The Next Big Cyberattack Could Turn America’s Lights Off
When a serious cyberattack against the U.S. begins, at first you’ll blame the weather, or an accident, or corporate incompetence. It’ll be a power outage that lasts a few hours at most. But things will start to get more unsettling when reports trickle out that the blackout is the work of hackers, most likely connected to the Russian government.
This isn’t science fiction—it happened in western Ukraine two years ago. That attack, the first known to take out an electrical grid, used malicious software known as a Trojan to briefly black out several hundred thousand people. The hack forced Ukrainians to start taking their country’s conflict with Russia much more seriously, says John Hultquist, director of intelligence analysis at security company FireEye Inc. The power outage, and another that followed in the capital in 2016, “took the front from the east to Kiev,” he says. “You can’t ignore it when the lights go out.”
So far, most Americans and Europeans haven’t been forced to reckon with the dangers of a large-scale cybersecurity breach, even as such attacks have become routine. Although close to half of the U.S. population had their Social Security numbers, addresses, and birthdates stolen from credit-monitoring company Equifax Inc. earlier this year, the usual round of press outrage and congressional finger-wagging didn’t yield any serious changes. Equifax Chief Executive Officer Rick Smith resigned and lost his 2017 bonus, but he got a retirement package worth at least $18 million.
But the kind of attack that companies will finally take seriously, something like the one in Ukraine, is coming. Security experts call such a hack cyberphysical, meaning it spills into the real world, causing property damage and perhaps deaths. Experts have already found evidence that the hackers responsible for Ukraine’s outages have been quietly rolling into the systems that run U.S. energy grids. On Oct. 20, the FBI and Department of Homeland Security issued an alert warning of a “multistage intrusion campaign” aimed at industrial control systems in critical infrastructure, including in “the energy, water, aviation, nuclear, and manufacturing sectors.”
Attacks on infrastructure are extremely tough to pull off. Most power grids include a tangle of interconnected systems, some online, some offline, and some decades old. Intelligence analysts say only five countries can hack them: the U.S., China, Russia, North Korea, and Iran. None, as far as we know, have successfully disabled physical assets beyond computers on American soil.
Even so, U.S. companies are woefully unprepared. Industrial control systems have been connected to the internet in recent years, with little thought given to securing them. Many software systems patch security holes daily; at power plants, well-known vulnerabilities may not be fixed for years, partly because there still isn’t a consensus on whether the manufacturer, installer, or utility operator bears responsibility for updating the software, says Marina Krotofil, a Ukrainian-born FireEye analyst. “There was no security in the past, because there was no need,” she says. Many critical infrastructure systems, including natural gas pipelines and storage, are almost entirely unregulated in the digital realm.
Russian hackers, meanwhile, continue to innovate. Krotofil says many low- and midlevel hackers have moved on from hijacking Windows PCs and are writing malware designed to take over power grids. “You see so many exploits, because so many people got into this field,” she says.
So far, Ukraine has been Russia’s primary target. The Kremlin-backed group that caused the blackouts, identified by cybersecurity researchers as Sandworm, has also been tied to a large-scale hack that briefly crippled Ukraine this summer. The group used a well-known ransomware program, Petya, that normally attacks a target’s computer, encrypts the data, then offers to decrypt it for a ransom. But the hackers came up with a variation, NotPetya, that simply destroyed the data.
The hackers spread the virus by targeting the main application that Ukrainians use to file their taxes, and in doing so, they took down the system Ukrainian pharmacies use to keep track of rare prescription drugs and the radiation monitoring system at Chernobyl. Banks, airports, and government offices were also affected. “It was like nothing we’d ever seen before,” says Krotofil. “The entire country was paralyzed.”
There’s evidence to suggest the blackouts and NotPetya were just warmups for a hack in the U.S. Sandworm’s code has been found on computers run by American electrical operators, according to FireEye. And in July security groups reported that another group, believed by U.S. intelligence agencies to be Russian, had accessed computers at a dozen U.S. power plants, including Wolf Creek, a nuclear plant in Kansas. Russian hackers haven’t done anything malicious to these systems, but such stories are troubling, especially when combined with their meddling in the 2016 U.S. presidential election and their smaller-scale attacks in Europe, such as the disabling of a French television network.
The same thing that’s kept the nuclear peace between the U.S. and Russia has also stopped Russia from launching a cyberphysical attack in America. The U.S. could respond to a Russian strike with its own crippling cyberattack along the lines of Stuxnet, a worm said to have been developed by the U.S. National Security Agency and Israeli intelligence that sabotaged Iranian nuclear centrifuges starting in 2009. (Iran has been active in the U.S. as well. In 2016, the Department of Justice announced that it was bringing hacking charges against seven Iranians for crimes that included accessing a control system for a dam in the New York City suburbs.) Martin Libicki, a visiting professor at the U.S. Naval Academy and the author of Cyberspace in Peace and War, says he worries that a serious hack could escalate into outright war. “My No. 1 fear is not the direct consequences of a cyberattack,” he says. “It’s if we get into a conflict with another country and there’s a cyberattack, we will overreact, or they will overreact.”
How long can fear of retaliation hold off a “cyber Pearl Harbor,” as security researchers sometimes call it? Peter Singer, a fellow at the Washington think tank New America, says the phrase is so overused it’s basically fodder for a drinking game, but the past few years have been sobering. “We’ve seen a series of lines crossed that we thought were no-go areas,” he says. “The Russians have crossed lines and, more importantly, done so without punishment. That sends a signal, not just to them but to everyone else, that, ‘Hey, you can get away with this.’”