“The digital infrastructure that serves this country is literally under attack,” Director of National Intelligence Dan Coats warned starkly last week. Most commentators took his declaration that “the warning lights are blinking red” as a reference to state-sponsored Russian hackers interfering in the upcoming midterm elections, as they did in the 2016 presidential election. But to focus on election interference may be to fight the last war, fixating on past attacks while missing the most acute vulnerabilities now. There’s reason to think that the real cyberthreat from Russia today is an attack on critical infrastructure in the United States—including one on the power grid that would turn off the lights for millions of Americans.
We know what Russia is capable of because we can see what it’s done elsewhere. A staff report from the Senate Committee on Foreign Relations found evidence that ahead of 2016, Russia had attempted to manipulate elections in 18 other countries. Now intelligence agencies and security companies have connected Russian hackers to the shutdown of a German steel mill, the cutting off of phone and Internet service to some 900,000 Germans, and most ominously, two disruptions of the power grid in Ukraine. The right takeaway from Russian interference in 2016 is not just that Washington needs to protect American elections; it’s also that what Russia does in cyberspace in its near abroad should be a warning about what can be done in the United States.
In December of 2015, Russian hackers turned off the lights in the Ivano-Frankivsk region of Western Ukraine, leaving some 230,000 customers in the dark. The attack shut down 30 power substations and disconnected them from communications systems so they could not be remotely restarted. A second attack a year later targeted substations in Kiev. Ultimately, the attacks were relatively contained: the 2015 power outage in Ivano-Frankivsk lasted only six hours, and the 2016 attack affected just 20 percent of Kiev’s power for only about an hour.
But the relatively limited nature of the Ukraine attacks should not be cause for comfort. It is possible that Russia intended to use the attacks to send a message to Ukraine rather than to inflict real harm. More ominously, they may have been trial runs to test Russian cyber-capabilities.
To begin with, the attacks demonstrated a worrying level of competence and sophistication on the part of the Russian hackers. “To me what makes sophistication is logistics and planning and operations and … what’s going on during the length of it,” Robert M. Lee, an expert in control system security, told Wired. “And this was highly sophisticated.” The attackers undertook extensive research and reconnaissance operations to understand their target and then executed an attack in multiple stages against multiple targets simultaneously.
Beyond their planning and operational capabilities, the attackers also developed better tools for carrying out these types of attacks. The malware used in the 2016 attack was far more sophisticated than that in the 2015 attack. Rather than reusing previously known malware designed for business systems, the attackers used malware that was purpose built and could be used to cause widespread outages against multiple targets. These technological improvements between the two attacks suggest that they provided an opportunity for Russia to use Ukraine as a testing ground.
Given the extent of Russian cyber-capabilities, it is likely that if the Russian government had wanted to cause more widespread and longer-lasting outages in Ukraine, it could have—by, for example, deploying more teams to cause simultaneous shutdowns of multiple regions. But Russia has other leverage points in Ukraine—notably, a shared border and Ukraine’s large ethnically Russian and politically pro-Russian population—that offer other options for exerting influence in Ukraine. That adds to the theory that the cyberattacks were only trial runs, practice for when the capability to shut down a power grid would actually offer Russia a strategic or tactical advantage.
Several aspects of the attacks on Ukraine are alarming from a U.S. perspective. Those attacks relied on fairly basic tools: they began with spear-phishing emails, exploited known vulnerabilities, and used a family of malware that had been used previously. At this point, Russia has likely developed far more sophisticated cyber-capabilities, akin to the Stuxnet malware that targeted Iran’s nuclear program and caused actual physical damage to centrifuges. In Ukraine, grid operators could only sit and watch as hackers virtually moved their mouse across the screens of their control units to shut down power systems, which at least alerted them to the fact a cyberattack was under way. In a more sophisticated attack, grid operators might be left completely mystified about why the power went out.
Just how vulnerable is the U.S. grid to an attack akin to the one in Ukraine? According to the U.S. intelligence community, very. In 2014, Admiral Michael Rogers, then director of the National Security Agency, told Congress that malware attributed to Russia had been found on critical infrastructure throughout the country. But Rogers pointed out that Russia and other adversaries at the time lacked a strong motive to carry out such an attack.
