Vermont municipal utility Burlington Electric Department found itself in the eye of a media storm as 2016 ended, amid stories that Russian hackers had penetrated the U.S. utility grid through the company. Those stories turned out to be incorrect.
The head of the utility, Neale Lunderville, remained upbeat and confident in the utility sector’s cybersecurity measures and its partnership with federal authorities, even though inaccurate information leaked by federal officials forced Burlington Electric to spend a holiday weekend correcting news stories that said its grid had been hacked.
“It is terrible when a person leaks inaccurate information,” but “we have a good relationship with our federal partners,” Lunderville told The Foster Report on January 4.
Those federal partners include the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), which on 12/29/16 released a Joint Analysis Report (JAR) detailing the tools and infrastructure used by Russian intelligence services to try to compromise or exploit networks associated with a range of U.S. government, political, and private sector entities. The JAR also told network operators how to identify, detect, and thwart Russia’s malicious cyber activity, DHS and FBI said in a 12/29/16 joint statement.
The sequence of events that landed Burlington Electric among international media stories included an erroneous story on 12/30/16 from the Washington Post based on unnamed sources. That original story, which went to press on a Friday evening and has since been corrected, said unnamed federal authorities told the newspaper that computer code associated with Russian hackers had been discovered by a Vermont utility and that the nation’s electricity grid had been penetrated due to malware on a utility laptop computer.
Other news outlets then issued their own stories based on the original Washington Post story. The problem for Burlington Electric was the inaccuracies in that story, so late on 12/30/16, and for several days after, it posted statements on its website and spoke with reporters to set out what had actually taken place, emphasizing that neither its power grid nor its customer information systems had been compromised.
Following the release of the JAR and a briefing from DHS officials on malware code used in Grizzly Steppe, the name that DHS gave to recent malicious cyber activity from Russia, Burlington Electric scanned all computers for the malware signature, the utility said in the statement. The utility detected suspicious internet traffic in a single laptop that was not connected to utility grid systems or operating infrastructure, so it isolated the laptop and alerted federal officials of the finding.
“We spoke with federal authorities on Friday,” after “we found traffic with an IP address that was listed in the JAR,” Lunderville told The Foster Report. Federal officials have indicated that the specific type of Internet traffic also has been observed elsewhere in the country and is not unique to Burlington Electric, so the utility was quite surprised by the story in the Washington Post, he said.
Shortly after the story appeared, Burlington Electric posted a statement on its website and began informing state officials in Vermont that media stories about the utility grid being hacked were not true, Lunderville said.
Spending the weekend of New Year’s Eve on conference calls with other utilities and American Public Power Association members was not ideal, but Lunderville wanted to make sure everyone had accurate information, he said in a brief interview.
Burlington Electric, like every utility, takes cybersecurity very seriously and continuously monitors its computer systems for code or internet traffic associated with hacking operations, so the scanning done after the JAR and DHS guidance was not unusual, Lunderville said. A utility employee checked email on Yahoo.com, which prompted the detection of suspicious internet traffic; the utility isolated that laptop and notified authorities, as it was supposed to do, he explained.
“We wouldn’t have done anything differently had the story not appeared online,” Lunderville said, adding “I’m proud of our team” and the way they responded to all the attention. As a relatively small utility with 120 employees, it did not expect to be the center of so many stories, but in today’s environment “we have to be ready for anything,” he said.
As for the source of the initial story from unnamed federal sources, Lunderville said he will not let the experience sour Burlington Electric’s partnership with federal authorities, who have been apologetic to the utility. There needs to be trust among the private sector and government officials because those federal agencies have the intelligence needed to help companies and stay aware of possible cyber intrusions, he told The Foster Report.
“Unfortunately, someone breached that trust,” by leaking incorrect information to a newspaper, which led to multiple stories repeating the false information, but Burlington Electric will continue to work with federal agencies, the North American Electric Reliability Corp. (NERC), the Electricity Information Sharing and Analysis Center (E-ISAC) and others to maintain vigilance on cybersecurity, Lunderville said.
The E-ISAC offers security services to owners and operators of the power grid, working in tandem with NERC to provide utilities with technical expertise, to spot trends and to provide training on power sector security initiatives.
In the JAR, the FBI and DHS provided information on the computers, servers, and other infrastructure that Russian intelligence services use to try to gain access to devices and to credentials or passwords, typically through spearphishing emails or texts. Spearphishing uses forged emails or other messages to manipulate users into opening malicious software or clicking on malicious links, the agencies noted in their joint statement.
The JAR identifies IP addresses that companies should look for on a regular basis. Because some of those addresses also host legitimate websites without their owners’ knowledge, traffic to a listed address is a lead to investigate rather than proof of compromise. In some cases the cybersecurity community was already aware of the IP addresses and infrastructure used, and in other cases the information was newly declassified by the U.S. government, the agencies said.
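The check Burlington Electric describes above, matching outbound connections against the IP addresses in the JAR and then triaging any hit, is illustrated by the following added example. It is not code from Burlington Electric, DHS, the FBI or the JAR; the indicator list, its column layout, the log lines, the host names and the addresses (RFC 5737 documentation ranges) are all constructed for the example, and the "note" column stands in for whatever context a real feed carries about an address.

```python
"""Match outbound connection logs against an IP indicator list and triage hits.

Added example, not code from Burlington Electric, DHS, the FBI or the JAR.
Indicator list, CSV layout, log lines, hosts and addresses are constructed.
"""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed indicator list (assumed layout: indicator,type,note).
# The note column models the caveat in the text: some listed addresses
# also serve legitimate sites or are shared infrastructure such as Tor exits.
INDICATOR_CSV = """indicator,type,note
203.0.113.7,ipv4,command and control
198.51.100.0/24,ipv4-net,shared hosting; also serves legitimate sites
192.0.2.44,ipv4,tor exit node
"""

# Constructed proxy/firewall log lines: timestamp host dst_ip:port bytes
LOG_LINES = """2016-12-30T09:12:01Z laptop-07 203.0.113.7:443 5120
2016-12-30T09:12:05Z laptop-07 198.51.100.23:443 88231
2016-12-30T09:13:10Z hmi-ws-02 10.0.5.20:502 240
2016-12-30T09:14:44Z laptop-12 192.0.2.44:9001 4101
2016-12-30T09:15:00Z laptop-07 203.0.113.7:443 7000
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([\d.]+):(\d+)\s+(\d+)$")

# Notes containing these markers mean a hit needs analyst triage before
# it is treated as a compromise.
SHARED_MARKERS = ("shared hosting", "tor exit")


def load_indicators(text):
    """Parse the indicator CSV into (network, note) pairs; bare IPs become /32."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        net = ipaddress.ip_network(row["indicator"].strip(), strict=False)
        out.append((net, row["note"]))
    return out


def parse_log(text):
    """Yield (ts, host, dst_ip, port, bytes) from log lines; skip malformed ones."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, host, ip, port, size = m.groups()
        yield ts, host, ipaddress.ip_address(ip), int(port), int(size)


def match_connections(log_text, indicator_text):
    """Return {host: [hits]} for every connection whose destination is listed.

    A hit on shared or Tor infrastructure is flagged needs_triage=True: as the
    JAR notes, such addresses also carry legitimate traffic, so the match alone
    does not show the host is compromised.
    """
    indicators = load_indicators(indicator_text)
    hits = defaultdict(list)
    for ts, host, ip, port, size in parse_log(log_text):
        for net, note in indicators:
            if ip in net:
                hits[host].append({
                    "ts": ts, "dst": str(ip), "port": port, "bytes": size,
                    "note": note,
                    "needs_triage": any(m in note.lower() for m in SHARED_MARKERS),
                })
    return dict(hits)


def summarize(hits):
    """Per host: number of hits and whether any hit is on a non-shared indicator."""
    return {
        host: {
            "hits": len(v),
            "high_confidence": any(not h["needs_triage"] for h in v),
        }
        for host, v in hits.items()
    }


if __name__ == "__main__":
    for host, summary in summarize(match_connections(LOG_LINES, INDICATOR_CSV)).items():
        print(host, summary)
```

In the constructed data, laptop-07 talks to a dedicated indicator and is worth isolating on the spot, while laptop-12 only touches a Tor exit, which is exactly the kind of hit that should be isolated and reported but not announced as a grid intrusion until an analyst has looked at it.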
Spearphishing attacks can lead to credential or password theft that gives actors an entry point to steal or manipulate data or disrupt infrastructure operations, as in the 2015 power outage in Ukraine that resulted from a cyber attack, NERC and the E-ISAC have noted.
Senate Hearing. The Ukraine attack was mentioned during a Senate Armed Services Committee hearing on 1/5/17, at which government representatives testified on the growing cyber threats to governments and private infrastructure. Those testifying were James Clapper, director of national intelligence, Marcel Lettre, undersecretary of defense for intelligence, and Michael Rogers, commander of the U.S. Cyber Command and director of the National Security Agency.
The three witnesses provided a joint statement that said despite ever-improving cyber defenses, nearly all U.S. information and communication networks and systems will be at risk for years to come, whether from remote hacking, from the insertion of compromised hardware or software, from trusted insiders or from mistakes by system users, the witnesses told the committee.
“Over the next five years, technological change will only accelerate the intersection of cyber and physical devices, creating new risks” to governments and infrastructure that is critical for national and economic security, the witnesses said.
The intelligence community has been vigilant in detecting and sharing cyber threat information with DHS and private industry partners, and will continue to do so, they told the Senate panel.
The fallout from the Burlington Electric development included two statements from Sen. Patrick Leahy (D-Vt.), the first of which, on 12/30/16, was based on the Washington Post story. That statement referred to Russian hacking and attempts to penetrate the utility grid as a “direct threat to Vermont.”
On 1/3/17, Leahy posted a statement on his website that he is grateful that “the initial news report was inaccurate and that the affected laptop of a Vermont utility was not connected to the power grid.”
However, “this does not change the fact that we face serious threats to our critical infrastructure, and I will continue to do everything I can to protect Vermont and the rest of the country from cyber threats. I have asked my staff to request a briefing from federal agencies,” Leahy said.
Leahy commended Burlington Electric for responding to the notice from DHS officials and reporting what it found, as it was asked to do.
By Tom Tiernan TTiernan@fosterreport.com
This article appears as published in The Foster Report No. 3130, issued January 6, 2017
Copyright © 2017 by Concentric Energy Publications, Inc. All rights reserved.