March 29, 2018
By Gino Harel and Catherine Varge of Survey
In December 2015, some 225,000 households were deprived of electricity in Ukraine. A year later, it was the turn of a part of the capital, Kiev, to be plunged into darkness. These two failures are far from trivial: they were caused by acts of hacking.
"In Ukraine, I think it was a clear signal in the industry," says Johanne Duhaime, Vice President of Information Technologies and Communications at Hydro-Québec.
For several years now, Hydro-Québec has relied on a team to maintain a cybersecurity watch. The events in Ukraine prompted the company to step up its defensive measures.
"We have started to put plans in place to increase our monitoring center, to 24/7 [...] accelerate the modernization of our infrastructure to protect us more," said Ms. Duhaime.
Behind the 2015 operation in Ukraine, cybersecurity experts identified a family of malware called BlackEnergy, but were unable to trace the perpetrators. The 2016 attack was also studied by computer security experts. ESET determined that this attack was carried out using new software called Industroyer, which is able to remotely control the industrial control systems of electrical infrastructure.
Hydro-Québec's experts have to deal with hundreds of computer security incidents every year. Intrusion attempts using malicious emails, for example, occur regularly.
Hydro-Québec also tests its employees using booby-trapped messages. Some people get caught, admits Johanne Duhaime, but their number is decreasing.
"We do a lot of work on human behavior and education [...] People tend to call and say, 'I got an email, it's suspicious, is that okay?'" she says.
It could also happen that an employee inserts a personal USB key into a company computer, which can also pose a risk.
Hydro-Québec says that it has not experienced any cyberintrusion in its systems.
Johanne Duhaime said that her team pays particular attention to Internet traffic from certain countries, such as Ukraine, Russia or Korea. "When there are elements where we see that there are IP addresses that come from these countries, we tend to be more vigilant [...] We will rather be more proactive and perhaps block the source of these requests at source," she says.
It happens less than 10 times a year, she says.
One billion threats
During testimony before the Standing Committee on Public Safety and National Security on March 22 in Ottawa, the head of the Communications Security Establishment Canada (CSE) revealed the extent of the cybersecurity challenges that her agency faces.
"We are now blocking more than a billion malicious attacks aimed at compromising government systems, on average every day," said Greta Bossenmaier, head of the CSE.
These numerous incidents target Government of Canada networks and range from a simple reconnaissance exercise to check for vulnerabilities in systems to actual attempts to exploit vulnerabilities, or to install malware.
The last federal budget provides $507 million for dedicated measures over the next five years, including the creation of a Canadian Cyber Security Center. Ottawa is also scheduled to announce its new national cyber security strategy in the near future.
Last fall, the cybersecurity company Symantec revealed the presence of other malicious software in computers of power companies in the United States. The group identified behind these intrusions is called Dragonfly.
The FBI and the US Department of Homeland Security confirm they have identified victims of cyberintrusions in the energy field, including the nuclear sector. Hackers have also been able to penetrate aviation, water and other manufacturing networks.
According to Symantec, Dragonfly's phishing emails were also spotted at three organizations in Canada, but it was not possible to confirm any intrusions.
In the United States, the operation reportedly allowed the attackers to break into the networks of small commercial facilities, including through targeted infected emails. Their long-term goal is said to be to use these smaller networks to reach larger targets. Experts believe they have already managed to position themselves to carry out sabotage.
"For the past two years, we have seen our opponents become more interested in the ways of harming [our] systems. Their techniques have developed," says the head of cybersecurity at the Department of Homeland Security, Jeanette Manfra.
Ms. Manfra manages a team located in an office building in downtown Arlington, Virginia. The team runs an operations center that is at the heart of computer security throughout the United States: the National Center for Cyber Security and Communications Integration.
"The operations center is analyzing cyber incidents that are reported daily by various government agencies and private sector companies in the United States," she says.
Ms. Manfra estimates that 10,000 incidents were reported to her center in the last three months alone.
There is exponential growth in the number of devices and organizations whose networks are connected to the Internet. This creates many vulnerabilities that criminals seek to exploit.
On March 15, the United States announced a new series of sanctions against Russia, accusing the country of two forms of cyber-interference in the United States: attempts to destabilize the electoral process in 2016 and computer attacks on critical infrastructure. According to Russian news agencies, Moscow considers these accusations unfounded and is now preparing its own retaliatory measures in response to the sanctions.
Hydro-Québec is reassuring
Even though the number of Internet-connected devices is constantly growing, Hydro-Québec points out that it has a feature other electric companies lack for preventing hacker attacks on its systems: its own telecommunications network to support its electrical mission.
The risks of intrusion are lower, are almost zero, because it's just us who are on the network [...] We control our entire environment.
Johanne Duhaime, Vice President of Information Technologies and Communications, Hydro-Québec
"We are in a good position," adds Ms. Duhaime. "That does not mean that we are safe and that there is zero risk [...] In cybersecurity, we must never say that we are at zero risk."
While the energy sector in the United States is clearly in hackers' sights, industry representatives point out that power grid operators have standards to meet, including for cybersecurity. They are established by the North American Electric Reliability Corporation (NERC). Hydro-Québec is subject to them.
The US electricity sector is made up of a multitude of private companies, but also more than 2,000 utilities that produce or distribute electricity in markets large and small.
John Di Stasio is the president of an organization that brings together the 26 largest public utilities in the United States. According to him, the standards in place would probably have prevented the kind of breakdowns that occurred following the cyberattacks in Ukraine in 2015 and 2016.
"Our standards require us to provide multiple layers of protection that did not exist in Ukraine," he says.
In this game of cat and mouse between the attackers and defenders of power grids, Mr. Di Stasio believes that the industry has made some progress.
I think we have gained ground. However, we cannot predict what lies ahead or what the nature of the threats will be or what they will target.
"These threats are evolving and all we can do is remain vigilant and continue to do the things that work to defend us from known threats," concludes Di Stasio.