Cyber Security

The threat of a Russian cyberattack drives energy companies to collaborate with the US government.

The threat of a Russian cyberattack drives energy companies to collaborate with the US government.
Written by ga_dahmani
The threat of a Russian cyberattack drives energy companies to collaborate with the US government.
Cables lie at a desk entry point inside the control room at the Greater Des Moines Energy Center in Pleasant Hill, Iowa, on March 29.  (KC McGinnis for The Washington Post)
Cables lie at a desk entry point inside the control room at the Greater Des Moines Energy Center in Pleasant Hill, Iowa, on March 29. (KC McGinnis for The Washington Post)

The Ukraine war has put them on high alert

DES MOINES — In February, as Russian troops massed on the Ukraine border, executives from a major energy company here worked with US energy and homeland security officials.

Berkshire Hathaway Energy officials were among the small group that drafted the guidelines, which emphasized the importance of quickly sharing information about cyberattacks between industry and government.

With President Biden warning last month of evolving intelligence that Russia is exploring potential cyberattacks against critical American industries, companies like Berkshire Hathaway Energy and the US government are on high alert. After years of what critics saw as hot air, cybersecurity collaboration between the federal government and some critical industries has taken root, officials and industry leaders say, and could be tested when Russian government hackers investigate the defenses of American power plants. banks and telecommunications networks.

Biden Warns US Businesses to Prepare Against Russian Cyber ​​Attacks

“Collaboration between the government and the private sector has seen exponential improvement in recent years,” said Bill Fehrman, president and chief executive officer of Berkshire Hathaway Energy (BHE), which provides electricity generated by wind, solar, natural gas and Coal. to 12 million customers in the United States, Canada and Great Britain. “The main benefit,” he said, “is the more efficient transfer of information from the front line, the businesses, to the government, and getting useful information from the government in a timely manner.”

In particular, he said, the declassification of government information “has gone from months to in some cases hours.”

BHE is so big — one of the largest power companies in North America by number of customers — that if its systems were disrupted by a Russian cyberattack, officials say, the impact on American lives would be substantial. At the same time, they say, practices such as those adopted by BHE, whose chief executive chairs the power sector group that coordinates with the federal government, can serve as a model for the industry.

As an icy wind whipped through farm fields an hour northwest of Des Moines, the heat from a 10,000-horsepower engine and the smell of oil filled a compressor room. The engine, chugging so loud that workers wear earplugs, drives pistons that compress natural gas. The compressor station in Ogden is a stop along the 13,000-mile-long Northern Natural Gas pipeline, which is part of BHE and is lined with similar stations every 60 miles or so. Compressed gas is fed from station to station on a relay basis, serving homes, hospitals and power plants from Bakersfield, Texas, to Michigan’s Upper Peninsula.

Russian government hackers penetrated US commercial power and nuclear power networks.

There has never been a cyber attack on any industrial control system within BHE and its 11 subsidiaries. That is due to the strict security measures imposed over the last eight years, said the director of security, Michael Ball. No operational network is connected to the Internet, and third-party vendors coming in to perform maintenance follow strict rules, including a ban on connecting any external hardware to the system.

But even if its operational technology (OT) or industrial control systems are not connected to the Internet, the company still has to ensure that the traffic flowing within its systems is not contaminated by malware.

In a campaign launched by the White House a year ago to boost cyber defenses in critical sectors, BHE deployed sensor software on its OT networks to search for malicious activity and vulnerabilities. The software he chose, developed by a company called Dragos, detects suspicious traffic from nation-state actors. It also anonymizes the data and makes it available to analysts at the National Security Agency, the Department of Energy, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

“We have confirmed that foreign states are active in their targeting of US energy industrial control systems,” said Robert M. Lee, CEO of Dragos, whose software allows the government to send queries to companies to see if they have detected the presence of certain adversaries

At the end of the first 100-day campaign, which focused on electric companies, nearly 60 percent of electric customers in the United States were covered by companies that had or committed to having commercial cyber threat sensors in place. their OT networks, said Fehrman, who coordinated the effort across the industry.

