by Selena Larson - August 6, 2018
The US electric grid is not about to go down. Though it’s understandable if someone believed that. Over the last few weeks, numerous media reports suggest state-backed hackers have infiltrated the US electric grid and are capable of manipulating the flow of electricity on a grand scale and cause chaos.
Threats against industrial sectors including electric utilities, oil and gas, and manufacturing are growing, and it's reasonable for people to be concerned. But to say hackers have invaded the US electric grid and are prepared to cause blackouts is false.
The initial reporting stemmed from a public Department of Homeland Security (DHS) presentation in July on Russian hacking activity targeting US electric utilities. This presentation contained previously-reported information on a group known as Dragonfly by Symantec and which Dragos associates to activity labeled DYMALLOY and ALLANITE.
These groups focus on information gathering from industrial control system (ICS) networks and have not demonstrated disruptive or damaging capabilities. While some news reports cite 2015 and 2016 blackouts in Ukraine as evidence of hackers’ disruptive capabilities, DYMALLOY nor ALLANITE were involved in those incidents and it is inaccurate to suggest the DHS’s public presentation and those destructive behaviors are linked.
Adversaries have not placed “cyber implants” into the electric grid to cause blackouts; but they are infiltrating business networks – and in some cases, ICS networks – in an effort to steal information and intelligence to potentially gain access to operational systems. Overall, the activity is concerning and represents the prerequisites towards a potential future disruptive event – but evidence to date does not support the claim that such an attack is imminent.
The US electric grid is resilient and segmented, and although it makes an interesting plot to an action movie, one or two strains of malware targeting operational networks would not cause widespread blackouts. A destructive incident at one site would require highly-tailored tools and operations and would not effectively scale. Essentially, localized impacts are possible, and asset owners and operators should work to defend their networks from intrusions such as those described by DHS. But scaling up from isolated events to widespread impacts is highly unlikely.
Threats against the electric grid and other ICS industries continue to increase in both number and strength – for instance Dragos just publicly identified a new activity group engaging in electric utility information gathering – but the US is not on the precipice of a hacker-caused blackout.