Amid ongoing cyberattacks on critical infrastructure in the United States and warnings of an imminent assault on the United Kingdom's power grid, a U.S. senator expressed frustration with U.S. Energy Secretary Rick Perry over perceived inaction by the Trump administration in assessing and responding to threats posed by Russian government-backed hackers.
U.S. Energy Secretary Rick Perry told a Senate panel that he thinks his department is conducting a cybersecurity risk assessment of energy systems after nearly a year of repeated calls from Democrats to do so.
A joint March 15 alert from the FBI and U.S. Department of Homeland Security blamed the Kremlin for a two-year-old hacking campaign to infiltrate and spy on the computer networks of U.S. government entities and critical infrastructure, including the power grid and the business and administrative networks of analog-controlled nuclear power plants.
"If the FBI and the Department of Homeland Security's recent admission is not a siren [for alarm], then I don't know what is," said Sen. Maria Cantwell, D.-Wash., at a March 20 hearing of the Senate Committee on Energy and Natural Resources.
Cantwell, the ranking committee member, pressed Perry on why the Trump administration has ignored repeated calls for nearly a year to conduct a thorough cybersecurity risk assessment of North American energy systems and an analysis of Russian hacking abilities.
"I think that [assessment] is going on as we speak," answered Perry, adding that three U.S. Department of Energy divisions, which focus on cybersecurity, continue to meet and coordinate strategy.
Cantwell and 19 other Democratic lawmakers first asked President Donald Trump in June 2017 to conduct the risk assessment after suspected Russian government-sponsored hackers deployed malware designed to target electric grids in a December 2016 attack on Kiev, Ukraine's capital. Known as CrashOverride, the malware disabled three electricity distribution sites, resulting in a blackout.
Perry told the senators that the DOE in February created the Office of Cybersecurity, Energy Security and Emergency Response, or CESER, in response to Russian cyberattacks over the past few years.
Cantwell also expressed concern that the Trump administration is only increasing DOE funding for cybersecurity by 10% and is under-funding CESER at an initial proposed budget of $96 million for fiscal year 2019. Perry responded that the DOE is proposing to spend money elsewhere that will benefit cybersecurity, including to boost research and development funding for supercomputers by 31%. "Our ability to be able to manage massive amounts of data is going to be ... tantamount to our success in combating the cyberattacks," he said.
In response to the FBI cybersecurity alert, the grid reliability organization the North American Electric Reliability Corporation affirmed in an email that no threats have been reported that could disable the bulk power system. Kevin McIntyre, chairman of the Federal Energy Regulatory Commission, said in a March 16 post on Twitter that the regulatory agency "will continue to be vigilant to ensure our electrical grid remains reliable and resilient."
Control system security consultant Ralph Langner, who helped crack the code of the Stuxnet computer virus, which sabotaged Iran's nuclear program, cautioned on Twitter that it would take an average industrial facility "approximately five years to arrive at a meaningful cybersecurity posture — if they started tomorrow. Let's hope those Russians are not in a rush."
Vigilance across the pond
"Make no mistake, Russia is preparing for a cyber attack on our critical infrastructure," tweeted former U.S. deputy assistant secretary of defense Michael Carpenter, who now serves as senior director of the Penn Biden Center at the University of Pennsylvania. "They've been preparing for decades ... We (or our allies) could be next."
As reported by The Times, the U.K. government has alerted its power grid operator National Grid plc, the Sellafield nuclear fuel reprocessing and nuclear decommissioning site, utilities, hospitals and government agencies that they could face denial-of-service attacks to shut down their websites and attempt to steal information. The alert from the United Kingdom's National Cyber Security Centre comes on the heels of new Western sanctions against Russia following the attempted assassination of a former Russian military intelligence operative and his daughter with a nerve agent in Salisbury, England, on March 4.
Ciaran Martin, head of the National Cyber Security Centre, warned in January that "it is a matter of when, not if," Britain and Northern Ireland are hit with a "category one" cyberattack that results in the loss of life or the disruption of critical systems, including a widespread and sustained power outage. British institutions have so far been focused on cyberdefense, but Conservative Prime Minister Theresa May has indicated she has not ruled out going on the offensive by launching a cyberattack against Russia.