Portion of Electric Grid Control

There’s a gap, all right


Yesterday, we talked about the Ukraine and DNC hacks, and noted that Israel has strong programs to combat cyberattacks. Today, we’ll find that US universities are missing the boat - and that our electric grid (power transmission in the US) is at tremendous risk, among other critical infrastructure components.

US universities have still not reacted to our desperate need for cyber technology specialists. Not one of the top 10 computer science programs has a required cybersecurity course - and 3 of them have no offerings at all in the area. (The University of Michigan - #36 - does have that requirement. In the Commonwealth of Virginia, George Mason University has a cyber degree program, as does Virginia Tech.)


So, the recent news that someone has hacked into a Vermont electric utility (Burlington Electric) should not come as a surprise. It was initially thought to be the Russians, using their “famed” (or is that infamous?) Grizzly Steppe attack. But, on further examination, it was found to be a Neutrino attack. (This attack affords a ransomware exploit on the user’s systems.)

Moreover, Burlington Electric avers that it was only one of its laptops - not the grid itself - that was attacked. I, for one, doubt that this was the only target at Burlington (especially since the US grid has ZERO provisions against hacking, relying on simple, commercially available code for its interaction and control).

US officials admit that this attack could either have been a test to see how easily the grid could be hacked - or the first step in utility disruption. (By the way, Burlington has no clue when the incursion first occurred - which also means they have no idea what was compromised!)

In the last seven years or so, malicious software attacks against the US power grid have been launched by China, Russia, and a few other “wonderful” countries. The “BlackEnergy” malware that hit the Ukraine has already been found in the software that controls the US power grid (electric turbines, in particular).

It’s obvious how these systems have been breached: one (or more) dingbat employees opened a fraudulent eMail. That is exactly how so many hospital systems have succumbed to paying ransom, because of their “intelligent” (sic) staffers. There have been at least 15 hospitals that suffered shutdowns due to ransomware. Oh, wait - that’s only during CY 2016. Luckily, the ransom wasn’t elaborate. Let’s also recall the creative hack that allowed passengers using the San Francisco Municipal Transportation Agency (SFMTA) to travel for free for a day or so.

The FBI has reported that ransomware has sucked $1 billion in payments from various entities during 2016.

But, since we are officially talking about our electric grid, let’s consider the Lansing Board of Water and Light, which just paid ransom to get its system back under its control. (Yup. You guessed it. An employee opened an offending eMail.) Lansing BWL utility paid the price, because that was cheaper than replacing what was locked down. And, the real fix - scrubbing all their systems - increased that $25,000 bitcoin payment to some $2.4 million!

We’ve all been told that every power company keeps the business side of its network disconnected from the operational side. (This means there is a so-called “air-gap”.) But, security experts are realizing that this claim is simply a pile of manure. After all, it only takes a keystroke logger to steal the credentials from the business side to obtain control of the industrial control systems (the equipment that controls our power grids).

And, those supposedly new cybersecurity standards adopted in July?  Consider one Israeli cyberexpert’s analysis.  “Compliance is a set of rules, written down so people act according to policies.  But- that doesn’t mean your assets are protected.”

Got your batteries ready?


6 thoughts on “There’s a gap, all right”

  1. I wonder how many of these companies are mandating training for their employees in even simple “this is phishing, this is spear-phishing, this is how you can tell if a link is genuine without clicking on it, when in doubt delete” type training? Or maybe employees should be prohibited from using company email for personal purposes so if they get an email from “UPS” or “Paypal” in their company email, they won’t wonder if it’s legit? IMHO any company that doesn’t have training should get such a program started up quickly. It could become a matter of that company’s survival or even our country’s security. I am NOT a cybersecurity person but I have had some mandated training – it is a must.
