Security firms warn of new cyber threat to electric grid

An electricity station with high-tension electricity power lines is seen in Galapagar, Spain, January 20, 2017.

By Jim Finkle

(Reuters) – Two cyber security companies said they have uncovered a sophisticated piece of malicious software capable of causing power outages by ordering industrial computers to shut down electricity transmission.

Analysis of the malware, known as Crash Override or Industroyer, indicates it was likely used in a December 2016 cyber attack that cut power in Ukraine, according to the firms, Slovakian security software maker ESET and U.S. critical-infrastructure security firm Dragos Inc.

The discovery may stoke fears about cyber vulnerabilities in power grids that have intensified in the wake of the December Ukraine attack, and one a year earlier that also cut power in that nation.

Ukraine authorities have previously blamed Russia for the attacks on its grid. Moscow has denied responsibility.

Dragos founder Robert M. Lee said the malware is capable of causing outages of up to a few days in portions of a nation’s grid, but is not potent enough to bring down a country’s entire grid.

The firm has alerted government authorities and power companies about the threat, advising them of steps to defend against it, Lee said in an interview.

Crash Override can be detected if a utility specifically monitors its network for abnormal traffic, including signs that the malware is searching for the location of substations or sending messages to switch breakers, according to Lee, a former U.S. Air Force warfare operations officer.

The sample of Crash Override that was analyzed by Dragos is capable of attacking power operators across Europe, according to Lee.

“With small modifications, it could be leveraged against the United States,” he said.

Reuters reviewed an ESET technical analysis of the malware provided by the security firm, which it planned to release publicly on Monday. An ESET spokeswoman said the firm’s researchers were not available for comment ahead of its release.

ESET said in its report that it believed the malware was “very probably” used in the 2016 attack in Ukraine, noting it has an activation time stamp of Dec. 17, the day of the outage.

Crash Override is the second piece of malware discovered to date that is capable of disrupting industrial processes, according to Lee.

The first, Stuxnet, was discovered in 2010 and is widely believed by security researchers to have been used by the United States and Israel to attack Iran’s nuclear program.

Malware has been used in other attacks on industrial targets, including the 2015 Ukraine power outage, but in those cases human intervention was required to interfere with operations, Lee said.

(Reporting by Jim Finkle in Toronto; Editing by Tom Brown and Richard Pullin)

GE fixing bug in software after warning about power grid hacks

FILE PHOTO: The logo of a General Electric (GE) facility is seen behind tree branches in Medford, Massachusetts, U.S., April 20, 2017. REUTERS/Brian Snyder/File Photo

By Jim Finkle

(Reuters) – General Electric Co <GE.N> said on Wednesday it is fixing a bug in software used to control the flow of electricity in a utility’s power systems after researchers found that hackers could shut down parts of an electric grid.

The vulnerability could enable attackers to gain remote control of GE protection relays, enabling them to “disconnect sectors of the power grid at will,” according to an abstract posted late last week on the Black Hat security conference website.

Protection relays are circuit breakers that utilities program to open and halt power transmission when dangerous conditions surface.

Interest in grid security has intensified amid the increased use of cyber weapons by nation states, including two high-profile cyber attacks in Ukraine that authorities in Kiev have blamed on Russia.

Three New York University security experts are scheduled to discuss the issue at the Las Vegas Black Hat hacking conference in July. They could not be reached immediately for comment.

GE is not aware of any cases in which hackers exploited the bug to cause power outages, said GE spokeswoman Annette Busateri. The bug only involves older GE protection relays introduced in the 1990s “before current industry expectations for security,” she said.

“We have been in the process of issuing notifications and providing product upgrades to our affected customer base on available firmware updates to address this issue,” she said.

GE has issued patches for five of six models affected by the vulnerability and will soon release a patch for the sixth model, Busateri said.

Michael Assante, former chief security officer with the North American Electric Reliability Corp, which regulates the North American grid, said the product was still widely deployed because the industry runs systems for decades before upgrading to new technologies.

“This is certainly a significant issue,” he said.

Hackers caused power to go out in 2015 and 2016 attacks in Ukraine by using other techniques to force breakers to open, Assante said.

(Reporting by Jim Finkle in Toronto; Editing by Chizu Nomiyama and Jeffrey Benkoe)

U.S. weighs dangers, benefits of naming Russia in cyber hack

By Warren Strobel and John Walcott

WASHINGTON (Reuters) – Wary of a global confrontation with Russia, U.S. President Barack Obama must carefully weigh how to respond to what security experts believe was Moscow’s involvement in the hacking of Democratic Party organizations, U.S. officials said.

Publicly blaming Russian President Vladimir Putin’s intelligence services would bring instant pressure on Washington to divulge its evidence, which relies on highly classified sources and methods, U.S. intelligence officials said.

One option for Washington is to retaliate against Russia in cyberspace. But the intelligence officials said they fear a rapid escalation in which, under a worst-case scenario, Moscow’s sophisticated cyber warriors could attack power grids, financial systems and other critical infrastructure.

