The Hack That Wasn’t: What We Can Learn from the Recent Burlington Electric Incident
By Will McNamara, Director, Security, Risk & Resilience, Black & Veatch
Over the holidays, you may have heard the national news story reporting a cybersecurity breach of the electric system of Burlington Electric, which serves approximately 19,000 customers in Vermont. While the facts ultimately revealed this was a non-event, the panic that struck other utilities across the country was palpable.
What Really Happened?
Burlington Electric was not hacked. Information now available shows that a utility employee used a company laptop to access their personal email account. This activity triggered an alert indicating the laptop had connected to a suspicious IP address. Concluding that some of the Internet connections appeared to be linked to reported malicious cyber activity by the Russian Intelligence Service (RIS), Burlington Electric did exactly as it is required to do and informed federal authorities of the potential security breach on 30 December 2016.
The link to RIS was a particularly hot and timely topic. Not even 24 hours before Burlington Electric notified authorities of the potential breach, the Department of Homeland Security and the Federal Bureau of Investigation issued their Joint Analysis Report (JAR) detailing the tools and infrastructure used by the RIS to infiltrate networks associated with the recent U.S. election. This was also the same day the Obama administration announced sanctions against nine individuals and organizations in Russia for hacking the Democratic National Committee and the Democratic Congressional Campaign Committee.
Soon after Burlington Electric notified authorities, a reporter with The Washington Post received an anonymous tip that a malicious cyber-attack on the electric grid had occurred at an unnamed utility in Vermont. Hysteria briefly ensued, forcing Burlington Electric to issue a news release to correct the public record.
Key Takeaways from the Event
Hacking is a real threat: There are many real examples that we can use to demonstrate the scope and severity of damage caused by hacking. Electric companies in Ukraine have experienced some of the most severe impacts from hacking, including outages in hundreds of cities due to a malware attack in 2015. In December 2016, a power distribution station near Kiev unexpectedly switched off, damaging 200 megawatts of capacity and creating power outages across the northern part of the capital city. Most importantly, hacks can come from anywhere, not just specific foreign entities.
Protecting utility networks is critical: Utility assets are highly distributed and increasingly connected. Building and enhancing your network architecture based on industry standards provides predictable and manageable surfaces to monitor and defend. It truly is the first line of defense against a cyber-attack (see previous post by my colleague, Mike Prescher, on the role of network architecture).
Vigilance and proactive, coordinated preparations are essential: Most power utilities are compliant with regulatory standards for protecting the bulk electric system. However, vulnerabilities exist beyond the scope of these regulations, and a coordinated, multi-tiered security risk framework is essential for proactively mitigating risks across the entire utility enterprise.
The Burlington Electric incident illustrates an array of issues that utilities will continue to face in 2017. These issues include the need for continued investment to reduce risk and mitigate potential security threats, improved communications between utilities and the federal government, and the important realization that an attack can come from any place at any time.
Admiral Michael Rogers, National Security Agency and U.S. Cyber Command Chief, famously stated, “It’s not a matter of if, but when, attackers target U.S. power systems.” So, while the Burlington Electric incident was actually a non-incident, the point remains that vigilance and preparation are key to defending critical infrastructure.