So... was Vermont hacked or wasn’t it?
A December 31 story by the Washington Post, alleging that ‘Russian hackers had penetrated the US electric grid’, has been retracted in a highly publicised climbdown.
The original article drew charged comments from both Vermont Governor Peter Shumlin and Senator Patrick J. Leahy, with Gov. Shumlin decrying Vladimir Putin as ‘one of the world’s leading thugs’, and Sen. Leahy issuing a statement that described the move as “about trying to access utilities to potentially manipulate the grid and shut it down in the middle of winter”, which he said was “a direct threat to Vermont and we do not take it lightly”.
However, the article has since been corrected, with the following editor’s note:
“An earlier version of this story incorrectly said that Russian hackers had penetrated the U.S. electric grid. Authorities say there is no indication of that so far. The computer at Burlington Electric that was hacked was not attached to the grid.”
What actually happened?
After the December 29 release of the Department of Homeland Security (DHS) Joint Analysis Report entitled “Grizzly Steppe – Russian Malicious Cyber Activity”, officials from the DHS, FBI and NCCIC circulated the malware signatures codenamed Grizzly Steppe to 16 industry sectors across the United States.
On scanning their computers, engineers at the utility found evidence of malware on a single employee’s laptop and immediately isolated it from the network. There is no evidence it was used to compromise the electric grid in any way.
Burlington Electric stressed that the computer was not connected to any critical grid systems and cannot yet discern a potential motive for the hack. The Burlington Electric Department is city-owned, and only serves about 19,600 customers.
The statement released by Burlington Electric General Manager, Neal F. Lunderville:
“We acted quickly to scan all computers in our system for the malware signature. We detected suspicious Internet traffic in a single Burlington Electric Department computer not connected to our organization’s grid systems. We took immediate action to isolate the laptop and alerted federal officials of this finding. There is no indication that either our electric grid or customer information has been compromised. Media reports stating that Burlington Electric was hacked or that the electric grid was breached are false. Cybersecurity is an issue that Burlington Electric and all U.S. utilities take very seriously. We focus every day to protect the integrity of the electric grid and the personal information of our valued customers. Federal officials have indicated that this specific type of Internet traffic also has been observed elsewhere in the country and is not unique to Burlington Electric. It’s unfortunate that an official or officials improperly shared inaccurate information with one media outlet, leading to multiple inaccurate reports around the country.”
Just like any other product, malware is openly traded across the Internet. The malware found on the Burlington Electric laptop was certainly Russian-made, and related to that used against the DNC earlier this year. However, to extrapolate further that ‘Russian hackers have attacked American infrastructure’ or that ‘the US power grid has been compromised’ is irresponsible scaremongering.
Regardless, the wider point that the corrected Washington Post article makes regarding critical infrastructure security is well made. The best-known example of a critical infrastructure cyberattack is still the attack on industrial control systems at the Prykarpattyaoblenergo Control Center in Western Ukraine, which overwrote firmware on devices at 16 substations and left 230,000 without power for up to six hours in December 2015. CEO of Country Risk Solutions, Daniel Wagner, commented at the time that in fact the Ukrainian control systems were ‘surprisingly more secure than some in the US, since they were well-segmented from control center business networks, with robust firewalls’.
Have your say – how do you think cyberattacks should be reported?