“A green energy policy means you're going to have a lot of energy resources, a lot of renewables. We haven't really fully thought through what the cyber risk of that means to our national security,” says Lee, chief executive and founder of Dragos, a cybersecurity firm specializing in critical infrastructure. The committee is working on recommendations for how to get ahead of those concerns, he says.
The threat isn’t hypothetical. Iranian hackers have been probing American electric utilities and oil and gas firms for vulnerabilities, Dragos said in January. Hackers have unleashed more devastating consequences elsewhere. Last year the United States charged six Russian intelligence officers in connection with a 2015 cyberattack that disrupted Ukraine's power grid — the first known cyberattack to cause a power outage.
Congress is taking notice. Just this summer, a bipartisan congressional commission identified an attack on the U.S. electric grid as one of several potential cyberattacks that could cause a national emergency.
Electric and gas companies are also grappling with the issue, especially as remote work spurred by the coronavirus creates more opportunities for attacks. Dragos itself announced today a new $110 million round of funding, co-led by National Grid Partners and Koch Disruptive Technologies, the largest round of funding raised for a company focused on cybersecurity for industrial control systems and operational technology.
I spoke with Lee about the need for global grid resilience, how coronavirus has changed the threat landscape and what the government can learn from the private sector. Here's our conversation, edited for length and clarity.
Cybersecurity 202: A big part of your new investment is expanding your international business. Why the focus on global scale?
Lee: When you talk about the large industrials, not just electric providers, but manufacturers of oil and gas, rail, etc., most of them don't view themselves as an American company. These are global companies.
There are plenty of electric companies that are pretty local and take care of your state or your infrastructure. For them, the big value of an international partner is understanding, “What are the threats doing other places and how can we learn from that?”
The concept here is, “I don't want everybody to get punched in the face to learn a lesson.” We want to observe one person get punched in the face. And as a community, we all go, “Okay, here's how you dodge that punch.”
What will the threat landscape look like for electric companies in 2021?
Every single year we get more threats. But we don't see this kind of massive shifts in the landscape too often. And one of the things we are seeing that is a massive shift for these organizations is this concept of the digital transformation.
What covid did is it started showing people that they could get hyper-connectivity down to the plants. You have people working and you can have people operating the plants remotely, et cetera. That's increasing the attack surface.
At the same time, we have ICS-specific threats. Today, we're tracking 14 different state teams that explicitly target industrial control systems. That's unheard of in comparison to even just five years ago.
Why have industrial systems and the electric grid become such a popular target for hackers?
From an adversary perspective, sure, there's political motivations and geopolitical and the kind of policy-focused stuff. But if you're looking at any of these companies, there's a ton of intellectual property.
And that intellectual property is ripe for theft out of those environments. So we see a ton of espionage focused-type activity to all these companies. And again, I'll say it's not that it's all new. It's that we weren't even realizing this was taking place. And as we started getting in these environments and getting visibility and monitoring, it became abundantly clear that more people are victims than they realized.
You were recently named vice chair of the Energy Department's Grid Resilience for National Security (GRNS) subcommittee. What are some of the issues you're working on?
The government has a tendency to talk at industry instead of talking with industry. Our work is looking at the partnerships and going, “Okay, let's stop talking at industry.” How can we use a subcommittee of experts from industry to partner with these power companies and figure out what they need out of the deal and how we can get to it together?
The other issue we're looking at is the digital transformation of our energy portfolio, the same kind of themes of what are we doing for the next generation of our electric infrastructure.
And the second thing we're looking at is specifically around black start capability. As you look at national security, it's not just in preventing attacks, but it's understanding how to get back up and going if an attack occurs. And if you can minimize the impact of the attack, it actually doesn't benefit the adversary as much to even conduct the attack.
If you look back at 2015 attack in Ukraine when they had electric outages and how to get back up and going, it seems like it might be easier than it is. But it's extraordinarily difficult and different when you talk about the United States, which is much larger and regional. We have a completely different approach to our electric infrastructure and workforce development and level of automation similar, which just adds a lot of complexity.
The House is poised to pass the annual defense authorization bill today.
Republican lawmakers are hoping to make a strong showing in an effort to dissuade Trump from vetoing the $741 billion in funding, Karoun Demirjian reports.
“The stronger the vote, the less chance of having to deal with a veto later,” Rep. Mac Thornberry (R-Tex.), the top Republican on the House Armed Services Committee, told reporters Monday.
Trump promised to veto the billion-dollar annual defense policy bill if it doesn't include a repeal of a key legal shield for the tech industry. The veto could also hold up significant funding for cybersecurity.
The House and Senate both passed versions of the defense bill in a veto-proof majority over the summer, a feat both chambers could repeat. But Trump could still complicate their efforts by refusing to sign the bill before Congress ends its session.
A new text-messaging system to provide real-time warnings about covid vaccine side effects could be vulnerable to bad actors.
The tool is raising alarm among some health-care providers and public health workers, Lena H. Sun and Isaac Stanley-Becker report. Safeguards are in place to prevent malicious actors from using the tool to spread false information, but fake reports could eat up time investigating real ones, two federal officials told Lena and Isaac.
The system will be shared with early-vaccine recipients so that they can report systems for monitoring. But the system could be accessed by anyone with the QR code given to patients. Bad actors could then use the system to spread fake reports.
“With any widely available technology, there’s an opportunity for people to use spoofing and other nefarious techniques,” said Ed Simcox, who left his post as chief technology officer at the Department of Health and Human Services in February. “That would undermine what is so potentially valuable about this system — going directly to patients, or citizens, to get their feedback about multiple vaccines administered in diverse settings.”
The platform “is in the final stage of development, which includes security testing,” the Centers for Disease Control said in a statement.
Trump asked Pennsylvania's House speaker to help overturn Biden's win in the state.
The calls from Trump make Pennsylvania the third state where Trump has personally interceded in an effort to reverse his loss, Amy Gardner, Josh Dawsey and Rachael Bade report. The president made baseless claims of voting irregularities on the call.
House Speaker Bryan Cutler told President Trump that the legislature had no power to overturn its electors, his spokesman said.
Yet Cutler is one of 60 Republican state lawmakers who urged Pennsylvania's members of Congress to reject the state's decision. The Trump campaign and the president's allies have lost numerous legal challenges in the state.
Russian hackers are going after VMware products, the National Security Agency warns.
The NSA urged organizations to apply a patch provided by the company on Saturday “as soon as possible,” Christopher Bing at Reuters reports. The weakness in the software could allow hackers to access the system commands remotely, leaving them free to steal or corrupt data. Hackers would need to gain a stolen password first, VMware said.
More cybersecurity news:
- The Atlantic Council will hold an event on the incoming U.S. administration and the future of supply chains in the Americas on Dec. 9 at 2 p.m.
Secure log off
Charles E. “Chuck” Yeager, a military test pilot who was the first person to fly faster than the speed of sound and live to tell about it, died Dec. 7. He was 97.