The American Prospect #321


notebook

Holding Electricity for Ransom

The electric grid is a prime target for hackers, but the private companies that dominate the sector often put dollar signs before cyber sense.

By Gabrielle Gurley

10 PROSPECT.ORG JUL /AUG 2021

A cyberattack on the electric grid is the one worst-case scenario that cybersecurity and emergency management professionals fear is imminent. They know that no one, from the utility company executives to the consumers who expect lights on, phones charged, and air-conditioners going full blast, is prepared for a prolonged and catastrophic electric outage. The winter weather-related Texas grid failure previewed what can happen when the electricity stops flowing.

The problem is, in cyberspace, there are no impenetrable systems. Anything designed by humans in the 21st century can be hacked. Most alarming is how private-sector companies fail to pay attention to even the most basic cyber hygiene measures, like backing up computer systems, using multifactor authentication (which requires users to provide two or more types of data to gain access to a network), and devising detailed plans to deal with security breaches.

One reason why: money. Many of the firms contracted to protect computer systems throughout the world have been bought up by private equity, which then cuts costs on R&D, offshores labor, and neglects maintenance in order to extract money for the fund managers, leaving businesses—and potentially critical infrastructure sectors like energy—vulnerable to ransomware attacks.

For example, the Kaseya ransomware attack hit about 1,500 companies just before the Fourth of July weekend and demanded ransoms ranging from $50,000 to $5 million. REvil, the Russia-affiliated collective behind the attacks, offered up a decryption key to unlock all the affected systems across the globe for a cool $70 million in Bitcoin. Managed by Insight Partners, a private equity firm, Kaseya provides IT service management software to large and small companies alike.

While not a ransomware attack, the 2020 SolarWinds hackers breached and exfiltrated data from key federal agencies like the Pentagon by inserting malware into the company’s network monitoring software, which was distributed to users through software updates. SolarWinds is also a private equity–owned firm.

Forbes reported that Colonial Pipeline, another ransomware victim, has links to private equity dealmakers, including the venerable PE firm KKR and a pension fund in Canada. Colonial Pipeline, which moves gasoline, diesel, and jet fuels from the Gulf Coast production hubs to the Eastern Seaboard, failed to use multifactor authentication. The DarkSide group hackers attacked the company’s business systems (and apologized for doing that), and apparently did not go after the operational networks that control the flow of fuels. Company officials decided to pay a $5 million ransom and shut down those systems as a precaution. (The new FBI Ransomware and Digital Extortion Task Force ferreted out $2.3 million of the ransom from a DarkSide Bitcoin wallet.) But hackers don’t even have to shut down operations to create havoc. Panicked drivers drained gas stations in the South dry, even in areas of Florida that do not rely on the pipeline for fuel.

As these examples indicate, too much of the security burden has been placed on companies that are relentlessly focused on their profit motives, not national security. For too many companies, cybersecurity is still perceived as nice to have, but not an essential cost of doing business. Stronger oversight of the energy sector is likely in the offing now that pipelines, a gateway to electricity production, have been exposed as one of the weakest links.

Ransomware attacks strike new targets every few seconds, according to the federal Cybersecurity and Infrastructure Security Agency (CISA). Attacks can be fended off, or at least minimized, with the proper precautions—if companies take them. Most security failures are policy failures, not technology failures, according to Bruce deGrazia, the head of cybersecurity management and policy at the University of Maryland Global Campus. DeGrazia is a “huge fan” of bringing in penetration testers to test a company’s defenses by hacking into its systems. Network segmentation, or keeping IT networks (that handle business functions, for example) separated from operations technology (which powers or controls energy systems), is another way to minimize the damage an intruder can do.

Hackers once focused on attacking individual computers and demanding hundreds of dollars in ransoms. Today, cyber extortion is big business. Criminals go after entire networks, encrypt a company’s data, and demand a ransom before they’ll provide a key to restore control. Often they will “exfiltrate” (copy or transfer) data and follow up with a second demand: Give them more money or they will publish the data.

COVID-19 was a boon for hackers, too. People working from home on their own devices made their job that much easier; there were no institutional firewalls to get through and no savvy co-workers to prod lax colleagues into better cyber hygiene. Before the Colonial Pipeline attack, there was little need for geek-level skills. A motivated individual could order ransomware on the dark web, and, with the right credentials to gain entry, launch an attack against a computer network. (Some groups even offered customer assistance to help out if their malware didn’t work.)
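The IT/OT segmentation deGrazia describes is only as good as the firewall policy that enforces it, so the check a practitioner actually wants is an audit of that policy: does any rule let business-network hosts reach the control network outside a small, explicit allowlist? The script below is an added example written for this page, not code from the article or from any utility; the address plan, the jump-host exception and the sample rule list are all constructed and hypothetical.

```python
"""Audit a firewall rule list for IT-to-OT segmentation gaps.

Added, constructed example. ZONES, ALLOWED_EXCEPTIONS and SAMPLE_RULES are
hypothetical values chosen for illustration, not taken from any real network.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan: business (IT), control (OT) and an intermediate DMZ.
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "OT": [ipaddress.ip_network("10.50.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.30.0.0/24")],
}

# Hypothetical allowlist: only one DMZ jump host may open remote-desktop
# sessions (TCP 3389) into OT. Anything else reaching OT is a finding.
ALLOWED_EXCEPTIONS = {
    (ipaddress.ip_network("10.30.0.5/32"), "OT", 3389),
}


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination port, 0 = any
    action: str   # "allow" or "deny"


def zone_of(net: ipaddress.IPv4Network) -> str:
    """Name the zone that fully contains `net`, or UNKNOWN (e.g. 0.0.0.0/0)."""
    for name, cidrs in ZONES.items():
        if any(net.subnet_of(c) for c in cidrs):
            return name
    return "UNKNOWN"


def rule_violations(rules):
    """Return allow rules that reach the OT zone from outside it without an exception."""
    violations = []
    for r in rules:
        if r.action != "allow":
            continue
        src = ipaddress.ip_network(r.src, strict=False)
        dst = ipaddress.ip_network(r.dst, strict=False)
        # Any overlap with OT counts, so a broad 0.0.0.0/0 destination is caught too.
        if not any(dst.overlaps(c) for c in ZONES["OT"]):
            continue
        # Traffic that originates inside OT is the control network's own business.
        if zone_of(src) == "OT":
            continue
        if (src, "OT", r.port) in ALLOWED_EXCEPTIONS:
            continue
        violations.append(r)
    return violations


def has_default_deny(rules) -> bool:
    """Segmentation needs a final catch-all deny; otherwise unmatched traffic may pass."""
    if not rules:
        return False
    last = rules[-1]
    return last.action == "deny" and last.src == "0.0.0.0/0" and last.dst == "0.0.0.0/0" and last.port == 0


# Constructed sample policy: two good rules, two segmentation gaps, one intra-OT rule, default deny.
SAMPLE_RULES = [
    Rule("10.10.0.0/16", "10.30.0.0/24", 443, "allow"),   # IT -> DMZ web: fine
    Rule("10.30.0.5/32", "10.50.0.0/16", 3389, "allow"),  # jump host -> OT: allowlisted
    Rule("10.10.0.0/16", "10.50.0.0/16", 0, "allow"),     # IT -> OT, any port: gap
    Rule("0.0.0.0/0", "10.50.1.7/32", 502, "allow"),      # anywhere -> one OT host: gap
    Rule("10.50.0.0/16", "10.50.0.0/16", 0, "allow"),     # intra-OT: fine
    Rule("0.0.0.0/0", "0.0.0.0/0", 0, "deny"),            # default deny
]

if __name__ == "__main__":
    for v in rule_violations(SAMPLE_RULES):
        print(f"FINDING: {v.src} -> {v.dst} port {v.port or 'any'} reaches OT outside the allowlist")
    print("default deny present:", has_default_deny(SAMPLE_RULES))
```

Run against the constructed policy, the audit reports the IT-to-OT any-port rule and the world-to-OT rule as findings and confirms the trailing default deny. The design choice worth noting is that the check keys on overlap with the OT zone rather than exact membership, so overly broad destinations are flagged instead of slipping past a zone lookup.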
Although DarkSide and REvil have been taken offline by forces unknown (President Biden has indicated that the United States planned to act), hackers are likely to find other pathways to accomplish their goals.

