While these hackers haven't caused the kind of blackouts that the intelligence community is afraid of, many of them have stowed away data that would allow them to strike at will. The Department of Homeland Security has made it known that they're aware of attacks like this, but they've been fairly consistent in not doing anything about it.
And the Department of Homeland Security announced about a year ago that a separate hacking campaign, believed by some private firms to have Russian origins, had injected software with malware that allowed the attackers to spy on U.S. energy companies.
“You want to be stealth,” said Lillian Ablon, a cybersecurity expert at the RAND Corporation. “That's the ultimate power, because when you need to do something you are already in place.”
The hackers have gained access to an aging, outdated power system. Many of the substations and equipment that move power across the U.S. are decrepit and were never built with network security in mind; hooking the plants up to the Internet over the last decade has given hackers new backdoors in. Distant wind farms, home solar panels, smart meters and other networked devices must be remotely monitored and controlled, which opens up the broader system to fresh points of attack.
Hundreds of contractors sell software and equipment to energy companies, and attackers have successfully used those outside companies as a way to get inside networks tied to the grid.
Attributing attacks is notoriously tricky. Neither U.S. officials nor cybersecurity experts would or could say if the Islamic Republic of Iran was involved in the attack Wallace discovered involving Calpine Corp., a power producer with 82 plants operating in 18 states and Canada.
Private firms have alleged other recent hacks of networks and machinery tied to the U.S. power grid were carried out by teams from within Russia and China, some with governmental support.
Even the Islamic State group is trying to hack American power companies, a top Homeland Security official told industry executives in October.
Homeland Security spokesman SY Lee said that his agency is coordinating efforts to strengthen grid cybersecurity nationwide and to raise awareness about evolving threats to the electric sector through industry trainings and risk assessments. As Deputy Secretary Alejandro Mayorkas acknowledged in an interview, however, “we are not where we need to be” on cybersecurity.
That's partly because the grid is largely privately owned and has entire sections that fall outside federal regulation, which experts argue leaves the industry poorly defended against a growing universe of hackers seeking to access its networks.
As Deputy Energy Secretary Elizabeth Sherwood Randall said in a speech earlier this year, “If we don't protect the energy sector, we are putting every other sector of the economy in peril.”
THE CALPINE BREACH
The AP looked at the vulnerability of the energy grid as part of a yearlong, AP-Associated Press Media Editors examination of the state of the nation's infrastructure. AP conducted more than 120 interviews and examined dozens of sets of data, government reports and private analyses to gauge whether the industry is prepared to defend against cyberattacks.
The attack involving Calpine is particularly disturbing because the cyberspies grabbed so much, according to interviews and previously unreported documents.
Cybersecurity experts say the breach began at least as far back as August 2013, and could still be going on today.
Calpine spokesman Brett Kerr said the company's information was stolen from a contractor that does business with Calpine. He said the stolen diagrams and passwords were old — some diagrams dated to 2002 — and presented no threat, though some outside experts disagree.
Kerr would not say whether the configuration of the power plants' operations networks — also valuable information — remained the same as when the intrusion occurred, or whether it was possible the attackers still had a foothold.
According to the AP investigation, the hackers got:
—User names and passwords that could be used to connect remotely to Calpine's networks, which were being maintained by a data security company. Even if some of the information was outdated, experts say skilled hackers could have found a way to update the passwords and slip past firewalls to get into the operations network. Eventually, they say, the intruders could shut down generating stations, foul communications networks and possibly cause a blackout near the plants.
—Detailed engineering drawings of networks and power stations from New York to California — 71 in all — showing the precise location of devices that communicate with gas turbines, boilers and other crucial equipment attackers would need to hack specific plants.
—Additional diagrams showing how those local plants transmit information back to the company's virtual cloud, knowledge attackers could use to mask their activity. For example, one map shows how information flows from the Agnews power plant in San Jose, California, near the San Francisco 49ers football stadium, to the company headquarters in Houston.
Wallace first came across the breach while tracking a new strain of noxious software that had been used to steal student housing files at the University of California, Santa Barbara.
“I saw a mention in our logs that the attackers stored their malware in some FTP servers online,” said Wallace, who had recently joined the Irvine, Calif.-based cybersecurity firm Cylance, Inc., fresh out of college. “It wasn't even my job to look into it, but I just thought there had to be something more there.”
Wallace started digging. Soon, he found the FTP servers, typically used to transfer large numbers of files back and forth across the Internet, and the hackers' ill-gotten data — a tranche of more than 19,000 stolen files from thousands of computers across the world, including key documents from Calpine.
Before Wallace could dive into the files, his first priority was to track where the hackers would strike next — and try to stop them.
He started staying up nights, often jittery on Red Bull, to reverse-engineer malware. He waited to get pinged that the intruders were at it again.
Months later, Wallace got the alert: From Internet Protocol addresses in Tehran, the hackers had deployed TinyZbot, a Trojan horse-style of software that the attackers used to gain backdoor access to their targets, log their keystrokes and take screen shots of their information. The hacking group, he would find, included members in the Netherlands, Canada, and the United Kingdom.
The more he followed their trail, the more nervous Wallace got.
According to Cylance, the intruders had launched digital offensives that netted information about Pakistan International Airlines, the Mexican oil giant Pemex, the Israel Institute of Technology and Navy Marine Corps Intranet, a legacy network of the U.S. military. None of the four responded to AP's request for comment.
Then he discovered evidence of the attackers' most terrifying heist — a folder containing dozens of engineers' diagrams of the Calpine power plants.
According to multiple sources, the drawings contained user names and passwords that an intruder would need to break through a firewall separating Calpine's communications and operations networks, then move around in the network where the turbines are controlled. The schematics also displayed the locations of devices inside the plants' process control networks that receive information from power-generating equipment. With those details, experts say skilled hackers could have penetrated the operations network and eventually shut down generating stations, possibly causing a blackout.
Cylance researchers said the intruders stored their stolen goods on seven unencrypted FTP servers requiring no authentication to access details about Calpine's plants. Jumbled in the folders was code that could be used to spread malware to other companies without being traced back to the attackers' computers, as well as handcrafted software designed to mask that the Internet Protocol addresses they were using were in Iran.
Circumstantial evidence such as snippets of Persian comments in the code helped investigators conclude that Iran was the source of the attacks.
The full extent of the attacks on the grid and what damage they've caused isn't public knowledge. The Department of Justice says that the FBI doesn't actually keep any record of how often cyber attack cases are prosecuted. The lack of information is just as frightening as how vulnerable we are to these types of attacks. It almost makes you wonder if the government is hiding something.
The reality is that our power grid is completely vulnerable and our government is doing little about it. Watch this report by Fox's Judge Pirro on this threat that has the potential to kill 90% of the American population.