Last week cybersecurity firm Symantec released a report on what it calls Dragonfly 2.0—a collection of intrusions into industrial and energy-related organizations worldwide. For the last six years, the Dragonfly intrusions and others have regularly gone deeper into the operational networks that control elements of America’s power grid.
These adversaries had access to the networks that operate the industrial equipment used to power our country. That sounds scary. But the belief pushed by governments, Hollywood movie scripts, and media headlines for years—that we are standing on the brink of cyber-induced blackouts and mass chaos—is misinformed. Our adversaries are at the starting point of their journey to cause significant disruption to our power grid, not the finish line.
Cause for concern is, of course, understandable, especially after the recent attacks on Ukraine’s power grid. In December 2015 an adversary group known as Sandworm caused the first known case of power loss due to a cyber attack. The team repeated the attack a year later. In both cases, the attackers showed in-depth knowledge of industrial equipment and operations.
At the same time, the Ukraine example doesn’t perfectly mirror the potential threat in the U.S. First, we don’t know how deep of an understanding the Ukraine attackers had of that power grid and how that activity directly compares to what the Dragonfly group is learning about our grid systems. Second, the six hours of outages caused in Ukraine is not enough to qualify as a full-blown crisis.
Lastly, America’s power grid infrastructure is more complex than Ukraine’s; while what happened in Ukraine absolutely could happen in the U.S., it’d be more difficult. In reality “the grid” is a complex and resilient network of hundreds of companies and public utilities that operate and manage disparate but connected infrastructure, including diversified generation sources, alternate routes, and systems designed to reduce the potential for outages and reduce the impact when they occur. People need to look no further than recent hurricanes like Irma and Harvey to see the resiliency of America’s power systems and the women and men operating them. To put it simply, disrupting a few power sites is easier than people would like to admit, but designing an attack to impact the grid in any considerable way is significantly challenging. Blackouts caused by Dragonfly 2.0 are not realistic.
Of course, this all doesn’t mean we shouldn’t take threats seriously. There’s proof an adversary is on its way to developing an attack, although they have not shown the intent to use it, and this demands our attention. However, any belief that power grids are a fragile system in which gaining access is the hardest step is wrong and highly misleading.
The deeper concern is that a disruption or attack could have serious international consequences, potentially causing armed conflict in an extreme case. Governments are already worried about attacks on electric grids, and in geopolitically tense times, we can’t predict how they’d react to an intrusion. If an attack were to occur with physical infrastructure involved, the accusations could get very serious very quickly.
Understanding the nuance of the threats we face can inspire us to take better precautions—and that is important. But fear will drive the wrong responses. We have to remember that adversaries determined to harm America have just begun their path down a long and challenging road.
Robert M. Lee is the CEO and founder and Sergio Caltagirone is the director of threat intelligence at Dragos. Follow them on Twitter@RobertMLee and @cnoanalysis.