new customers had “extremely limited” visibility into their industrial control systems.
The industry is finally focused on fighting back.
“If the bad guys are coming after us, you have to have an eye for an eye, or better yet,” said Southern Co. CEO Tom Fanning at a conference this week. “We have to make sure that the perpetrators understand that there will be consequences.”