In the event that Russia decides it is in its interest to turn off the lights, what we don’t know is whether utilities would be able to detect and thwart such an attack. Diagnosing vulnerabilities would require action from a federal agency, but so far nothing has been done. Grid operators have some ability to conduct their own security assessments but tend to be strapped for resources and plagued by disparities among different operators. Some utilities are investing millions in security, while others must choose between trimming trees along power lines or upgrading security equipment. Limits on rates set by utility boards simply do not allow some utilities to do both.
Further, in a network such as the U.S. power grid, the potential for failures to cascade is very high. One illustrative example was the 2003 blackout of much of the northeastern United States and Ontario, which was caused by a local problem at one energy provider in Akron, Ohio. Thus, local utilities can invest in cybersecurity to prevent Russian attackers from disrupting their power directly, but the failure of other utilities to secure their systems still makes everyone vulnerable.
It is also worth noting that, in at least one respect, the U.S. power grid is even more vulnerable than the Ukrainian one. When hackers took out the grid’s electronic controls, the Ukrainians were able to revert to manual operation, a capability that many utilities in the United States have eliminated. Without the ability to revert to manual operations, a cyberattack could not only shut down the power grid—it could keep it down.
Defending the Grid
There’s already ample evidence that Russia has been carrying out reconnaissance against the U.S. electric grid. A U.S. Department of Homeland Security bulletin published in March of this year warned critical infrastructure operators of the threat from Russian actors, stating that the campaign was “targeting industrial control system (ICS) infrastructure.” It noted a particular threat to six sectors of the economy including energy, nuclear facilities, and water, a critical dependency for power production.
Given these threats, Washington must take urgent action. That should start with U.S. President Donald Trump moving quickly to deter foreign governments from engaging in the reconnaissance necessary to attack the grid. He must make clear that if the United States identifies foreign adversaries interfering with its power systems, it will view their presence as a hostile act subject to U.S. response. The sanctions levied on Russia in March of 2018 are, in part, a response to Russian probing of the energy sector, but on their own they are not sufficient for establishing a norm against such activity. The president should directly command foreign adversaries to get out of U.S. critical infrastructure and threaten consequences if they don’t.
Next, Washington will need to determine whether Russian or other foreign adversaries heeded this message. The intelligence community may be able to assess compliance, but the best way to ensure security is for government-appointed inspectors to directly verify whether utility networks have been compromised. (Trump will first need to determine whether his office or the independent Federal Energy Regulatory Commission has the authority to order these inspections, and, if they do not, should seek permission from Congress to do so.) Utilities should be encouraged to cooperate on a voluntary basis as well. State regulators, who have authority over power distribution to homes and businesses, should also flex their regulatory muscle.
These assessments might uncover signs of adversary activity, but what’s most important is that they will reveal vulnerable and misconfigured systems in need of increased protection and monitoring. Congress must then ensure that utilities have the resources necessary to protect themselves by passing legislation to provide necessary funds.
Mandating that utilities charge a dedicated security fee on each account, similar to the Universal Service fee charged on all phone accounts, would be the most direct and efficient way to ensure that they receive the funding necessary to build strong security programs. Concerns that the additional surcharge would be burdensome for low-income consumers could be addressed through additional federal funding of the Low Income Home Energy Assistance Program.
Finally, if interference is confirmed, the president should make sure that U.S. Cyber Command is prepared to conduct counteroffensive operations against Russia and to coordinate that activity with the energy sector. Rapidly building out the mechanisms so that this coordination is possible when it is needed should be a priority of both Congress and the White House.
Right now, Russia might not have a motive for carrying out an attack on the U.S. power grid. Judging by the headlines coming out of Moscow following the Helsinki summit, Russia is quite happy with its current relationship with the Trump administration. The honeymoon period between Trump and Russian President Vladimir Putin has lasted longer than many Russia experts predicted, but a souring of relations is likely imminent, as the two countries clash over Iran, Syria, and other foreign policy issues. When that souring occurs, Russia may decide to use what it learned in Ukraine against the United States. If there is a silver lining to the cozy relationship that Trump has built with Putin, it may be that he has bought the United States valuable time to secure its grid and other critical infrastructure against Russian cyberattacks. That time should not be squandered.