Energy companies are bracing for potential cyberattacks in the wake of a U.S. airstrike late Thursday that killed a top Iranian general.
Hours after the attack at Baghdad International Airport, the U.S. Department of Homeland Security's top cybersecurity official on Friday reissued a summer bulletin from the agency warning of increased cyberattacks by the Iranian government and its allies.
"Given recent developments, re-upping our statement from the summer. Bottom line: time to brush up on Iranian TTPs and pay close attention to your critical systems, particularly ICS. Make sure you're also watching third party accesses! https://t.co/4G1P0WvjhS" — Chris Krebs (@CISAKrebs), January 3, 2020
"CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies," Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency at the DHS, said in a statement accompanying the July alert.
"Iranian regime actors and proxies are increasingly using destructive 'wiper' attacks, looking to do much more than just steal data and money," it continued. "These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you've lost your whole network."
Independent cybersecurity experts, speaking with Cheddar, said that so-called ransomware – where hackers lock and threaten to delete crucial files unless the victims cough up payment – is a "high likelihood" event.
"It's cheap, it's easy, it's proven reliable. And in the States, there are any number of entities at any level – state, local, industry, national conglomerate level – there's just a ton of targets, and you only need to get a couple to demonstrate that you've done something," said Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council, a think tank in Washington, DC.
The drone strike that killed Maj. Gen. Qassem Soleimani, an apparent targeted assassination ordered by President Trump, sharply escalated simmering tensions between the Iranian and U.S. governments. The countries' leaders have clashed over Iranian influence, military activity, and covert action in Iraq that has killed American and allied troops; Trump's move to withdraw the U.S. from the 2015 nuclear deal between the two nations; and the Trump administration's decision to reinstate harsh economic sanctions on the Islamic Republic that had been lifted as part of the nuclear accord.
Iran last summer shot down a U.S. surveillance drone flying near the Strait of Hormuz and seized oil tankers in an apparent bid to disrupt international oil markets. American and Saudi officials also blamed Iran for drone attacks on Saudi oil infrastructure and attacks that crippled oil tankers.
Iran, though, has also regularly deployed cyberweapons as part of its arsenal. Between 2011 and 2013, hackers launched attacks on dozens of U.S. financial institutions and, overseas, managed to wipe data from some 30,000 computers used by the state-owned oil and gas conglomerate, Saudi Aramco.
"Iran has shown previously to be opportunistic in its targeting of infrastructure with denial of service attacks against banks as well as trying to get access to industrial control systems in electric and water companies," Robert Lee, founder and CEO of the cybersecurity firm Dragos, said in an email. "While it is important to think where strategic targets would be for them it's just as relevant that they might search for those who are more insecure to be able to have an effect instead of a better effect on a harder target."
Other attacks in just the past year have exposed vulnerabilities in U.S. gas pipeline networks, and even the country's electric grids: The North American Electric Reliability Corporation, a federal regulator, confirmed in October that a remote hacker had disabled systems that had allowed an unnamed utility to communicate with and monitor crucial power sites in Utah, Wyoming, and California.
An industry survey published last fall by Siemens found that more than half the country's power providers say that they're unprepared for a cyberattack.
"There's been ongoing activity in the past couple years from the Iranians – and the Russians – to gain access to these networks," Herr said. "Now, in a period of peak escalation like this, where the Iranians are certainly hopping mad, will they use this access to deploy a capability that will create harm? There is some concern about that, which is why DHS issued that warning, which was unusual in its specificity."
The U.S. and its chief ally in the region, Israel, have deployed cyberattacks against Iran: The Stuxnet virus in 2010, for example, derailed Iranian uranium enrichment, although neither the U.S. nor Israel has confirmed that it was responsible for building and deploying the cyber weapon. More recently, an apparent U.S. cyberattack last June reportedly crippled Iran's ability to target oil tankers in the Strait of Hormuz. Such attacks may have effectively cleared the way for similar responses from Iran.
"There's a monkey-see-monkey-do effect: The Iranians are incredibly fast learners, and they tend to reciprocate to others what is done to them," Herr said.
Industry organizations such as the Edison Electric Institute, which represents investor-owned electric utilities, and the American Petroleum Institute, the main trade group for the oil and gas sector, said that they’re monitoring for potential breaches.
“While there is no specific threat to electricity infrastructure at this time, given Iranian capabilities and the potential for retaliation, the electric power industry is closely coordinating across the industry and with our government partners through the Electricity Subsector Coordinating Council… to ensure vigilance and the ability to respond quickly should the situation evolve,” Scott Aaronson, EEI’s vice president for security and preparedness, said in a statement.
Emily Smith, a spokeswoman for the American Petroleum Institute, said that the oil and gas industry “continues to work collaboratively with government agencies to mitigate and investigate industrial control system (ICS) threats – especially through the oil and natural gas information sharing and analysis center.”
A retaliatory cyberattack, however, is far from certain, Herr and other experts said. Iran has a range of responses at its disposal, from deploying fast boats in the Strait of Hormuz, to sowing violence to disrupt American influence and operations in Iraq and Syria, to targeting allies such as Saudi Arabia or Israel.
"You should really be thinking about proportionality," said Oren Falkowitz, CEO of Area 1 Security, a cybersecurity firm. "Cyber is a great option prior to prevent wars and to do things asymmetrically. In and of itself, I don't think it's a reasonable response, and I think it would be seen as pretty weak."
Effective cyberattacks also demand years of planning – causing damage is the last step in the process, not the first. Seeking to disrupt infrastructure such as pipelines or a power plant, for example, requires access to complex software, high levels of investment, and sophistication.
"There are real threats in cyberspace, and countries like Iran and China and Russia, as well as criminal groups, are causing epic amounts of damages. But the challenge is that when something happens in the real world, it's not like cyberattacks can just be formulated out of thin air to respond overnight. Launching a cyberattack is a painstaking, monthslong, if not yearslong, process," said Falkowitz, who previously held senior positions at the National Security Agency and U.S. Cyber Command.
The heightened concern about a potential cyberattack, though, may itself be a wakeup call: "If I'm an executive and I've been spending millions of dollars, and I wake up and I'm really worried, I don't know what I've been spending my money on," Falkowitz said. "For the professionals and businesses worried about protecting their intellectual property and customers' sensitive information and financials, this is something that they deal with every single day – the fact that there's a geopolitical hotspot shouldn't really change anything for them."