Attackers hacked Department of Energy 159 times in 4 years

The DOE was attacked 1,131 times in four years; attackers breached the DOE 159 times with 53 of those cyber attacks resulting in root compromises.

Lights on in US at night
Credit: NASA/GSFC

Cyberattackers successfully compromised U.S. Department of Energy computer systems 159 times over a span of 48 months.

After filing a Freedom of Information Act request, USA Today obtained the Energy Department’s Joint Cybersecurity Coordination Center report. Federal records revealed that between 2010 and 2014:

  • The DOE was attacked 1,131 times.
  • There were 159 successful cyber intrusions.
  • 53 of the 159 successful compromises “were ‘root compromises,’ meaning perpetrators gained administrative privileges to Energy Department computer systems.” It is unclear if those DOE computers were office PCs, or if the root compromises were on computers managing critical infrastructure. The DOE is not known for having good operational security habits; after the Inspector General audited the Energy Department last year, the report said 41 DOE servers and 14 workstations “were configured with default or easily guessed passwords.”
  • 90 of the 159 successful hacks “were connected to the DOE's Office of Science, which directs scientific research and is responsible for 10 of the nation's federal energy laboratories.”
  • Over the same 4-year period, “the National Nuclear Security Administration, a semi-autonomous agency within the Energy Department responsible for managing and securing the nation's nuclear weapons stockpile, experienced 19 successful attacks.”

“The potential for an adversary to disrupt, shut down (power systems), or worse … is real here,” stated Scott White, Drexel University Professor of Homeland Security and Security Management and Director of the Computing Security and Technology. “It's absolutely real.”

NSA Chief Admiral Michael Rogers, head of US Cyber Command, said nation states devote a lot of time trying to gain access to the US power grid and other critical infrastructure because those nation states want to have “options and capabilities.”

In a letter (pdf) to the Government Accountability Office, Rep. Don Beyer cited a USA Today investigative report that found 348 physical attacks and 14 cyberattacks had caused power outages between 2011 and 2014. USA Today previously reported that attacks on the power grid happened about once every four days. “More often than once a week, the physical and computerized security mechanisms intended to protect Americans from widespread power outages are affected by attacks, with less severe cyberattacks happening even more often.” Beyer asked the Government Accountability Office to review federal programs aimed at making the grid more resilient.

Although “the electric grid is one of the nation's 16 critical infrastructures,” it “is considered a ‘unique’ critical infrastructure because so many of the other sectors, such as emergency services, communications, water and wastewater systems, financial services, and transportation systems are dependent on uninterrupted access to electricity to operate effectively.” Rep. Beyer added, “When the electric grid goes down, all the other services it enables stop functioning.”

Threats to the power grid

Threats to the power grid come in many flavors besides cyberattacks, as was pointed out when the House Committee on Science, Space and Technology held an oversight hearing to examine vulnerabilities of America’s power supply. It looked at threats to the national electric grid including physical threats, space weather, SCADA, EMP attacks and cybersecurity.

Daniel Baker, professor of planetary and space physics at the University of Colorado Boulder, testified that current technology only gives us a 45-minute heads-up before a solar flare. Electromagnetic energy released in a flare “could cause a disturbance resulting in widespread power blackouts that would disable everything that uses electricity.” He said, “The total economic impact of such an event has been estimated to exceed $2 trillion.”

Of course the Committee mentioned (pdf) cybersecurity. “As the electric grid continues to be modernized and become more interconnected, the threat of a potential cybersecurity breach significantly increases. While there has been no reported cyberattack that has resulted in widespread loss of power, there have been many attempted attacks.” In 2014, the NSA “had tracked intrusions into [industrial control] systems by entities with the technical capability ‘to take down control systems that operate U.S. power grids, water systems and other critical infrastructure’.”

Nadya Bartol, vice president of industry affairs and cybersecurity strategist for the Utilities Telecom Council, testified that legacy electric grid infrastructure “was not designed to be secured because security was not a concern when that infrastructure was implemented.” She added, “It is important to understand that security is a process and will never be completely resolved.”

Utility companies fight off thousands of cyberattackers per month

The DOE may be over the power grid, but you pay a utility company for your electricity every month. Forbes reported that there are “about 5,800 major power plants and 450,000 high-voltage transmission lines in the United States. Because the system is now connected to the outside world through the Internet, it has become subject to evermore attacks. Roughly 85% of that infrastructure is owned by private entities, which maintain that they have an inherent interest in protecting their assets from outside hazards.”

Those companies are also being hammered by cyberattackers. As an example, Forbes said, “Xcel Energy is successfully fending off thousands of would-be attackers a month. A lot of other power companies are doing the same.” Utility companies protect grid operations with “everything from frequent password changes to periodic patches to firewalls and upgrades. But it’s a never-ending battle. Setting priorities by identifying high-value assets and then restricting access is a good start, all while ensuring employees are well-trained and well-vetted.”

Live off the grid

If you are one of those people who like to be prepared for any potential emergency, like the grid going down, you could always live off the grid in an egg-shaped Ecocapsule.

Ecocapsule Nice Architects

Slovakian group Nice Architects designed the 14.5-foot portable pod to generate its own clean energy from the sun and wind; 600-watt solar cells cover the roof, it has a retractable 750-watt wind turbine and it even collects rainwater. Popular Science added that the pod’s central computer can be controlled via a mobile device; if there is a shortage of wind or sun, the pod’s brain might suggest adjusting the temperature. If a sustainable tiny house appeals to you, Ecocapsules will be available in 2016 so you can live off the grid.
