Cyber "Attack" Aimed at Pipeline Companies Was Handled Washington-Style

The incident marks a new, heightened level of influence by Washington over security in the energy sector.

Here’s the first thing you need to know about a reported
“cyber attack” against natural gas pipeline operators that was revealed
last week
:
It wasn’t
actually an attack–not on the pipelines anyway, which is how it
has been portrayed in some
news

accounts.
So far, there’s no evidence that electronic
intruders gained access to the systems that control gas
pipelines, or that any of these lines were damaged. Rather, an
as-yet-unidentified
hacker or group of hackers was trying to get inside the
corporate networks of the pipeline operators themselves. That’s a
serious breach, but it’s not as serious as taking over a
pipeline.

Here’s the second thing you need to know: This
incident marks a new, heightened level of influence by Washington over
security
in the energy sector–and that influence will only get stronger
as more incidents like this occur. Right now, Congress is debating
cyber security legislation that would get the government more
involved in managing corporate security breaches.

In this latest case, federal security and law enforcement
agencies were involved early on as pipeline operators discovered
they might be the target of an espionage campaign. For much of
the time, they successfully enforced a media and public information
blackout of the events. While several companies were
discovering they were targets, federal authorities investigated and
watched
the intruders, but they didn’t immediately issue a broad alert
warning all pipeline operators that they might be at risk.
Authorities held classified briefings with affected companies
across the country. The intrusion campaign is ongoing, and it’s
not yet clear how many companies may be involved.

Here’s how events unfolded, based on government
accounts and interviews with people who are privy to details of the
investigation.

Sometime in March, a number of natural gas pipeline
operators alerted the Homeland Security Department that their employees
had received suspicious e-mails. They appeared to be from
someone the employees knew or were likely to know, but they were
really sent by the would-be intruders. They were so-called
“spear-phishing” messages, meant to trick the recipient into opening
an attached file or clicking on embedded link, which releases a
program that sets up a clandestine entry point into the recipient’s
network.

Once inside, an intruder might be able to read a
company’s e-mails, learn where it was planning to build a new pipeline,
and
gather other proprietary insights. Security experts debate
whether an intruder could have jumped from the corporate network
on to the networks that actually control the pipelines. One
former government official said that it if a company had taken
steps to segregate those networks–which, he added, they
should–then it would be very difficult to move from one to another.
That indicates the intrusion was meant to steal information
from the employees, the former official said. In that case, possible
culprits could be competing gas companies, or a foreign
intelligence agency looking for inside information about US energy
trends.

Once the companies alerted the government that they
were being probed, federal officials took charge of the situation.
Homeland
Security and the FBI investigated, gathering information from
computer hard drives and network logs. The source of the e-mails
was “positively identified . . . as related to a single
campaign,” the government now
says
.

As many as 20 companies reported seeing the attempts to gain
access to their networks, according to a report in the
Christian Science Monitor, which first reported
on the intrusions
. Some of the attempted intrusions began as early as December 2011.

Here’s where things get unusual, and a little
nerve-wracking: Rather than warn the entire gas pipeline industry that
it was
at risk, federal authorities held off and conducted a kind of
digital stakeout. It’s still not clear what the government hoped
to gain by watching the intruders. Security experts said the
government may have wanted to determine whether the campaign
was launched by a criminal organization or a state
actor–namely, a foreign intelligence agency. Investigators also may have
wanted to quietly alert companies how to mitigate any damage
without tipping off the intruders that they were being watched.
(A spokesman for the Homeland Security Department says
officials shared “mitigation activities” with the affected companies.)

Whatever the case, it’s rare that the government would
hold off on issuing warnings to all companies that might be affected
by a hacker campaign. After the September 11 attacks, new
procedures were put in place that emphasized speed and breadth in
sharing threat information within certain economic sectors. In
this case, though, the emphasis was placed on surveillance
of the intruder.

In Washington, the trade associations representing gas
companies and pipeline operators were also alerted. All public comments
about the incidents are now coming from the trade groups. Calls
to pipeline operators and natural gas companies were either
not returned or referred to their DC representatives. Those
groups have been directly involved in the ongoing negotiations
over the cyber security bill.

Authorities met with individual companies at their
facilities and held classified briefings. But still, the Homeland
Security
Department did not alert the entire gas pipeline industry to
the threat until March 29, when a team that monitors the energy
sector sent out an “alert” to all companies through a secure
website. Those alerts “are intended to provide early warning
indicators of threats and vulnerabilities for the community
[pipeline operators] to act upon quickly,” according to the team.
But according to the
Monitor, this alert also instructed the companies “not to take action to remove the cyber spies if discovered on their networks,
but to instead allow them to persist as long as company operations did not appear to be endangered.”

If any pipeline operators had yet to be contacted
about the threat, this alert was the first they’d heard of it. But the
Homeland
Security Department wasn’t exactly making the threat public.
The alerts are considered “sensitive” and cannot be distributed
through “unsecured channels.”

In the end, there was no damage to the hundreds of
thousands of miles of natural gas pipelines crisscrossing the United
States.
“To our knowledge, the ‘cyber intrusions’ reported to DHS have
had no impact on deliveries or the safety of the pipeline system,”

Don Santa, the president and chief executive officers of the gas pipeline trade association, said in a statement.

But it was a tense few weeks, shrouded in secrecy, and a harbinger of how cyber security breaches will be handled–Washington
style.

More from News