What keeps America’s top spy up at night cannot be patched or updated.
The Director of National Intelligence Dan Coats has said America’s infrastructure is “literally under attack” every day by foreign actors, but officials who operate a piece of that infrastructure, the electric grid, say the largest susceptibility stems from workers themselves.
“We firmly believe that any significant impact to our operations will come from some form of an insider” whether it is malicious or being unwittingly taken advantage of, said Joe Sagona, the senior director for cybersecurity at Pacific Gas & Electric, during a June 13 event.
That such a susceptibility is most likely to come from the one piece of America’s electric grid that does not run on ones and zeros is an alarming reality for an industry that has spent billions on cybersecurity.
In a series of webinars, the Department of Homeland Security and the Federal Bureau of Investigation is warning that the Russian government is conducting cyberattacks against an array of sectors that include energy, nuclear, water, aviation and critical manufacturing.
“The warning lights are blinking red," Coats said during a July 13 event at the Hudson Institute. "Think about New England in January, the grid going down for three days. A lot of people are going to suffer and die.”
Experts and reports tell a story of how Russian hackers have preyed on electric employees as a point of entry for their cyberattacks.
The “Dragonfly” group began attacking American and European energy companies in 2011, according to Symantec, a threat intelligence firm.
But the group went dark in around 2014. It was not for good. The quiet period was simply a lull before a comeback.
“They retooled,” said Jon DiMaggio, a senior threat intelligence analyst at Symantec. “Dragonfly” became “Dragonfly 2.0.” But DiMaggio said the group has shifted its focus to the U.S. and “became much closer to reaching the operational side," of the electric grid.
The Department of Homeland Security warns that each spearfishing email has “referred to control systems,” hoping to trick employees with technical language. Other hacks were launched by “Microsoft Word attachments that appeared to be legitimate résumés."
For the energy sector, the alleged Russian attacks come after nearly a decade of preparation.
Energy companies first took cyber vulnerabilities seriously around 2010, according to Scott Aaronson, head of security preparedness at the Edison Electric Institute. He added the industry has created threat sharing groups for cyberattacks and has built other technical defenses.
“Thirty companies representing 70 percent of electricity customers are on the CRISP network, which monitors network traffic and compares it to potential threat indicators,” Aaronson said.
But Russian attacks on the electric grid come at a moment of uncertainty in Moscow’s foreign policy.
"Geopolitics matters,” Aaronson said. “There is not a lot of doctrine around cyberattacks on civilian infrastructure. I think there needs to be some rules of the road.”
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.