Threat of Russian cyberattack prompts energy firms to collaborate with U.S. government

The cables meet at the entrance point of the table inside the control room at the Greater Des Moines Energy Center in Pleasant Hill, Iowa, on March 29. (KC McGinnis for The Washington Post)

The war in Ukraine put them on high alert

DES MOINES – In February, as Russian troops piled up on Ukraine’s border, executives at a major energy company worked with U.S. energy and home security officials to draft a handbook and help prepare the electricity sector to deal with potential Russian cyber attacks.

Berkshire Hathaway Energy officials were among a small group that wrote the guidelines, emphasizing the importance of quickly sharing information about cyber attacks between industry and government.

As President Biden warned last month of intelligence developments that Russia is investigating possible cyber attacks on U.S. critical industries, companies such as Berkshire Hathaway Energy and the U.S. government are on alert. After years of what critics saw as claims, cybersecurity co-operation between the federal government and some critical industries has revived, officials and industry leaders say, and could be put to the test as Russian government hackers question the defense of US power plants, banks and telecoms. .

Biden warns US companies to protect themselves from Russian cyber attacks

“Cooperation between government and the private sector has improved exponentially in recent years,” said Bill Fehrman, president and CEO of Berkshire Hathaway Energy (BHE), which provides 12 million dollars worth of electricity from wind, solar, natural gas and coal. customers in the United States, Canada and the United Kingdom. “The main advantage,” he said, “is more efficient transfer of information from the front line – the company – to the government, and timely receipt of useful information from the government.”

In particular, he said, the declassification of information from the government “took months to hours in some cases”.

Berkshire Hathaway Energy is so large – one of the largest electricity generation companies in North America in terms of customers – that officials say its systems have been disrupted by a Russian cyber attack, and the impact on American lives has been significant. At the same time, they say, practices such as those adopted by BHE, whose executive director chairs a group for the electricity sector that coordinates with the federal government, can serve as a model for the industry.

As a cold wind blew from the farm fields an hour northwest of Des Moines, the 10,000-horsepower engine heat and the smell of oil filled the compressor room. The engine, which blows so loudly, workers wear earplugs, drives pistons that compress natural gas. The Ogden compressor station is a single station along a 13,000-mile-long northern natural gas pipeline, which is part of the BHE and full of similar stations every 60 miles or so. Compressed gas is supplied from one station to another by relay mode, serving homes, hospitals and power plants from Bakersfield, Texas, to the upper Michigan Peninsula.

Russian government hackers have penetrated the business networks of the American energy and nuclear energy

There have never been cyber attacks on any industrial control system within BHE and its 11 branches. This is due to the strict security measures introduced over the past eight years, said Chief Security Officer Michael Ball. No operating network is connected to the Internet, and third-party vendors who come for maintenance follow strict rules, including a ban on including any external hardware in the system.

But even though its industrial control or operational technology (OT) systems are not connected to the Internet, the company still needs to ensure that traffic flowing within its systems is not contaminated with malware.

In a campaign launched by the White House a year ago to strengthen cyber defense of critical sectors, Berkshire Hathaway Energy has implemented sensor software in its OT networks to look for malicious activity and vulnerabilities. The software, which was chosen by the company and developed by the company Dragos, reveals the suspicious turnover of actors from nation states. It also anonymizes the data and makes it available to analysts at the National Security Agency, the Energy Department, and the Cyber ​​Security and Infrastructure Security Agency of the Homeland Security Department. [CISA].

“We have confirmed that foreign countries are active in their targeting of US energy industry control systems,” said Robert M. Lee, CEO of Dragos, whose software allows the government to send inquiries to companies to see if they have detected the presence of certain opponents.

By the end of the first 100-day campaign, which focused on power generation companies, nearly 60 percent of U.S. electricity buyers were covered by companies that had or pledged to have commercial cyber threat sensors on their OT networks, he said. is Fehrman, who coordinated efforts across the sector.

This was followed by work with the natural gas sector, and in January work began in the water sector.

“If there is a power outage, or if there is an oil and gas disruption, or if there is a disruption to clean water, it really affects the lives of Americans,” said Anne Neuberger, deputy national security adviser for cyber and new technologies. “Cooperation between companies and government, the installation of commercial sensors, in-depth information exchange is an important contribution to the resilience of the sector,” she said.

Although Biden’s warning last month was based on intelligence gathered by the US government, the sensors were helpful for further insight, U.S. officials said.

Five years ago, Russian government hackers broke into the OT systems of some American power companies, but the intrusions were not immediately detected. It took some companies months to realize they were infiltrated. Sensors should drastically shorten that time, U.S. and company officials said.

Last year, Russian criminals ransom the Colonial Pipeline, hijacking the company’s administrative computer network. Fearing that the malware could spread to the OT system, the company closed its fuel line for five days, sparking mass panic at East Coast gas stations and raising concerns that Russia could target other critical companies.

New emergency cyber regulations for pipelines are provoking various criticisms

The abundance of targets in the American industry led CISA to call on companies in February to strengthen their cyber defense in a campaign that the agency called “Shields Up”.

Recently, a senior intelligence analyst on threats at BHE’s global security operations center erected a dashboard on a large screen on the wall, displaying some 3,000 Russian “compromise indicators” or IP addresses and other digital clues linked to cyber attacks on government systems of Ukraine since January. The IOCs, as they are called, came from DHS, the Canadian Center for Cyber ​​Security, government agencies and the Department of Energy, as well as from industrial companies that share information on collective and private intelligence on threats.

In years past, companies could have gotten this kind of data, but by the time they got it, “the chances are really good that I already knew about it,” Ball said. “It’s reversed now and we see things faster, more things we haven’t heard of yet.”

And, more importantly, the company’s executives say, the quality of some of that information has improved.

“We have received ‘effective intelligence’ – extremely useful feedback that we can implement,” Fehrman said. These are intelligence obtained by the US government’s breakthrough into adversary systems abroad, and enhanced with more information that, for example, tells companies which threat is really significant, which techniques hackers use, which machines they target – sometimes for production and model – and which defensive actions should be taken as a result.

A major milestone in enabling some of the cooperation fueled by the crisis in Ukraine was a congressional mandate that CISA set up a 24-hour center to share real-time threat information that includes staff from key industry sectors as well as the FBI, DHS, NSA, energy and treasury departments, among others. The result was the launch last summer of what CISA Director Jen Easterly called Joint Cyber ​​Defense Cooperation.

The JCDC has “created a plateau,” said Tom Fanning, executive director of energy giant Southern Company and a member of the Solarium Commission, which recommended the formation of the Collaborative. “As we mature the process, it will get better and better and better.”

One of the main participants in the JCDC Information Exchange Center is the Energy Threat Analysis Center of the Ministry of Energy, which was established in January to enable companies and the government to jointly analyze threats and develop measures to address them.

It will also return this information to the JCDC. “If we see a threat to the energy system of industrial control, we certainly want to ensure that information reaches other sectors such as water and chemicals,” [which] they have similar systems, ”said Puesh Kumar, director of the Office of Cyber ​​Security, Energy Security and Emergency Response.

In February, the White House appointed CISA Executive Director Brandon Wales to work to ensure the government could deal with a Russian cyber attack, including any physical consequences arising in the public or private sector.

Biden’s executive order aims to strengthen the federal cyber defense

“Overall, we are more prepared now than ever before,” Wales said.

“Russian malicious cyber actors have posed a major threat to the US government and critical infrastructure since before the invasion of Ukraine,” he said, “and they will pose a threat once this current crisis is resolved.