Russian cyberattack on US power grid meant to be show of power, researchers working to thwart the next one

When the Russians hacked into the U.S. power grid last week, demonstrating their ability to shut down the system, Americans learned just how vulnerable we are to enemy cyberattack.

According to a report released by the Department of Homeland Security March 15, Russian operatives gained access to American electric, nuclear, water, aviation, and critical manufacturing sectors.

“The intent of the attack is clear,” said Robert Knake, a senior research scientist with Northeastern’s Global Resilience Institute. “This was not economic espionage, nor were they trying to understand how our power grid works so they can replicate it. Their goal was to show they’re capable of taking down our power grid.”

Knake served for four years as director of cybersecurity policy at the National Security Council before coming to Northeastern.

“An attack like this has long been expected,” he said. “My view is that nobody should be surprised.”

The buildup

Knake said there has been a steady escalation of cyberattacks over the past year, including the December 2016 Russian cyberattack that shut down a fifth of all power generated in Ukraine.

“One of our biggest mistakes was not to immediately realize this would be their playbook for overseas,” he said. “We knew they were trying to interfere in our election, but we assumed that attacking our power grid was a line they wouldn’t want to cross.

“Clearly they don’t fear engaging in this kind of hostile action and are, indeed, preparing for it,” he added.

The international aggression escalated last summer when hackers gained control of a Saudi chemical plant with plans to cause an explosion that would have released a cloud of deadly chemicals. The New York Times reported that the plan failed only because of a minor error in the attacker’s computer code. It was particularly concerning, the Times noted, because the plant relied on American-engineered computer systems that are used all over the world—so the attack could be replicated in other countries.

What we’re doing about it

Two of Northeastern’s leading research institutes—Cybersecurity and Global Resilience—are hard at work on the issue.

At the Global Resilience Institute, Knake is working to develop a Critical Infrastructure Network (CInet), designed to move our critical systems off the public internet. CInet would be a separate internet for key infrastructures—electricity, water, transportation—that would operate similar to the specialized internet used for national security communication.

“We need to make it harder to mount this kind of attack,” Knake said. “With a specialized network, a successful hack would require an insider, which is harder to carry out and easier to detect.”

At the Cybersecurity and Privacy Institute, professor Engin Kirda is developing artificial intelligence systems that will speed the detection of hacking attempts.

“We need to automate detection because the number of cyberattacks is rising,” he said. “Right now it takes up to six months to detect a complicated hack manually. We’re developing ways to use machine learning to automatically detect anomalous patterns.”

In addition to using AI to alert security personnel that an attack may be in progress, he is also developing technology to detect malware in malicious emails.
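The kind of automated anomaly detection Kirda describes can be illustrated with a small statistical detector. The following Python block is an added example, not code from Kirda’s institute or any Northeastern project: it parses constructed network log lines (the log format, the host name `hmi-01` and the addresses are all invented for this illustration), counts each host’s outbound connections per hour, and flags hours whose count deviates sharply from that host’s own baseline using a robust z-score (median and median absolute deviation), which keeps a handful of noisy hours from inflating the threshold.

```python
"""Added example: robust per-host hourly connection-rate anomaly detector.

Not the system described in the article; a self-contained illustration of
flagging unusual activity from log lines. All sample data is constructed.
"""
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed log format: "<ISO timestamp> <src_host> -> <dst_ip>:<port>"
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} (\S+) -> (\S+):(\d+)$")


def parse_line(line):
    """Return (hour_bucket, host, dst_ip, port) or None for malformed lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hour, host, dst, port = m.groups()
    return hour, host, dst, int(port)


def hourly_counts(lines):
    """Aggregate lines into host -> {hour_bucket: connection_count}."""
    counts = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the expected format
        hour, host, _, _ = parsed
        counts[host][hour] += 1
    return counts


def robust_z(value, values):
    """Modified z-score: 0.6745 * (x - median) / MAD, resistant to outliers."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # Every baseline hour is identical; any deviation at all stands out.
        return float("inf") if value != med else 0.0
    return 0.6745 * (value - med) / mad


def find_anomalies(lines, threshold=3.5):
    """Return (host, hour, count, z) for hours far above the host's baseline."""
    alerts = []
    for host, per_hour in hourly_counts(lines).items():
        values = list(per_hour.values())
        for hour, n in sorted(per_hour.items()):
            z = robust_z(n, values)
            if z > threshold:
                alerts.append((host, hour, n, round(z, 1)))
    return alerts


def constructed_sample():
    """Build a constructed day of logs: a quiet baseline plus one unusual hour."""
    lines = []
    for h in range(24):
        # hypothetical HMI host normally talks to one PLC 3-4 times an hour
        for i in range(3 if h % 2 else 4):
            lines.append(f"2018-03-14T{h:02d}:{i * 10:02d}:00 hmi-01 -> 10.0.5.20:502")
    # during hour 02 the same host opens a burst of connections (constructed)
    for i in range(40):
        lines.append(f"2018-03-14T02:{i:02d}:30 hmi-01 -> 10.0.5.{30 + i}:502")
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    for host, hour, n, z in find_anomalies(constructed_sample()):
        print(f"ALERT {host} {hour}: {n} connections (robust z={z})")
```

Running the block prints one alert for `hmi-01` during hour 02 of the constructed day. The per-host baseline matters: an absolute threshold tuned for a busy server would never fire for a normally quiet control-system host, which is exactly where a deviation is most informative.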

But Kirda, who has a joint appointment to the College of Engineering and the College of Computer and Information Science, cautioned that cybersecurity is more than a tech problem.

“It’s also a social, educational, and management problem,” he said. “Awareness is extremely important.”

For example, the Russian attack on the U.S. power grid was conducted in two stages, according to the Homeland Security report. First, they went after “staging targets”—smaller companies that do frequent business with the primary targets as trusted third-party suppliers. Because security training is not strong at these peripheral companies, it was relatively easy for the Russians to insert malware into their systems via traditional hacking methods.

“Many of these cyberattacks are quite simple in nature,” Kirda said. “The initial infection often doesn’t involve rocket science.”

Once the Russians planted the malware in the staging targets, these peripheral companies unwittingly transmitted the viruses to the target organizations through their normal business communications.

Kirda said management often contributes to security holes because it fails to consider the security implications when choosing technology. As a result, there’s little incentive for tech manufacturers to invest in product security, which would drive up prices.

Another key weakness, according to Knake, is the fully integrated design of our infrastructure grids. He strongly recommends the creation of overlapping micro-grids that can operate independently during a crisis and cut themselves off from the central grid in the event of an attack or power outage.

But the creation of overlapping micro-grids, coupled with localized renewable energy to make them more self-sufficient, would cost money—lots of it.

Though the costs may be high, they’re not nearly as high as the price of inaction, he said.

“When the geopolitical concerns reach a level when Russia decides that it’s in their interest to take destabilizing action on our power grid, they will,” Knake said. “Cybersecurity is like an oak tree. When is the best time to plant an oak tree? Thirty years ago. When’s the second best time? Right now.”