Analysis | The Cybersecurity 202: Here’s how Biden’s infrastructure package could address electric grid cybersecurity

“Any infrastructure bill that doesn’t include serious money for grid improvements and grid resilience will miss the objective of a resilient economy because the grid will remain vulnerable,” says Jim Cunningham, executive director of Protect Our Power, a nonprofit focused on grid security.

Cunningham said public power and municipal utilities are particularly under-resourced when it comes to making grid improvements and would benefit from infrastructure funding in the form of grants or loans to make costly improvements. Funds to states and regional grid organizations to hire new talent to better regulate and address the issue would also help improve grid security, Cunningham said.

Lawmakers and experts have long warned that cyberthreats to the grid could create wide-scale disruption and economic devastation. Fears of such an attack have grown since Russian hackers shut down Ukraine’s power grid in 2015, resulting in significant damage.

Although such a catastrophe has yet to occur in the United States, foreign hackers have gone after the United States’ electric grid before. The Department of Homeland Security and the FBI released a report in 2018 that Russian hackers were targeting the U.S. energy sector.

Concerns about foreign hackers have grown in light of two major supply-chain hacks that ensnared not just federal and local governments, but the energy industry as well. SolarWinds, a software breached by Russian hackers in a months-long campaign, is widely used in the power industry.

“Corporate networks weren’t designed to face off against nation state actors,” says Manny Cancel, chief executive officer of the Electricity Information Sharing and Analysis Center, which serves as a central cybersecurity resource for the industry. “It’s not a fair fight.”

The SolarWinds attack highlighted a long-standing concern about the lack of security standards for hardware and software used grid providers. While grid operators have to submit to strict federal regulations, owners and operators are responsible for vetting the cybersecurity of the equipment and software they use.

“I would say the biggest challenge that we have from a cybersecurity perspective on the grid is ensuring that technologies that are used are effectively secured before the asset owners are using them,” says Tobias Whitney, vice president of Fortress Information Security, which works with grid operators and vendors.

Sen. James E. Risch (R-Idaho) suggests that one key to addressing supply-chain issues with the grid is returning manufacturing of some parts back to the United States. 

“Supply issues are critical not just to this industry but all industries,” he says. “We’re way too dependent on other manufacturers that aren’t allies to us.”

Congress has already shown bipartisan enthusiasm for investing the domestic production of semiconductors, a technology key to the grid. Biden’s plan is expected to shore up even more funding for the semiconductor and other industries.

Republicans and progressive Democrats have already expressed opposition to elements of Biden’s package. Securing the grid, however, is an issue that has historically drawn strong bipartisan support. Risch expressed confidence that Congress would work together to address the issue.

“Everyone is committed to this issue,” he said. “I don’t think there’s an exact magic number but it’s certainly going to take resources and Congress to its credit has not been stingy in this regard.”

Energy Secretary Jennifer M. Granholm acknowledged earlier this month that “Biden’s clean energy goals all depend on resilient electrical infrastructure.” The agency has already taken steps to expand its cybersecurity efforts. Earlier this month the Energy Department’s Office of Cybersecurity, Energy Security and Emergency Response announced new research dedicated to supply-chain threats. 

Thousands of emails in the State Department’s Europe and Asia-Pacific bureaus were stolen by suspected Russian hackers last year, congressional sources told Politico’s Betsy Woodruff-Swan and Natasha Bertrand. It is not clear whether the attack is related to the cyberattack on SolarWinds and other software, which also compromised State Department systems and was blamed on Russia. 

It does not appear that classified systems were accessed in the breach. Politico did not report on the contents of the pilfered emails. 

“The Department takes seriously its responsibility to safeguard its information and continuously takes steps to ensure information is protected,” a State Department representative said in a statement. “For security reasons, we are not in a position to discuss the nature or scope of any alleged cybersecurity incidents at this time.” A Russian Embassy representative did not respond to a request for comment.

It’s the first known government contract for Anomaly 6, whose software has been embedded in hundreds of apps, allowing it to track users’ locations, Motherboard’s Joseph Cox reports. The contract came after reports that the Iowa Air National Guard and the U.S. military paid for access to a similar service, Locate X, raising concerns about military access to sensitive data.

“The purpose of the contract was to evaluate the technical feasibility of using Anomaly 6 telemetry services in an overseas operating environment,” U.S. Special Operations Command spokesman Tim Hawkins said. “The evaluation period has ended, and we are not currently executing the contract.”

A security professional working for Ubiquiti, which sells Internet-enabled devices such as cameras and routers, complained to a European data regulator that the company played down the breach, Brian Krebs reports. The company did not respond to requests for comment on the incident, which it had blamed on a “third-party cloud provider.” But the whistleblower said that the company was the real target of the breach, which hit Ubiquiti’s Amazon Web Services databases. 

“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” they wrote in a letter to the European Data Protection Supervisor. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”

Medical professionals with genetics, oncology or neurology backgrounds were targeted in the cyberattack, researchers from Proofpoint said. Hackers used an email account masquerading as an Israeli nuclear physicist to lure their targets into logging on to fake websites. Proofpoint said the attacks were not successful.

The hacking group at the center of the attack specializes in targeting dissidents, government officials and journalists, but it is not clear whether the group’s shift to medical research is a long-term change, the researchers said.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA, is underfunded and exhausted, Politico’s Eric Geller reports. The article immediately drew reactions on social media. Amélie E. Koran, the former chief technology officer at the Department of Health and Human Services’ inspector general: 

Kevin Beaumont, a senior threat intelligence analyst at Microsoft’s threat intelligence division:

The 10 signatories of the letter to top Biden administration officials lauded a bipartisan Senate bill that aims to counter Chinese emerging technology by creating an interagency office to coordinate with foreign allies. Former defense secretary Ash Carter, former director of national intelligence Jim Clapper and former NSA and CIA director Michael Hayden were among the signatories.

Akamai said hackers used the attacks to extort companies to pay up in exchange for stopping the onslaught of traffic. The company said that attackers have been more persistent this year and their attacks have become more targeted.

• Homeland Security Secretary Alejandro Mayorkas discusses cybersecurity at an RSA event today at 1 p.m.
• Former State Department cyber coordinator Chris Painter speaks at an event hosted by the Business Council on International Understanding on April 6 at 10 a.m.
• Rep. Yvette D. Clarke (D-N.Y.), who chairs the House Homeland Security Committee’s cybersecurity subcommittee, speaks at an event hosted by the Cybersecurity Coalition on April 7 at 2:30 p.m.