According to federal documents released to USA Today under a Freedom of Information Act request, systems at the Department of Energy were infiltrated by attackers more than 159 times between the years 2010 and 2014.
According to the report, there were 1,131 total attempted cyberattacks; the 159 were only those that managed to get through.
According to the USA Today story, “Records: Energy Department struck by cyber attacks,” DOE officials would not disclose whether sensitive data was accessed or stolen, or if foreign governments are thought to have been involved in the attacks.
“The potential for an adversary to disrupt, shut down (power systems), or worse … is real here,” Scott White, Professor of Homeland Security and Security Management and Director of the Computing Security and Technology program at Drexel University, told USA Today. “It’s absolutely real,” White is quoted as saying.
It certainly is real: the DOE is the nation’s watchdog for the nuclear weapons arsenal and power grid.
It appears, according to the federal documents available for review, that the breached networks were the business and office networks, and not the networks running critical infrastructure, which should, theoretically, be air-gapped.
The threat against the energy network is serious and potentially very costly. According to research conducted by Lloyd’s on what the insurer called “plausible” cyberattacks against the US power grid, such attacks would result in significant costs:
- The attackers are able to inflict physical damage on 50 generators that supply power to the electrical grid in the Northeastern USA, including New York City and Washington, DC.
- While the attack is relatively limited in scope (nearly 700 generators supply electricity across the region) it triggers a wider blackout which leaves 93 million people without power.
- The total impact to the U.S. economy is estimated at $243bn, rising to more than $1trn in the most extreme version of the scenario.
- Insurance claims arise in over 30 lines of insurance. The total insured losses are estimated at $21.4bn, rising to $71.1bn in the most extreme version of the scenario.
- A key requirement for an insurance response to cyber risks will be to enhance the quality of data available and to continue the development of probabilistic modelling.
Relatedly, the security of industrial control systems has drawn a lot more attention recently. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) recently issued an alert regarding vulnerabilities within a software program that helps administrators manage SCADA systems by visualizing the automation environment. Some of the problems, which include locally exploitable flaws and local file inclusion issues, were first exposed during a presentation at the recent DEF CON security conference.
The attention to industrial control security has markedly increased in the past four years with 80% of all published ICS vulnerabilities occurring since 2011. That’s the year after the Stuxnet malware was discovered.
Also, Thursday of last week, experts warned the Subcommittee on Oversight and Subcommittee on Energy during a hearing that significant vulnerabilities remain in America’s power grid.
USA Today quoted Rep. Don Beyer, D-Va., as stating that much has been done, but more needs to be done. “There are a number of new technologies, analytical tools, and operational measures that are being developed and tested to make the grid more resilient,” Beyer wrote to the Congressional watchdog agency. “But it is not clear how well these efforts will address the needs of power companies, utilities or governments or will be implemented by them.”