Foreign adversaries continue to hone their cyber threat strategies against the North American bulk power system, cybersecurity experts told the Midwest Reliability Organization’s (MRO) Annual Member and Board of Directors Meeting on Thursday.
“The bad guys have not taken the pandemic off; they’ve seen it as an additional opportunity to exploit or do more harm to the sector,” said NERC Senior Vice President Manny Cancel, the CEO of the Electricity Information Sharing and Analysis Center (E-ISAC).
Cancel joined Joel Max, energy sector and control systems lead at the FBI’s Cyber Division, to brief MRO’s members and directors on the current threat landscape and the government’s efforts to help utilities fight back.
Iran Tensions Lead Immediate Concerns
According to Max, the most prominent state-backed cyber threats against the BPS continue to originate from Iran, Russia and China.
Iran seemed to loom large in the minds of several attendees at the meeting, who asked about the likelihood of threats originating from recent tensions between it and Israel, which is believed to have been behind the assassination of Iran’s top nuclear scientist Mohsen Fakhrizadeh on Nov. 27. Similar fears arose after the U.S. drone attack that killed Iran’s Maj. Gen. Qassem Soleimani on Jan. 2. (See Iran Cyber Threat Increasing, Experts Say.)
Max acknowledged that Iran is known to have the capability for “localized, temporary disruptive effects against corporate networks”; the 2012 attack on Saudi Arabia’s national oil company Saudi Aramco is believed to have been carried out by hackers backed by Iran. Iran is also believed to have carried out damaging cyber operations within the U.S., targeting the tourism and financial services sectors, along with gaining access to the supervisory control and data acquisition system for the Bowman Avenue Dam in Rye, N.Y.
While Max assured attendees that “we don’t have any indication of [an] imminent [threat],” he reminded them that this is a “time of turbulence,” with both the ongoing COVID-19 pandemic and the transition to a new U.S. presidential administration creating distractions that adversaries may want to take advantage of. Entities must remain vigilant for any opportunistic actions, he said.
Spies and Saboteurs Probing Weaknesses
Like Iran’s, Russia’s cyber activities targeting the U.S. energy sector include both “reconnaissance [and] future attacks,” Max said. He reminded participants that Russian hackers have gained access to networks used by both large and small players in the energy sector, gaining success in recent years by finding weak links among vendors or service providers that have not put in the same level of effort as utilities themselves.
“The way you get to the bigger fish is by going through the smaller ones, who may not have the same resources or cybersecurity posture as your company,” he said, noting that even “a vendor that only supplies one piece of software [or] does some sort of maintenance on your system” could provide an entry for a determined and patient intruder.
China, too, appears to have built a highly successful clandestine operation for finding and exploiting weak points in supply chain networks. Unlike Iran and Russia, the nation’s intentions toward the U.S. grid seem primarily focused on industrial espionage rather than sabotage. Max listed renewable energy technology as a key focus for Chinese hackers, reflecting the renewable energy priorities laid out in the Chinese government’s 13th Five-Year Plan.
Feds Seek to Make Hackers Hurt
Max said the U.S. government is taking an active role in combating cyberattacks through a program of “imposing risk and consequence on the adversaries.” This approach includes actions against individuals, such as the indictment earlier this year of six Russian military intelligence officers for attacks against the Ukrainian power grid in 2015 and 2017. (See Six Russians Charged for Ukraine Cyberattacks.)
Max said sanctions against organizations can also be effective tools. In October, the Treasury Department announced economic sanctions against Russia’s “State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM).” The government-backed institution is believed to be behind the Triton malware that corrupted industrial control systems at a petrochemical facility in the Middle East in 2017 and was accused of targeting at least 20 electric utilities in the U.S. last year.
Chinese organizations believed to support the government’s cyberespionage campaigns have also been targeted. Most prominent among these is Huawei Technologies, indicted in New York in February for conspiring to steal trade secrets from U.S. companies. Huawei makes a wide range of technology products for both consumers and businesses and has been the target of several warnings and inquiries this year, including a Notice of Inquiry from FERC. (See FERC Opens Supply Chain Cyber Risk Inquiry.)
“If we as the FBI can impose consequences on the adversaries, we’re hoping that that deters activity against you as U.S. companies, but also makes it more difficult [and costly] for an adversary … to undertake any sort of attack against your systems or your assets,” Max said.