Several U.S. government agencies issued an alert warning of the discovery of cyber tools that could allow hackers to take over computer systems at energy facilities.
Using the tools, a hacker would be able to get into a company’s security network and “disrupt critical devices or functions.” The alert was released by the Energy and Homeland Security Departments, the FBI and the National Security Agency.
U.S. agencies did not identify the group responsible for the tool, but Mandiant, a cybersecurity firm that analyzed the tools, said in a report that it was likely state-sponsored and consistent with Russia’s historical interests. The tool, labeled INCONTROLLER by Mandiant analysts, has “exceptionally dangerous” capabilities that can lead to “disruption, sabotage, and potentially physical destruction” of targeted equipment.
“While our evidence connecting INCONTROLLER to Russia is largely circumstantial, we note it given Russia’s history of destructive cyber attacks, its current invasion of Ukraine, and related threats against Europe and North America,” the Mandiant report says.
Analysts said it is similar to other programs that caused a 2016 power outage in Ukraine and sabotaged the Iranian nuclear program around 2010.
The alert is the latest in a series of cybersecurity risks to U.S. companies and parts of critical infrastructure. U.S. officials have already warned companies operating pipelines and other pieces of the energy grid to be on the lookout for possible cyberattacks from Russia in response to severe economic sanctions as a result of the invasion of Ukraine.
Betsy Jones, COO of critical infrastructure cybersecurity provider Fortress, said utility companies have several systems in place to detect interference and the federal government has stepped up to monitor for potential threats.
“If I’m monitoring the traffic, you’re going to have both the intelligence community as well as the utility companies themselves looking at the traffic and trying to identify whether something looks nefarious,” Jones said. “If it is, the other thing that we’ve been really successful in doing is creating, I’ll say, a 911 clearinghouse where that information can get shipped out in pretty quick fashion across so if it happens to one, then everybody knows and everybody can be basically put out on the lookout for it to happen and hopefully to stop it in its tracks.”
After a pipeline hack that disrupted gas supplies for much of the East Coast in 2021, the Transportation Security Administration ordered pipeline operators to bulk up cybersecurity to prevent future issues.
Jones, a former cybersecurity chief for Exelon, said the burden to protect the security of the networks that operate the country’s utility infrastructure needs to fall on the companies because every network and the way it operates is unique.
“It would be very difficult for a federal agency to keep track of all of that,” she said. “What they’ve basically done is say they’ve given us minimal viable standards to say, ‘at the most or at the minimum, you need to do this to protect your infrastructure.’”
While the federal government has stepped up its efforts to intervene in cyberattacks, there is still more to be done. Figuring out how to prioritize the timing against the specificity of the warnings is one of the main challenges.
“It’s kind of the quintessential question that we’re grappling with right now, of how far do you need to go before you can release the information?” Jones asked. “Is there value in just pushing it out and we’ll figure out reactionary stuff on our own and leaving it up to us or do you have to put collective steps 1 through 10 on there before it leaves the door?”
Another challenge utility companies are facing is a lack of minimum security standards from vendors that supply the parts and machinery necessary to operate.
“That is not something that is standardized right now; that is our biggest opportunity,” Jones said. “So, look outside of the utilities and start to look at who we’re connected to. And are those connected companies expected to uphold the same type of cyber standards right now? They are not.”
Jones said there is also a lack of cyber talent to go around for all the companies in the industry and it will be important to leverage the limited pool of experts and figure out a way to communicate effectively between utility companies and their vendors.
“Is there a better way that we can leverage that talent? Because it feels right now like everybody’s vying for the same type of people to work and there’s not enough coming out of ... the collegiate level,” she said.