Threat of Russian cyberattack spurs energy companies to collaborate with US government

Cables meet at an office entry point inside the Greater Des Moines Energy Center control room in Pleasant Hill, Iowa on March 29. (KC McGinnis for The Washington Post)

The war in Ukraine has put them on high alert

DES MOINES — In February, as Russian troops massed on the Ukrainian border, executives from a major energy company here worked with U.S. energy and homeland security officials to draft a manual and help prepare the electricity sector to deal with potential cyberattacks from Russia.

Berkshire Hathaway Energy officials were part of the small group that drafted the guidelines, which stressed the importance of quickly sharing information about cyberattacks between industry and government.

As President Biden warned last month of developing intelligence that Russia was exploring possible cyberattacks on critical U.S. industries, companies such as Berkshire Hathaway Energy and the U.S. government are on high alert. After years of what critics considered lip service, cybersecurity collaboration between the federal government and some critical industries has taken hold, officials and industry leaders say, and it could be put to the test as Russian government hackers probe the defenses of US power plants, banks and telecom networks.


“Collaboration between government and the private sector has improved exponentially over the past two years,” said Bill Fehrman, president and CEO of Berkshire Hathaway Energy (BHE), which supplies electricity generated by wind, solar, natural gas and coal to 12 million customers in the United States, Canada and Great Britain. “The main benefit,” he said, “is the more efficient transfer of information from the front line – the companies – to the government, and the retrieval of usable information from the government in a timely manner.”

In particular, he said, the declassification of government information “has gone from months to, in some cases, hours.”

Berkshire Hathaway Energy is so big — one of North America’s largest power companies by number of customers — that if its systems were disrupted by a Russian cyberattack, officials say, the impact on American lives would be considerable. At the same time, they say, practices like those adopted by BHE, whose CEO chairs the electricity sector group that coordinates with the federal government, can serve as a model for the industry.

As a cold wind blew through farm fields an hour northwest of Des Moines, the heat from a 10,000-horsepower engine and the smell of oil filled a compressor room. The engine, which runs so loudly that workers wear earplugs, powers pistons that compress natural gas. Ogden Compressor Station is a stop along the 13,000-mile Northern Natural Gas Pipeline, which is part of BHE and dotted with similar stations every 60 miles or so. Compressed gas is piped from station to station like a relay, serving homes, hospitals and power plants from Bakersfield, Texas to Michigan’s Upper Peninsula.


There has never been a cyberattack on any industrial control system within BHE and its 11 subsidiaries. This is due to the strict security measures imposed over the past eight years, said chief security officer Michael Ball. No operational network is connected to the Internet, and third-party vendors who come in to carry out maintenance follow strict rules, in particular a prohibition on connecting any outside equipment to the system.

But although its industrial control or operational technology (OT) systems are not connected to the Internet, the company still needs to ensure that the traffic flowing through its systems is not contaminated with malware.

As part of a campaign launched by the White House a year ago to bolster cyber defenses of critical sectors, Berkshire Hathaway Energy deployed sensor software in its OT networks to scan for malicious activity and vulnerabilities. The company’s chosen software, developed by a company called Dragos, detects suspicious traffic from nation-state actors. It also anonymizes the data and makes it available to analysts at the National Security Agency, the Department of Energy, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

“We have confirmed that foreign states are active in their targeting of US energy industry control systems,” said Robert M. Lee, chief executive of Dragos, whose software allows the government to send queries to companies to see if they have detected the presence of certain adversaries.

By the end of the first 100-day campaign, which focused on electric companies, nearly 60% of electricity customers in America were covered by companies that had, or had committed to having, commercial cyber threat sensors on their OT networks, said Fehrman, who coordinated the effort across the sector.

Work with the natural gas sector followed, and in January an effort in the water sector began.

“If the electricity is interrupted, or if the oil and gas is interrupted, or if the drinking water is interrupted, it really affects the lives of Americans,” said Anne Neuberger, deputy national security adviser for cyber and emerging technologies. “Collaboration between businesses and with government, deployment of commercial sensors, deepening of information sharing have been an important contribution to the resilience of the sectors,” she said.

Although Biden’s warning last month was based on intelligence collected by the US government, the sensors were useful for additional information, US officials said.

Five years ago, Russian government hackers broke into the OT systems of some US power companies, but the intrusions weren’t immediately detected. It took months for some companies to realize they had been infiltrated. The sensors should significantly reduce that time, U.S. and company officials said.

Last year, Russian criminals launched a ransomware attack on Colonial Pipeline, shutting down the company’s administrative computer network. Fearing the malware could spread to the OT system, the company shut down its fuel pipeline for five days, sparking massive panic at East Coast gas stations and raising fears that Russia is targeting other critical companies.


The abundance of targets in U.S. industry prompted CISA in February to issue a call for companies to bolster their cyber defenses in a campaign the agency dubbed “Shields Up.”

Recently, a senior threat intelligence analyst at BHE’s Global Security Operations Center pulled up a dashboard on a large screen hanging on the wall, displaying some 3,000 “indicators of compromise,” or Russian IP addresses and other digital clues related to cyberattacks on Ukrainian government systems since January. The IOCs, as they are called, came from DHS, the Canadian Center for Cyber Security (a government agency) and the Department of Energy, as well as an industry information-sharing collective and private threat intelligence companies.

In years past, companies could get this kind of data, but by the time it got to them, “chances are I already knew it,” Ball said. “Now it’s reversed, and we’re seeing things faster, more things we haven’t heard of yet.”

And, more importantly, according to company executives, the quality of some of this information has improved.

“We got ‘actionable intelligence’, extremely useful feedback that we can act on,” Fehrman said. This is intelligence obtained through US government penetration into adversaries’ systems overseas, and augmented with more information that, for example, tells companies what threat is really important, what techniques hackers are using, what machines they target (sometimes down to make and model) and what defensive measures should be taken accordingly.

A major step in facilitating some of the cooperation sparked by the Ukraine crisis was a Congressional mandate that CISA set up a 24/7 center for real-time sharing of threat intelligence that includes personnel from key industry sectors as well as the FBI, DHS, NSA, Energy and Treasury Departments, among others. The result was the launch last summer of what CISA Director Jen Easterly called the Joint Cyber Defense Collaborative.

JCDC has “created a beachhead,” said Tom Fanning, CEO of energy giant Southern Company and member of the Solarium Commission, who recommended the formation of the Collaborative. “As we mature the process, it will get better and better.”

The Department of Energy’s Energy Threat Analysis Center, which was established in January to enable business and government to jointly analyze threats and develop measures to address them, is one of the main relays of the JCDC information sharing center.

It will also transmit this information to the JCDC. “If we see a threat to an industrial energy control system, we certainly want to make sure the information gets to other sectors like water and chemicals, [which] have similar systems,” said Puesh Kumar, director of the department’s Office of Cybersecurity, Energy Security and Emergency Response.

In February, the White House tasked CISA Executive Director Brandon Wales with ensuring the government can handle a cyberattack by the Russians, including any resulting physical consequences in the public or private sectors.


“Overall we are better prepared than ever,” Wales said.

“Russian malicious cyber actors have posed a high threat to the US government and critical infrastructure since before the invasion of Ukraine,” he said, “and they will pose a threat after the resolution of the current crisis.”
