Cyber “Attack” Aimed at Pipeline Companies Was Handled Washington-Style
The incident marks a new, heightened level of influence by Washington over security in the energy sector.
Here’s the first thing you need to know about a reported “cyber attack” against natural gas pipeline operators that was revealed last week: It wasn’t actually an attack—not on the pipelines anyway, which is how it has been portrayed in some news accounts. So far, there’s no evidence that electronic intruders gained access to the systems that control gas pipelines, or that any of these lines were damaged. Rather, an as-yet-unidentified hacker or group of hackers was trying to get inside the corporate networks of the pipeline operators themselves. That’s a serious breach, but it’s not as serious as taking over a pipeline.
Here’s the second thing you need to know: This incident marks a new, heightened level of influence by Washington over security in the energy sector—and that influence will only get stronger as more incidents like this occur. Right now, Congress is debating cyber security legislation that would get the government more involved in managing corporate security breaches.
In this latest case, federal security and law enforcement agencies were involved early on as pipeline operators discovered they might be the target of an espionage campaign. For much of the time, they successfully enforced a media and public information blackout of the events. While several companies were discovering they were targets, federal authorities investigated and watched the intruders, but they didn’t immediately issue a broad alert warning all pipeline operators that they might be at risk. Authorities held classified briefings with affected companies across the country. The intrusion campaign is ongoing, and it’s not yet clear how many companies may be involved.
Here’s how events unfolded, based on government accounts and interviews with people who are privy to details of the investigation.
Sometime in March, a number of natural gas pipeline operators alerted the Homeland Security Department that their employees had received suspicious e-mails. They appeared to be from someone the employees knew or were likely to know, but they were really sent by the would-be intruders. They were so-called “spear-phishing” messages, meant to trick the recipient into opening an attached file or clicking on an embedded link, which releases a program that sets up a clandestine entry point into the recipient’s network.
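The pattern described above (a message that looks like it comes from a known colleague but carries an attachment or link) can be triaged mechanically at the mail gateway. The following is an added example, not code from the article or from any pipeline operator or agency; the contact directory, the two messages and the domain names are constructed, and the Reply-To mismatch check is an extra heuristic of mine beyond what the article describes.

```python
import email
import email.utils
import re
from email import policy

# Constructed directory of people the recipient "knows": display name -> real address.
KNOWN_CONTACTS = {
    "Jane Doe": "jane.doe@example-pipeline.test",
    "Ops Scheduling": "scheduling@example-pipeline.test",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def triage_message(raw: str) -> dict:
    """Return the spear-phishing indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    indicators = []
    # A familiar display name on an unfamiliar address is the core lure.
    known = KNOWN_CONTACTS.get(name)
    if known and known.lower() != addr.lower():
        indicators.append("display name matches a known contact but address differs")
    # Replies being steered to a third address (my extra heuristic, not from the article).
    reply_to = email.utils.parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        indicators.append("Reply-To differs from From")
    # Attached file: the "open this" half of the lure.
    attachments = [p.get_filename() for p in msg.iter_attachments()]
    if attachments:
        indicators.append("attachment(s): " + ", ".join(attachments))
    # Embedded link: the "click this" half of the lure.
    body = msg.get_body(preferencelist=("plain", "html"))
    urls = URL_RE.findall(body.get_content()) if body else []
    if urls:
        indicators.append(f"embedded link(s): {len(urls)}")
    return {"from_name": name, "from_addr": addr, "indicators": indicators}

# Constructed sample: familiar name, look-alike domain, attachment and link.
PHISH = """\
From: Jane Doe <jane.doe@mail-example.test>
To: worker@example-pipeline.test
Subject: Updated route map
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached map before Friday: http://maps.example-bad.test/route
--b1
Content-Type: application/octet-stream; name="route_map.exe"
Content-Disposition: attachment; filename="route_map.exe"

not-a-real-binary
--b1--
"""
```

A legitimate message from jane.doe@example-pipeline.test with no attachment or link yields an empty indicator list, so the function can gate quarantine on any non-empty result.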
Once inside, an intruder might be able to read a company’s e-mails, learn where it was planning to build a new pipeline, and gather other proprietary insights. Security experts debate whether an intruder could have jumped from the corporate network on to the networks that actually control the pipelines. One former government official said that if a company had taken steps to segregate those networks—which, he added, they should—then it would be very difficult to move from one to another. That indicates the intrusion was meant to steal information from the employees, the former official said. In that case, possible culprits could be competing gas companies, or a foreign intelligence agency looking for inside information about US energy trends.
Once the companies alerted the government that they were being probed, federal officials took charge of the situation. Homeland Security and the FBI investigated, gathering information from computer hard drives and network logs. The source of the e-mails was “positively identified … as related to a single campaign,” the government now says. As many as 20 companies reported seeing the attempts to gain access to their networks, according to a report in the Christian Science Monitor, which first reported on the intrusions. Some of the attempted intrusions began as early as December 2011.
Here’s where things get unusual, and a little nerve-wracking: Rather than warn the entire gas pipeline industry that it was at risk, federal authorities held off and conducted a kind of digital stakeout. It’s still not clear what the government hoped to gain by watching the intruders. Security experts said the government may have wanted to determine whether the campaign was launched by a criminal organization or a state actor—namely, a foreign intelligence agency. Investigators also may have wanted to quietly alert companies how to mitigate any damage without tipping off the intruders that they were being watched. (A spokesman for the Homeland Security Department says officials shared “mitigation activities” with the affected companies.)
Whatever the case, it’s rare that the government would hold off on issuing warnings to all companies that might be affected by a hacker campaign. After the September 11 attacks, new procedures were put in place that emphasized speed and breadth in sharing threat information within certain economic sectors. In this case, though, the emphasis was placed on surveillance of the intruder.
In Washington, the trade associations representing gas companies and pipeline operators were also alerted. All public comments about the incidents are now coming from the trade groups. Calls to pipeline operators and natural gas companies were either not returned or referred to their DC representatives. Those groups have been directly involved in the ongoing negotiations over the cyber security bill.
Authorities met with individual companies at their facilities and held classified briefings. But still, the Homeland Security Department did not alert the entire gas pipeline industry to the threat until March 29, when a team that monitors the energy sector sent out an “alert” to all companies through a secure website. Those alerts “are intended to provide early warning indicators of threats and vulnerabilities for the community [pipeline operators] to act upon quickly,” according to the team. But according to the Monitor, this alert also instructed the companies “not to take action to remove the cyber spies if discovered on their networks, but to instead allow them to persist as long as company operations did not appear to be endangered.”
If any pipeline operators had yet to be contacted about the threat, this alert was the first they’d heard of it. But the Homeland Security Department wasn’t exactly making the threat public. The alerts are considered “sensitive” and cannot be distributed through “unsecured channels.”
In the end, there was no damage to the hundreds of thousands of miles of natural gas pipelines crisscrossing the United States. “To our knowledge, the ‘cyber intrusions’ reported to DHS have had no impact on deliveries or the safety of the pipeline system,” Don Santa, the president and chief executive officer of the gas pipeline trade association, said in a statement.
But it was a tense few weeks, shrouded in secrecy, and a harbinger of how cyber security breaches will be handled—Washington style.