DES MOINES, Iowa - In February, as Russian troops massed on Ukraine’s border, executives with a major energy firm here worked with U.S. energy and homeland security officials to draw up a playbook and help prepare the electricity sector to deal with potential cyberattacks by Russia.
Berkshire Hathaway Energy officers were among the small group that wrote the guidelines, which stressed the importance of quickly sharing cyberattack information between industry and government.
With President Joe Biden warning last month of evolving intelligence that Russia is exploring possible cyberattacks against American critical industries, companies such as Berkshire Hathaway Energy and the U.S. government are on high alert. After years of what critics saw as lip service, cybersecurity collaboration between the federal government and some critical industries has taken root, officials and industry leaders say, and it could be put to the test as Russian government hackers probe the defenses of American power plants, banks and telecom networks.
“The collaboration between government and the private sector has seen exponential improvement over the last couple of years,” said Bill Fehrman, president and CEO of Berkshire Hathaway Energy (BHE), which provides electricity generated by wind, solar, natural gas and coal to 12 million customers in the United States, Canada and Britain. “The main benefit,” he said, “is the more efficient transfer of information from the front line - the companies - to the government, and getting usable information back from the government in a timely manner.”
In particular, he said, the declassification of information from the government “has gone from months to in some cases hours.”
Berkshire Hathaway Energy is so large - one of the biggest electricity firms in North America by numbers of customers - that if its systems were disrupted by a Russian cyberattack, officials say, the impact on Americans’ lives would be substantial. At the same time, they say, practices like those adopted by BHE, whose CEO chairs the electricity sector group that coordinates with the federal government, can serve as a model for the industry.
As a chill wind whipped off the farm fields an hour northwest of Des Moines, the warmth from a 10,000-horsepower engine and the smell of oil filled a compressor room. The engine, chugging so loudly that workers wear earplugs, powers pistons that compress natural gas. The compressor station in Ogden is one stop along the 13,000-mile-long Northern Natural Gas pipeline, which is part of BHE and studded with similar stations every 60 miles or so. The compressed gas is fed from one station to another in relay fashion, serving homes, hospitals and power plants from Bakersfield, Texas, to Michigan’s Upper Peninsula.
There has never been a cyberattack on any industrial control system within BHE and its 11 subsidiaries. That is because of strict security measures imposed over the past eight years, said Chief Security Officer Michael Ball. No operational network is connected to the Internet, and third party vendors coming in to do maintenance follow stringent rules, including a ban on plugging any outside hardware into the system.
But although its industrial control or operational technology (OT) systems are not connected to the Internet, the company still has to ensure that traffic flowing within its systems is not contaminated by malware.
In a campaign launched by the White House a year ago to boost the cyber defenses of critical sectors, Berkshire Hathaway Energy deployed sensor software in its OT networks to look for malicious activity and vulnerabilities. The software the firm chose, developed by a company called Dragos, detects suspicious traffic from nation-state actors. It also anonymizes the data and makes it available to analysts at the National Security Agency, the Energy Department and the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency [CISA].
“We have confirmed foreign states are active in their targeting of U.S. energy industrial control systems,” said Robert M. Lee, chief executive of Dragos, whose software allows the government to send queries to the companies to see if they have detected the presence of certain adversaries.
By the end of the first 100-day campaign, which focused on electricity firms, almost 60% of electricity customers in America were covered by companies that had or pledged to have commercial cyberthreat sensors on their OT networks, said Fehrman, who coordinated the effort across the sector.
Work with the natural gas sector followed, and in January a water sector effort began.
“If power is disrupted, or if oil and gas is disrupted, or if clean water is disrupted, that really affects Americans’ lives,” said Anne Neuberger, Deputy National Security adviser for Cyber and Emerging Technology. “The collaboration between companies and with the government, the deployment of commercial sensors, the deepened information-sharing has been an important contribution to the sectors’ resilience,” she said.
Though Biden’s warning last month was based on intelligence gathered by the U.S. government, the sensors were helpful for additional insight, U.S. officials said.
Five years ago, Russian government hackers penetrated the OT systems of some American electricity companies, but the intrusions were not detected immediately. It took some companies months to realize they had been infiltrated. The sensors should cut that time drastically, U.S. and company officials said.
Last year, Russian criminals carried off a ransomware attack on Colonial Pipeline, snarling up the company’s administrative computer network. Out of fear that the malware might spread to the OT system, the company shut down its fuel pipeline for five days, prompting mass panic at gas stations on the East Coast and raising concerns that Russia might target other critical companies.
The abundance of targets in American industry prompted CISA to issue a call in February to companies to harden their cyber defenses in a campaign the agency dubbed “Shields Up.”
On a recent day, a senior threat intelligence analyst at BHE’s global security operations center pulled up a dashboard on a large screen on a wall, displaying some 3,000 Russian “indicators of compromise” or IP addresses and other digital clues that had been tied to cyberattacks on Ukraine government systems since January. The IOCs, as they are called, came from DHS, the Canadian Center for Cybersecurity, a government agency, and the Energy Department, as well as an industry information-sharing collective and private threat intelligence companies.
In years past companies might get this sort of data, but by the time it got to them, “chances are really good I already knew about it,” Ball said. “Now it’s flipped, and we’re seeing stuff faster, more of the stuff we haven’t already heard about.”
And, more importantly, company executives say, the quality of some of that information has improved.
“We have been getting ‘actionable intelligence’ - extremely helpful feedback that we can implement,” said Fehrman. That’s intelligence obtained through U.S. government penetration of adversaries’ systems overseas, and enhanced with more information that, for instance, tells companies what threat is really significant, what techniques the hackers are using, what machines they’re targeting - sometimes down to make and model - and what defensive actions should be taken as a result.
A major milestone in facilitating some of the cooperation driven by the Ukraine crisis was a congressional mandate that CISA set up a 24/7 center for the real-time sharing of threat information that includes personnel from key industrial sectors as well as from the FBI, DHS, the NSA, Energy and Treasury departments, among others. The result was the launch last summer of what CISA Director Jen Easterly named the Joint Cyber Defense Collaborative.
JCDC has “created a beachhead,” said Tom Fanning, CEO of the energy giant Southern Company, and a member of the Solarium Commission, which recommended the formation of the Collaborative. “As we mature the process, it will get better and better and better.”
A major spoke off the JCDC information-sharing hub is the Energy Department’s Energy Threat Analysis Center, which was created in January to enable companies and the government to jointly analyze threats and develop measures to deal with them.
It will also feed that information back to the JCDC. “If we’re seeing a threat to an energy industrial control system, we certainly want to make sure that information gets out to other sectors like water and chemical, [which] have similar systems,” said Puesh Kumar, director of the department’s Office of Cybersecurity, Energy Security and Emergency Response.
In February, the White House put CISA Executive Director Brandon Wales in charge of an effort to ensure the government can handle a cyberattack from the Russians, including any resulting physical consequences in the public or private sectors.
“On the whole we are more prepared now than ever before,” Wales said.
“Russian malicious cyber actors have posed a high threat to the U.S. government and the critical infrastructure since before the invasion of Ukraine,” he said, “And they will present a threat after this current crisis is resolved.”