How To Stop Russia From Hacking America’s Power Grid

Foreign hackers are going after our electric utilities. We could have stopped the vast majority of their attacks.

abandoned utility control room

(Patryk Grądys/Unsplash)

Hide your control systems, hide your power plants: the Russians are hacking everybody out there, and specifically American utilities, as they gear up for future acts of cyber warfare, says the Department of Homeland Security. Apparently, hundreds of vendors working for utility providers have been successfully hacked by Russian groups, and a few of the intruders actually made it to critical control mechanisms, putting them “in a position to start flipping switches.” Even more ominously, they’re starting to automate their attacks, which could mean they’re scaling up to take stealthy control of as much American infrastructure as possible.

Now, this may sound scary, but the situation is not quite as grim as it seems. Russian president Vladimir Putin isn’t going to be presented with a button he can press to plunge the United States into pre-industrial times. American energy grids, pipelines, and power plants are far too scattered and decentralized for that to be possible, and our infrastructure is built to handle quite a bit of disruption, malicious or accidental. Likewise, the tactics being used are rather boring and conventional, in no small part because they were used against companies long known for connecting industrial control systems to the internet with no real safeguards, simply to make the machines easier to work with remotely.

Another bit of good news is that, according to an expert on the subject, cyber security consultant Robert M. Lee, the DHS is exaggerating what the Russian malware did in the control systems it was able to infect. Instead of controlling switches, the intruders took screenshots to map out what they were dealing with. These systems are frequently not configured the same way across different plants and control nodes, so an exploit that could sabotage one wouldn’t work on another. If you’re going to attack them en masse, you need a toolkit with hundreds, if not thousands, of different exploits tailored to different configurations. The hacks we’re seeing show that the Russians are nowhere near that stage and are still learning the lay of the digital land.

And considering that computer security practices at power plants and other utilities are far from the best, it’s unsurprising the attackers were so successful. Their targets routinely found excuses not to update software, left well-known vulnerabilities unpatched, punched holes in their own security protocols and mechanisms, and plugged sketchy USB sticks into ports where they didn’t belong. The attacks they fell prey to were also quite conventional: phishing emails to steal credentials and trick users into downloading spyware, watering-hole attacks planting infected ads on sites their targets frequent, recruiting insiders, and finding systems that should have been air-gapped, that is, connected to no network at all, but were in fact reachable.

Basic security hygiene would have prevented most of these attacks with ease. Unfortunately, even though these vendors and workers operate machines that are natural targets for foreign hackers looking to wage war on the United States, the security briefings they should have received from their IT departments seem to routinely go in one ear and out the other. Enforced, timely patching; better spam and phishing filters; routine, tested system backups; actually verifying that control networks are isolated from corporate and vendor networks rather than assuming they are; and continuous automated monitoring for anything out of place would go a long way toward securing our grids, and these are the standards the DHS should be demanding from the companies. Right now, they’re putting themselves and us at risk out of negligence and sloth.

We could have tolerated a learning curve as they got up to speed on the practices required to protect their digital assets from Russian, Chinese, Iranian, and North Korean hackers. But today, staying on top of your security is absolutely critical, and after a decade of warnings, most of the attacks we saw should not have happened had the victims been paying attention. So the real story here isn’t so much that Russians were able to infect electric utilities; it’s that these utilities let them, despite being told for years that they were targets for foreign adversaries and that those adversaries would use exactly the tactics that ended up succeeding against them.

Politech // Cyber Warfare / Cybersecurity / Hacking / Russia