DES MOINES — In February, as Russian troops massed on Ukraine’s border, executives with a major energy firm here worked with U.S. energy and homeland security officials to draw up a playbook and help prepare the electricity sector to deal with potential cyberattacks by Russia.
U.S. government and energy firms close ranks, fearing Russian cyberattacks
The Ukraine war has put them on high alert
With President Biden warning last month of evolving intelligence that Russia is exploring possible cyberattacks against American critical industries, companies such as Berkshire Hathaway Energy and the U.S. government are on high alert. After years of what critics saw as lip service, cybersecurity collaboration between the federal government and some critical industries has taken root, officials and industry leaders say, and it could be put to the test as Russian government hackers probe the defenses of American power plants, banks and telecommunications networks.
“The collaboration between government and the private sector has seen exponential improvement over the last couple of years,” said Bill Fehrman, president and chief executive of Berkshire Hathaway Energy (BHE), which provides electricity generated by wind, solar, natural gas and coal to 12 million customers in the United States, Canada and Britain. “The main benefit,” he said, “is the more efficient transfer of information from the front line — the companies — to the government, and getting usable information back from the government in a timely manner.”
In particular, he said, the declassification of information from the government “has gone from months to in some cases hours.”
BHE is so large — one of the biggest electricity companies in North America by number of customers — that if its systems were disrupted by a Russian cyberattack, officials say, the impact on Americans’ lives would be substantial. At the same time, they say, practices such as those adopted by BHE, whose CEO chairs the electricity sector group that coordinates with the federal government, can serve as a model for the industry.
As a chill wind whipped off the farm fields an hour northwest of Des Moines, the warmth from a 10,000-horsepower engine and the smell of oil filled a compressor room. The engine, chugging so loudly workers wear earplugs, powers pistons that compress natural gas. The compressor station in Ogden is one stop along the 13,000-mile-long Northern Natural Gas pipeline, which is part of BHE and studded with similar stations every 60 miles or so. The compressed gas is fed from one station to another in relay fashion, serving homes, hospitals and power plants from Bakersfield, Tex., to Michigan’s Upper Peninsula.
There has never been a cyberattack on any industrial control system within BHE and its 11 subsidiaries. That is because of strict security measures imposed over the past eight years, said Chief Security Officer Michael Ball. No operational network is connected to the Internet, and third-party vendors coming in to do maintenance follow stringent rules, including a ban on plugging any outside hardware into the system.
But although its industrial control or operational technology (OT) systems are not connected to the Internet, the company still has to ensure that traffic flowing within its systems is not contaminated by malware.
In a campaign launched by the White House a year ago to boost the cyberdefenses of critical sectors, BHE deployed sensor software in its OT networks to look for malicious activity and vulnerabilities. The software it chose, developed by a company called Dragos, detects suspicious traffic from nation-state actors. It also anonymizes the data and makes it available to analysts at the National Security Agency, the Energy Department and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
“We have confirmed foreign states are active in their targeting of U.S. energy industrial control systems,” said Robert M. Lee, CEO of Dragos, whose software allows the government to send queries to the companies to see whether they have detected the presence of certain adversaries.
By the end of the first 100-day campaign, which focused on electricity companies, almost 60 percent of electricity customers in the United States were covered by companies that had or pledged to have commercial cyberthreat sensors on their OT networks, said Fehrman, who coordinated the effort across the sector.
Work with the natural gas sector followed, and in January an effort for the water sector began.
“If power is disrupted, or if oil and gas is disrupted, or if clean water is disrupted, that really affects Americans’ lives,” said Anne Neuberger, deputy U.S. national security adviser for cyber and emerging technology. “The collaboration between companies and with the government, the deployment of commercial sensors, the deepened information-sharing has been an important contribution to the sectors’ resilience,” she said.
Though Biden’s warning last month was based on intelligence gathered by the U.S. government, the sensors were helpful for additional insight, U.S. officials said.
Five years ago, Russian government hackers penetrated the OT systems of some American electricity companies, but the intrusions were not detected immediately. It took some companies months to realize they had been infiltrated. The sensors should cut that time drastically, U.S. and company officials said.
Last year, Russian criminals carried off a ransomware attack on Colonial Pipeline, snarling up the company’s administrative computer network. Out of fear that the malware might spread to the OT system, the company shut down its fuel pipeline for five days, prompting panic-buying at gas stations on the East Coast and raising concerns that Russia might target other critical companies.
The abundance of targets in American industry prompted CISA to issue a call in February to companies to harden their cyberdefenses in a campaign the agency dubbed “Shields Up.”
On a recent day, a senior threat intelligence analyst at BHE’s global security operations center pulled up a dashboard on a large screen on a wall, displaying some 3,000 Russian “indicators of compromise,” or IP addresses and other digital clues that had been tied to cyberattacks on Ukraine government systems since January. The IOCs, as they are called, came from the DHS; the Canadian Center for Cyber Security, a government agency; and the Energy Department; as well as an industry information-sharing collective and private threat intelligence companies.
In years past, companies might get this sort of data, but by the time it got to them, “chances are really good I already knew about it,” BHE’s Ball said. “Now it’s flipped, and we’re seeing stuff faster, more of the stuff we haven’t already heard about.”
And, more importantly, company executives say, the quality of some of that information has improved.
“We have been getting ‘actionable intelligence’ — extremely helpful feedback that we can implement,” Fehrman said. That is intelligence obtained through U.S. government penetration of adversaries’ systems overseas and enhanced with more information that, for instance, tells companies what threat is really significant, what techniques the hackers are using, what machines they are targeting — sometimes down to make and model — and what defensive actions should be taken as a result.
A major milestone in facilitating some of the cooperation driven by the Ukraine crisis was a congressional mandate that CISA set up a 24/7 center for the real-time sharing of threat information that includes personnel from key industrial sectors as well as from the FBI, the DHS, the NSA and the Energy and Treasury departments. The result was the launch last summer of what CISA Director Jen Easterly named the Joint Cyber Defense Collaborative.
The JCDC has “created a beachhead,” said Tom Fanning, CEO of the energy giant Southern and a member of the Cyberspace Solarium Commission, which recommended the formation of the collaborative. “As we mature the process, it will get better and better and better.”
A major spoke off the JCDC information-sharing hub is the Energy Department’s Energy Threat Analysis Center, created in January to enable companies and the government to jointly analyze threats and develop measures to deal with them.
It will also feed that information back to the JCDC. “If we’re seeing a threat to an energy industrial control system, we certainly want to make sure that information gets out to other sectors like water and chemical, [which] have similar systems,” said Puesh Kumar, director of the department’s Office of Cybersecurity, Energy Security and Emergency Response.
In February, the White House put CISA Executive Director Brandon Wales in charge of an effort to ensure the government can handle a cyberattack from the Russians, including any resulting physical consequences in the public or private sectors.
“On the whole we are more prepared now than ever before,” Wales said.
“Russian malicious cyber actors have posed a high threat to the U.S. government and the critical infrastructure since before the invasion of Ukraine,” he said, “and they will present a threat after this current crisis is resolved.”