Russian hackers present cybersecurity threat to utilities

Utilities have been warned by security officials of the danger Russian cyber attacks may pose to their infrastructure.
Published: Wed 18 Apr 2018

The growing tension between Russia and the West is likely to affect countries’ critical infrastructure as utilities are vulnerable to cyber attacks, according to security officials.

The UK National Grid, the British transmission networks operator, has been put on high alert due to an increasing threat of suffering Russian cyber attacks.

The utility was reportedly contacted by the National Cyber Security Centre (NCSC), a branch of the Government Communications Headquarters (GCHQ), the British government intelligence agency. The NCSC warned National Grid about the threat posed by Russia and offered advice on how it can suitably protect itself against the risk.

There are concerns that Russian hackers might have access to UK critical infrastructure through utilities - an attack on such companies can give them the capacity to stage dangerous and costly power outages. Widespread power cuts caused by criminal action have the potential to hugely affect other services, such as health, transport, aviation and others. However, it is not known how long such an outage could last.

Earlier this week, British and American cybersecurity officials warned that Russia had launched a global hacking offensive targeting millions of computers, possibly laying the foundation for an attack on critical infrastructure that could be triggered at any time.

The recent rise in hostilities between Russia and the West follows the poisoning of former Russian intelligence agent and British spy Sergei Skripal and his daughter Yulia. The incident took place in the British town of Salisbury on 4 March, where the victims were found poisoned with a military-grade nerve agent known as Novichok, developed in the Soviet Union from the 1970s.

Tensions worsened after the US, UK and France launched an airstrike in Syria, which was condemned by the Russian government, an ally of the Assad regime.

The British government has accused Russia of carrying out the attack and then imposed a series of diplomatic sanctions on Russia, including the expulsion of 23 Russian diplomats from the UK. Several Western countries, including the United States, Canada, Australia and several EU member states, followed suit, expelling more than 100 Russian diplomats altogether.

Cyber attacks on utilities

Such possible attacks by Russian or Russia-backed agents are all the more noteworthy on account of the country’s track record of hacking into European and American companies and organisations, including utilities.

For instance, in July 2017 it was reported that Russian hackers had been able to infiltrate Irish utility ESB by sending malware disguised in emails sent to members of staff.

The attack was deemed unsuccessful and the power network did not suffer any disruption as a consequence, but it is possible that the hackers managed to steal information from the company’s systems. Had it been successful, hackers could have had the power to cut electricity for people across Ireland and Northern Ireland.

US utilities have been targeted as well. On 15 March 2018, the US Department of Homeland Security and the FBI reported that Russian hackers had been able to infiltrate US critical infrastructure, including energy and nuclear companies, since at least March 2016. According to American security officials and security firms, the hackers could shut down power systems, sabotage energy grids and cut electricity, as they had acquired access to critical control systems in power plants. Both agencies first warned utilities about the threat in June 2017.

It was also reported in December 2016 that a malware code associated with Russian hacking operations was found in the systems of Burlington Electric, a utility in Vermont. Though the attack did not go so far as to cause any disruption or to penetrate the electrical grid, it highlights the vulnerability of utilities to the actions of hostile state agents and the potentially devastating consequences should an attack be successful.

Russia has probably been responsible for carrying out successful attacks in the past, and Ukraine can be cited as an example in this respect. In December 2015 the electrical grid in Kiev was targeted by cyber attacks; power distribution systems were affected and over 200,000 residents were left without power for hours. The Ukrainian government has accused Russia of carrying out the attack. In fact, the malware that was used in this cyber breach in Ukraine was found in utilities’ systems in the US as well.

A year later, in December 2016, Ukraine fell victim to another cyber attack that caused a mass blackout in its capital; and again Russia was blamed for the attack by the Ukrainian government. Six months after the incident, security experts found that the malware that was used in the cyber attack posed a larger threat to the power industry.

The malware could infect electricity substations and circuit breakers using industrial communication protocols which are standardised across a number of types of critical infrastructure – from power, water and gas supply to transportation control.

The UK and US governments have also accused Russia of launching a ransomware attack in Ukraine in 2017, which affected the Ukrainian financial, energy and governmental sectors and subsequently spread across the world.

The NotPetya attack, as it became known, was first reported in Ukraine, where government bodies, companies, banks, the state utility and others were taken offline and infected computers were locked until the user paid the demanded ransom. However, even after the ransom was paid, computers remained shut down. Ultimately, users in France, the UK, Denmark, the US and several other countries were affected by the malware.

Russian president Vladimir Putin has been repeatedly accused of being directly involved with cyber threats.

Government policies against cyber attacks

In light of the critical cyber threat faced by Western countries, government agencies are encouraging utilities to prepare as robustly as possible against attacks from state-backed hackers. Governments are also starting to unveil new policies to increase protection from hostile foreign agents.

The UK government, for instance, announced in January 2018 that it will fine companies that do not take appropriate cybersecurity measures to protect themselves against such attacks. Fines can be up to £17m in value and can be applied to companies in the energy, health, transport and water sectors. This is part of the Network and Information Systems (NIS) Directive, which will be effective as of 10 May 2018.

Intentions to implement the directive were first reported in 2017, after the WannaCry ransomware attack hit the British National Health Service (NHS) and infected computers in more than 150 countries, affecting an estimated 300,000 users.

Under the NIS directive, sector-specific regulators will assess companies’ systems to ensure they are adequately protected against such attacks. These regulators will have the power to issue legally binding security instructions and to impose fines where appropriate. In addition, a reporting system will be in place so that businesses can easily report security breaches and IT failures. However, fines will only be imposed as a ‘last resort’ and will not be applied if the entity is found to have assessed risks appropriately and taken adequate security measures.

Margot James, the Minister for Digital and the Creative Industries in the UK, said in a statement, “We want our essential services and infrastructure to be primed and ready to tackle cyber attacks and be resilient against major disruption to services. I encourage all public and private operators in these essential sectors to take action now and consult NCSC’s advice on how they can improve their cybersecurity.”

The NCSC has published a detailed guide on how to improve security measures to help companies comply with the new directive. The guide cites the directive’s objectives as security risk management, systems defence against cyber attacks, detecting cybersecurity events and minimising the impact of cybersecurity threats. It includes advice on topics such as appropriate risk management approaches, protecting identity and access management systems, and data protection.