Work continued with the natural gas sector and in January an effort began for the water sector.

“If the power goes out, or if the oil and gas goes out, or if the clean water goes out, that really affects American lives,” said Anne Neuberger, U.S. deputy national security adviser for cyber and emerging technology. “Collaboration between companies and with the government, the deployment of commercial sensors, the deeper information exchange has been an important contribution to the resilience of the sectors,” she said.

Although Biden’s warning last month was based on intelligence collected by the US government, the sensors were useful for additional information, US officials said.

Five years ago, Russian government hackers penetrated the OT systems of some US power companies, but the intrusions were not immediately detected. Some companies took months to realize they had been infiltrated. The sensors should reduce that time dramatically, US and company officials said.

Last year, Russian criminals carried out a ransomware attack on Colonial Pipeline, entangling the company’s administrative computer network. Fearing malware spreading to the OT system, the company shut down its fuel pipeline for five days, prompting panic buying at gas stations on the East Coast and raising concerns that Russia could target other critical companies. .

New cyber emergency regulations for pipelines draw mixed reviews

The abundance of targets in US industry prompted CISA in February to call on companies to strengthen their cyber defenses in a campaign the agency called “Shields Up.”

On a recent day, a senior threat intelligence analyst at BHE’s global security operations center opened a dashboard on a large screen on a wall, displaying some 3,000 Russian “indicators of compromise” or IP addresses and other digital clues that they had been linked to cyberattacks on Ukrainian government systems since January. IOCs, as they are called, come from DHS, the Canadian Center for Cyber ​​Security, a government agency, and the Department of Energy, as well as an information-sharing collective of industry and private threat intelligence companies.

In years past, companies could get this kind of data, but by the time it reached them, “it’s very likely that I already knew about it,” said BHE’s Ball. “Now it’s reversed, and we’re seeing things faster, more things that we haven’t heard of yet.”

And, more importantly, company executives say, the quality of some of that information has improved.

“We’ve been getting ‘actionable intelligence,’ extremely useful feedback that we can implement,” Fehrman said. That’s intelligence gained through the US government’s penetration of overseas adversaries’ systems and enhanced with more information that, for example, tells companies what threat is really significant, what techniques they’re using hackers what machines they are targeting, sometimes down to the make and model. – and what defensive actions should be taken as a result.

An important milestone in facilitating some of Ukraine’s crisis-driven cooperation was the Congressional mandate for CISA to establish a 24/7 hub for the real-time exchange of threat information that includes personnel from key industry sectors, as well as such as the FBI, DHS, NSA, and the Departments of Energy and Treasury. The result was the launch last summer of what CISA director Jen Easterly called the Joint Cyber ​​Defense Collaborative.

The JCDC has “created a beachhead,” said Tom Fanning, chief executive of energy giant Southern and a member of the Solarium Cyberspace Commission, which He recommended the formation of the cooperative. “As we mature the process, it will get better and better.”

A major theme of the JCDC’s clearinghouse is the Department of Energy’s Energy Threat Analysis Center, created in January to enable businesses and government to jointly analyze threats and develop countermeasures.

It will also send that information to JCDC. “If we’re seeing a threat to an industrial energy control system, we certainly want to make sure the information reaches other sectors like water and chemical, [which] they have similar systems,” said Puesh Kumar, director of the department’s Office of Cyber ​​Security, Energy Security and Emergency Response.

In February, the White House put CISA Executive Director Brandon Wales in charge of an effort to ensure the government can handle a cyberattack by the Russians, including any resulting physical fallout in the public or private sectors.

Biden executive order aims to strengthen federal cyber defenses

“In general, we are now more prepared than ever,” Wales said.

“Russian malicious cyber actors have posed a major threat to the US government and critical infrastructure since before the invasion of Ukraine,” he said, “and will pose a threat after this current crisis is resolved.”

About the author


Leave a Comment