An insidious and highly threatening Russian campaign has laid the groundwork for taking down major portions of the U.S. electrical grid whenever the order is given. We must do everything possible to harden our cyber defenses and deter hostile nations from such an attack.
The campaign began in early 2016 and was active as late as last fall, according to a worrisome report in The Wall Street Journal. The federal government has not said what its investigations have revealed or how many firms were affected, although last March it accused Russian intelligence of being responsible.
But the Journal reported that Russian hackers attacked companies related to the U.S. electrical grid in 24 states, Canada and the United Kingdom. In one of their exploits, they took control of a dormant website in Columbia belonging to web developer Matt Hudson and used it to “phish” for credentials of persons directed to it from another compromised site. Mr. Hudson told the Journal he had no idea that his website had been hacked.
An official with Symantec, a private cyber security company, told the Journal that at least 60 utilities were targeted, including some outside the United States. Two dozen were breached, and at eight or more companies hackers gained access to the industrial control systems that run the grid.
The success of Russian hackers in reaching industrial control systems that are not directly connected to the internet should be a flashing warning against complacency about voting machines. Isolation from the internet is only as good as the remote-access paths that remain, and voting machines, like those control systems, still allow a few trusted technicians to log in remotely.
An in-depth investigation by the Journal demonstrates how the Russian hackers succeeded. They targeted small firms in utility supply chains and the online publications read by professionals in those businesses. Once they gained access to a small firm’s email, they would send messages in its name designed to get recipients to open attachments or follow links that installed malware and captured their credentials, and in this way they worked their way up the supply chain until they reached technicians with access to the protected industrial control systems. If that succeeded, they captured the credentials needed to get that access themselves.
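One consequence of the chain described above is that the usual sender checks do not help: the phishing mail really does come from the vendor’s mailbox, so SPF and DKIM pass. What a defender can still inspect is where the links lead, including a hop through a compromised site to a credential-harvesting page on an unrelated domain. The following is an added illustration, not code from the Journal’s reporting or from any utility, of that kind of link-based triage. The record layout, the domain names and the sandbox redirect data are all constructed for the example; a real deployment would feed it from a mail gateway and a URL sandbox.

```python
"""Triage vendor-themed mail whose sender mailbox is genuine but whose links are not.

Added example; the MailRecord shape and every domain below are constructed.
Assumes a mail gateway exports per-message link data and a sandbox records
the redirect hops it observed when following each link.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class MailRecord:
    message_id: str
    sender: str                      # From: address, e.g. billing@vendorx.example
    auth_pass: bool                  # SPF and DKIM aligned and passing
    links: list[str]                 # URLs found in the body
    # Redirect hops observed by the sandbox: url -> [next urls]
    redirects: dict[str, list[str]] = field(default_factory=dict)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def base_domain(host: str) -> str:
    """Last two labels. Adequate for the sample data; a real system would use the public-suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def landing_hosts(record: MailRecord, max_hops: int = 10) -> dict[str, str]:
    """Map each link in the message to the host the sandbox finally landed on."""
    out: dict[str, str] = {}
    for url in record.links:
        final = url
        for _ in range(max_hops):          # guard against redirect loops
            nxt = record.redirects.get(final)
            if not nxt:
                break
            final = nxt[-1]
        out[url] = host_of(final)
    return out


def triage(record: MailRecord, previously_seen: set[str]) -> tuple[str, list[str]]:
    """Return (verdict, flags). Verdict is one of allow / review / quarantine."""
    sender_domain = base_domain(record.sender.split("@")[-1].lower())
    flags: set[str] = set()
    for url, final_host in landing_hosts(record).items():
        first_host = host_of(url)
        if base_domain(first_host) != sender_domain:
            flags.add("offdomain_link")        # vendor mail pointing somewhere that is not the vendor
        if base_domain(final_host) != base_domain(first_host):
            flags.add("offdomain_redirect")    # the hop from a compromised site to the harvesting page
        if base_domain(final_host) not in previously_seen:
            flags.add("unseen_landing")        # a domain this organisation has never visited before
    if not flags:
        return "allow", []
    if record.auth_pass:
        # Authentication passing with suspicious links is the signature of a compromised mailbox,
        # not of spoofing; record it so the analyst also contacts the vendor.
        flags.add("auth_pass_compromised_mailbox_likely")
    if "unseen_landing" in flags and ("offdomain_link" in flags or "offdomain_redirect" in flags):
        return "quarantine", sorted(flags)
    return "review", sorted(flags)


# Constructed sample records (all domains invented).
SEEN = {"vendorx.example", "tradepress.example"}

ROUTINE_INVOICE = MailRecord(
    "m1", "billing@vendorx.example", True,
    ["https://portal.vendorx.example/invoice/123"],
)

SHARED_ARTICLE = MailRecord(
    "m2", "billing@vendorx.example", True,
    ["https://news.tradepress.example/grid-maintenance"],
)

HARVESTING_CHAIN = MailRecord(
    "m3", "billing@vendorx.example", True,
    ["https://news.tradepress.example/grid-maintenance"],
    redirects={"https://news.tradepress.example/grid-maintenance":
               ["https://dormant-webdev.example/login.php"]},
)

if __name__ == "__main__":
    for rec in (ROUTINE_INVOICE, SHARED_ARTICLE, HARVESTING_CHAIN):
        print(rec.message_id, *triage(rec, SEEN))
```

The third record models the pattern the Journal described: a link to a site the recipient’s colleagues legitimately read, which then forwards to a dormant site on a domain nobody in the organisation has seen. The second record, a link to the same publication with no onward hop, only earns a review, which is the right amount of friction for mail that is usually benign.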
It was a devilishly clever campaign, and no one is sure whether it has been totally blocked. There may still be utilities with malware planted by the Russian hackers that would allow them to shut down operations.
Clearly it is necessary to upgrade defenses so that such phishing succeeds less often, and to detect and remove any foothold the attackers gain before it can be used. But the big question facing the nation is how to deter Russia from trying such exploits in the future. Unless that happens, Russia, China, Iran, North Korea and other hostile actors are certainly going to try again.