It was inevitable that someday, hackers would have the ability to exert control over the U.S. electrical grid. According to the computer security firm Symantec, someday is today.
Hacking attacks over the last several months that targeted U.S. energy companies have been able to gain "operational control" over systems, thus threatening blackouts across the U.S., says Symantec.
The hacker group known as DragonFly 2.0 was able to gain control in at least 20 places, according to the firm.
Symantec on Wednesday revealed a new campaign of attacks by a group it is calling Dragonfly 2.0, which it says targeted dozens of energy companies in the spring and summer of this year. In more than 20 cases, Symantec says the hackers successfully gained access to the target companies' networks. And at a handful of US power firms and at least one company in Turkey – none of which Symantec will name – their forensic analysis found that the hackers obtained what they call operational access: control of the interfaces power company engineers use to send actual commands to equipment like circuit breakers, giving them the ability to stop the flow of electricity into US homes and businesses.
"There's a difference between being a step away from conducting sabotage and actually being in a position to conduct sabotage ... being able to flip the switch on power generation," says Eric Chien, a Symantec security analyst. "We're now talking about on-the-ground technical evidence this could happen in the US, and there's nothing left standing in the way except the motivation of some actor out in the world."
Never before have hackers been shown to have that level of control of American power company systems, Chien notes. The only comparable situations, he says, have been the repeated hacker attacks on the Ukrainian grid that twice caused power outages in the country in late 2015 and 2016, the first known hacker-induced blackouts.
Security firms like FireEye and Dragos have pinned those Ukrainian attacks on a hacker group known as Sandworm, believed to be based in Russia. But Symantec stopped short of blaming the more recent attacks on any country or even trying to explain the hackers' motives. Chien says the company has found no connections between Sandworm and the intrusions it has tracked. Nor has it directly connected the Dragonfly 2.0 campaign to the string of hacker intrusions at US power companies – including a Kansas nuclear facility – known as Palmetto Fusion, which unnamed officials revealed in July and later tied to Russia.
Chien does note, however, that the timing and public descriptions of the Palmetto Fusion hacking campaigns match up with its Dragonfly findings. "It's highly unlikely this is just coincidental," Chien says. But he adds that while the Palmetto Fusion intrusions included a breach of a nuclear power plant, the most serious DragonFly intrusions Symantec tracked penetrated only non-nuclear energy companies, which have less strict separations of their internet-connected IT networks and operational controls.
The first question I would want answered is, if they have that sort of control, why not exercise it? Why no blackouts or service interruptions in the U.S.?
Hacking Sony or another private business is one thing. Fooling with our electrical infrastructure is many orders of magnitude more serious. If a sovereign nation were behind such an event, it would be tantamount to a declaration of war. Unless the attacking nation was supremely confident that the hack couldn't be traced back to it, the nation would be unlikely to attempt it.
Causing a blackout in a major urban area would almost certainly result in many deaths. We know this from previous blackouts in New York City, where the 2003 power outage is estimated to have resulted in 100 deaths. This would be intolerable, and if the attack could be traced back to Russia or China, it would result in retaliation by the U.S. We're no slouches ourselves when it comes to cyber-warfare, and we could almost certainly make any country pay dearly.
But in a time of war, that kind of control over our electrical grid could wreak havoc and sow confusion and fear among the populace. In the meantime, it would behoove the government to work with industry to harden our systems to prevent that kind of catastrophe.