Farmington utility always on guard against cyberattack
European malware not detected in U.S. systems
FARMINGTON — While cybersecurity experts mull a troubling new strain of malware that wreaked havoc on a power system in Europe, Farmington’s largest regional power supplier is wasting no time staying on top of it and any other brewing threats to the Four Corners grid.
Farmington Electric Utility System Director Hank Adair promptly met with cybersecurity adviser Linda Jacobson Quinn, the utility’s regulatory compliance manager, when a Level 1 public alert came out on June 13.
“None of this has been detected in the U.S. at this time,” Adair said of the latest threat to target the Ukrainian power system.
The latest in a series of alerts and updates about the “CrashOverride” malware does not point to an immediate threat to U.S. power systems, but the U.S. Department of Homeland Security also doesn’t rule one out in the future if the malware is modified to affect a domestic target.
“There is no evidence to suggest this malware has affected U.S. critical infrastructure,” Homeland Security’s National Cybersecurity and Communications Integration Center reported June 13. “However, the tactics, techniques, and procedures (TTPs) described as part of the CrashOverride malware could be modified to target U.S. critical information networks and systems.”
Farmington takes security seriously
Quinn said Farmington complies with all regulatory reporting and security requirements.
Adair and Quinn said there are many layers of security and malware threat detection systems protecting Farmington’s power system, including a separate network covering Farmington’s bulk distribution network.
“We’re among the more regulated bodies when it comes to cybersecurity," Quinn said. " ... But as a best practice, we go above and beyond those requirements.”
The utility serves about 45,000 customers.
Quinn and Adair described a network of industry reporting groups that operate and share information much as the Centers for Disease Control does for disease outbreaks. Members report intrusions and suspicious phishing schemes aimed at tricking an unwitting employee into introducing damaging malware into a system.
Quinn also noted the complexity of the malware in the alert, which was tailored to the unique weaknesses of the Ukrainian utility’s system. If deployed here, she said, that exact malware would not work.
But government officials are not worried about one cookie-cutter virus; they’re worried about the increasing sophistication of hackers and their ability to study and target individual power systems.
The recent alert underscores findings in the January 2017 government report on issues facing U.S. electrical grids compiled by the Quadrennial Energy Review Task Force. That federal body includes the departments of Energy and Homeland Security, and the Army Corps of Engineers.
“The electricity system faces a range of growing threats to its reliability and security,” the report stated in part.
As hackers watch, and learn
Aside from natural disasters and aging infrastructure, a top concern is the existence of patient hackers willing to study a system at length to find its key vulnerabilities.
“Malicious cyber activity against the electrical system and its suppliers is growing in sophistication,” the task force report states. “The cyber attack on Ukraine’s regional electricity distribution companies in December 2015 serves as a warning.”
Around 225,000 customers lost power in that incident when three regional distribution companies were attacked simultaneously and the intruders remotely opened breakers at their substations. The attack took meticulous preparation and is thought to have been politically motivated.
The report said U.S. security officials are worried about the potential for such attacks, echoing what the head of U.S. Cyber Command and the National Security Agency told the House Select Committee on Intelligence in 2014.
“There shouldn’t be any doubt in our minds that there are nation-states and groups that have the capability (to do that), to enter into our systems … and to shut down … our ability to operate our basic infrastructure,” NSA chief Michael S. Rogers testified.
A network of small devices
The task force report cited another tool for attacking power grids: the “Mirai botnet” attack, turned loose in October 2016, which harnessed many infected devices at once. That distributed denial of service attack flooded multiple online targets with traffic in order to knock them offline.
One new wrinkle for cybersecurity defenders is hackers’ use of devices ranging from a heart monitor to a sensor on a car, or, as one online source describes it, anything that can be assigned an IP address.
Techtarget.com defines the Internet of Things (IoT) as “a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.”
The task force report cites these devices as a complicating factor.
“Attacks against the internet systems that support the U.S. power grid, like the Mirai botnet attack, are of particular concern,” the report stated. “ ... With the rapid deployment of IoT devices worldwide, including smart printers, home routers, monitors, cameras and thousands of others, the opportunity for hackers to disrupt flows of electricity is growing significantly.”
New malware may be a “test”
The Associated Press reported earlier this month that the malicious software can remotely sabotage circuit breakers, switches and protection relays, with serious consequences for power providers and their customers.
A report published in early June blames the software for a brief blackout in Ukraine late last year and warns that the threat is worldwide.
"The potential impact of malware like this is huge," Robert Lipovsky, a researcher who helped create the report for Slovakian anti-virus firm ESET, told AP. "It's not restricted to Ukraine. The industrial hardware that the malware communicates with is used in critical infrastructure worldwide."
AP reports that in 2010, researchers discovered Stuxnet, a groundbreaking piece of malware apparently designed to sabotage Iran's nuclear program by sending its centrifuge machines spinning out of control.
Last year's power outage appears to have been a sequel to Stuxnet. Ukrainian officials have already described the Dec. 17, 2016, outage at a transmission facility outside Kiev, the capital city, as a cyberattack. The report drawn up by ESET and Dragos, Inc. — a Maryland-based firm that specializes in industrial cybersecurity — adds technical details, saying that the malware was designed to communicate directly with industrial control systems, flipping circuit breakers on and off with a string of code before mass-deleting data in a bid to cover its tracks.
The level of sophistication needed to write code for the generally obscure industrial controllers that operate the world's electrical grids suggests a group of hackers well-versed in the field and with the resources to test their creations in the lab, the report said.
Lipovsky declined to be drawn on who might be behind the malware, although Ukrainian officials have in the past laid the blame for such intrusions on Russia.
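What “flipping circuit breakers on and off with a string of code” looks like on the wire, and how a utility’s network monitor can catch it, is easier to see in code. The example below is added here and is not from the article, ESET, Dragos or the Farmington utility. It assumes the breaker commands travel over IEC 60870-5-104 (one of the substation protocols CrashOverride is publicly documented to speak; the article itself names none), and the IP addresses, the allowlist of hosts permitted to send controls, and the captured frames are all constructed for the example. It decodes each APDU, ignores everything that is not a control command in the command direction, and raises an alert when a control comes from a host that is not the SCADA master or when one point is executed repeatedly inside a short window.

```python
"""Flag IEC 60870-5-104 breaker-control commands from unexpected hosts and
rapid open/close toggling. Added example; protocol layout is IEC 104, all
addresses, the allowlist and the sample frames are constructed."""
from collections import defaultdict
from typing import Optional

# Hypothetical policy: only the SCADA master/HMI may issue control commands.
ALLOWED_CONTROL_SOURCES = {"10.10.1.5"}
TOGGLE_LIMIT = 3          # executes on one point within the window that trigger an alert
TOGGLE_WINDOW_S = 10.0

# ASDU type identifiers for process-control commands (control direction).
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}


def build_i_frame(type_id, cot, common_addr, ioa, element, send_seq=0, recv_seq=0) -> bytes:
    """Build one I-format APDU carrying a single information object (used to
    construct the sample capture; also shows the byte layout a monitor sees)."""
    ctrl = bytes([(send_seq << 1) & 0xFF, (send_seq >> 7) & 0xFF,
                  (recv_seq << 1) & 0xFF, (recv_seq >> 7) & 0xFF])
    asdu = bytes([type_id, 0x01,                 # type id, VSQ: one object, SQ=0
                  cot, 0x00,                      # cause of transmission, originator addr
                  common_addr & 0xFF, common_addr >> 8,
                  ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF,
                  element])
    body = ctrl + asdu
    return bytes([0x68, len(body)]) + body       # start byte, APDU length


def parse_apdu(buf: bytes) -> Optional[dict]:
    """Decode an IEC 104 APDU. Returns None for S/U-format or malformed frames.
    Only the first information object is decoded."""
    if len(buf) < 6 or buf[0] != 0x68 or buf[1] + 2 != len(buf):
        return None
    if buf[2] & 0x01:            # S-format (ack) or U-format (link test): no ASDU
        return None
    asdu = buf[6:]
    if len(asdu) < 10:           # 6-byte header + 3-byte IOA + at least one element byte
        return None
    type_id = asdu[0]
    elem = asdu[9]
    info = {
        "type_id": type_id,
        "cot": asdu[2] & 0x3F,   # bits 0-5; bit 6 = P/N, bit 7 = test flag
        "test": bool(asdu[2] & 0x80),
        "common_addr": asdu[4] | (asdu[5] << 8),
        "ioa": asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),
        "select": None, "command": None,
    }
    if type_id in (45, 58):      # SCO: bit 0 = on/off, bit 7 = select(1)/execute(0)
        info["select"] = bool(elem & 0x80)
        info["command"] = "ON" if elem & 0x01 else "OFF"
    elif type_id in (46, 59):    # DCO: bits 0-1 = 1 off, 2 on (0 and 3 not permitted)
        info["select"] = bool(elem & 0x80)
        info["command"] = {1: "OFF", 2: "ON"}.get(elem & 0x03, "INVALID")
    return info


def analyze(frames):
    """frames: iterable of (timestamp, src_ip, dst_ip, raw_apdu). Returns alerts."""
    alerts = []
    executes = defaultdict(list)  # (src, common_addr, ioa) -> recent execute timestamps
    for ts, src, dst, raw in frames:
        info = parse_apdu(raw)
        if info is None or info["type_id"] not in CONTROL_TYPES:
            continue
        # COT 6 (activation) / 8 (deactivation) come from the controlling station;
        # 7, 9, 10 are the RTU's replies and must not count as commands.
        if info["cot"] not in (6, 8):
            continue
        name = CONTROL_TYPES[info["type_id"]]
        if src not in ALLOWED_CONTROL_SOURCES:
            alerts.append({"rule": "unexpected_source", "ts": ts, "src": src, "dst": dst,
                           "ioa": info["ioa"],
                           "detail": f"{name} {info['command']} from non-allowlisted host"})
        if info["cot"] == 6 and info["select"] is False:      # an execute, not a select
            key = (src, info["common_addr"], info["ioa"])
            recent = [t for t in executes[key] if ts - t <= TOGGLE_WINDOW_S] + [ts]
            executes[key] = recent
            if len(recent) >= TOGGLE_LIMIT:
                alerts.append({"rule": "rapid_toggle", "ts": ts, "src": src, "dst": dst,
                               "ioa": info["ioa"],
                               "detail": f"{len(recent)} executes on point in {TOGGLE_WINDOW_S}s"})
    return alerts


# Constructed capture: HMI 10.10.1.5, RTU 10.10.2.20, unknown host 10.10.7.42.
SAMPLE_FRAMES = [
    (0.0, "10.10.1.5", "10.10.2.20", build_i_frame(100, 6, 1, 0, 0x14)),   # station interrogation
    (0.5, "10.10.1.5", "10.10.2.20", bytes([0x68, 0x04, 0x43, 0x00, 0x00, 0x00])),  # U-frame TESTFR act
    (1.0, "10.10.1.5", "10.10.2.20", build_i_frame(46, 6, 1, 1001, 0x82)),  # HMI: select ON (no execute)
    (5.0, "10.10.7.42", "10.10.2.20", build_i_frame(46, 6, 1, 1001, 0x01)), # unknown host: execute OFF
    (5.5, "10.10.7.42", "10.10.2.20", build_i_frame(46, 6, 1, 1001, 0x02)), # unknown host: execute ON
    (6.0, "10.10.7.42", "10.10.2.20", build_i_frame(46, 6, 1, 1001, 0x01)), # unknown host: execute OFF
    (6.2, "10.10.2.20", "10.10.7.42", build_i_frame(46, 7, 1, 1001, 0x01)), # RTU activation confirm
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_FRAMES):
        print(f"{a['ts']:5.1f} {a['rule']:17} {a['src']} -> {a['dst']} IOA {a['ioa']}: {a['detail']}")
```

Run as written, the three executes from 10.10.7.42 each raise an unexpected-source alert and the third also trips the toggle rule, while the HMI’s interrogation and select, the link-test frame and the RTU’s confirmation are ignored. A real deployment would read the frames from a span port rather than a list and would draw the allowlist and the per-point rate limit from the utility’s own engineering records.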
Ukrainian officials didn't immediately return a message seeking comment on the report.
Despite the malware's sophistication, the 2016 incident had relatively little impact.
"Maybe it was a test," said Lipovsky, before adding that that was no reason not to take the malware seriously.
"This could affect hundreds of thousands of people," he said.
Associated Press Cybersecurity Writer Raphael Satter contributed the last seven paragraphs of this report.