Washington also has diplomacy to manage with Russia in Secretary of State John Kerry’s long-shot attempt to enlist Moscow’s help in ending the Syrian civil war and sustaining the Iran nuclear deal, as well as Russia-NATO tensions over Ukraine and Eastern Europe.

“Despite how outrageous it is to interfere with a democratic election, the costs of coming out and saying the Russians did it would far outweigh the benefits, if there would be any benefits,” said one intelligence official, speaking on condition of anonymity to discuss a sensitive matter.

Russia has denied responsibility for hacking the emails of the Democratic National Committee. Also attacked were a computer network used by Democratic presidential nominee Hillary Clinton’s campaign and the party’s fundraising committee for House of Representatives candidates in the Nov. 8 election.

Other current and former officials are arguing for a firm response, however. They said the hack was the latest in a series of aggressive moves by Putin, including Russia’s annexation of Crimea, military intervention to rescue Syrian President Bashar al-Assad, and funding of right-wing and anti-European Union groups in Europe.

Columbia University cyber security expert Jason Healey said at an annual security forum in Aspen, Colorado, on Saturday that the Russians had been very aggressive in cyberspace too.

“I think the president needs to start looking at brush-back pitches,” Healey said, referring to a baseball thrown near the batter as a warning.

NAME AND SHAME?

Intelligence officials and cyber experts said the intrusions themselves were not that unusual. American spy agencies conduct similar electronic espionage outside U.S. borders.

What made this hack a game-changer, they said, was the public release of the DNC emails, via the pro-transparency group WikiLeaks, in an apparent attempt to affect the election.

Government and party officials said they were unaware of any evidence that WikiLeaks had received the hacked materials directly from Russians or that WikiLeaks’ release of the materials was in any way directed by Russians.

The Justice Department’s National Security Division, which is overseeing the investigation, has publicly charged U.S. adversaries – known as “naming and shaming” – before.

The U.S. government blamed North Korea for a damaging attack on Sony Pictures, and in 2014 indicted five members of the Chinese military for computer hacking and economic espionage.

Among adversary nations with significant cyber capabilities, a list that also includes Iran, the Russian government is the only one the Justice Department has not yet charged.

Obama’s homeland security and counter-terrorism advisor Lisa Monaco said the government has developed “best practices” to investigate cyber attacks and decide when to make the results public.

Monaco, also speaking at the Aspen forum, said that in the Sony case, FBI investigators had high confidence North Korea was responsible. The attack was deemed destructive, as well as coercive, because it was retaliation for a movie parodying North Korean leader Kim Jong Un.

“Those two things, along with our confidence in the attribution and the ability to talk about it in a way that would not disclose sources and methods and hinder our ability to make such attribution in the future all combined to say, ‘We’re going to call this out’,” she said.

Elissa Slotkin, an acting assistant secretary of defense, said that for the next decade, the U.S. government faced a fundamental question in dealing with Russia: “How do you get the balance right?”

“Are we being too charitable and giving them too many opportunities to come back to the table, or are we providing such a high level of deterrence that we’re potentially provoking them?” Slotkin asked.

(Additional reporting by Mark Hosenball, Jonathan Landay and Arshad Mohammed; editing by Grant McCool)

U.S. to sanction cyber attackers, cites Russia, China

WASHINGTON (Reuters) – The United States will use sanctions against those behind cyber attacks that target transportation systems or the power grid, the White House said on Tuesday, citing Russia and China as increasingly assertive and sophisticated cyber operators.

The sanctions will be used “when the conditions are right and when actions will further U.S. policy,” White House counter terrorism adviser Lisa Monaco said in prepared remarks to a cyber security conference.

Monaco cited an “increasingly diverse and dangerous” global landscape in which Iran has launched denial-of-service attacks on U.S. banks and North Korea has shown it would conduct destructive attacks.

“To put it bluntly, we are in the midst of a revolution of the cyber threat – one that is growing more persistent, more diverse, more frequent and more dangerous every day,” she said.

The United States is working with other countries to adopt voluntary norms of responsible cyber behavior and work to reduce malicious activity, she said. At the same time, it will use an executive order authorizing sanctions against those who attack U.S. critical infrastructure.

Monaco introduced a new directive from President Barack Obama that establishes a “clear framework” to coordinate the government’s response to cyber incidents.

“It will help answer a question heard too often from corporations and citizens alike – ‘In the wake of an attack, who do I call for help?'” she said.

(Reporting by Doina Chiacu; Editing by Jonathan Oatis)

California power grid passes first heat wave test amid gas shortage

(Reuters) – California’s power grid passed its first test of the summer with no rolling blackouts on Monday, when customers cranked up their air conditioners as temperatures soared into the triple digits for the second consecutive day in some southern parts of the state.

The California Independent System Operator, which manages the state’s power grid, issued a so-called flex alert on Sunday, urging homes and businesses to conserve energy on Monday afternoon.

As consumers heeded that call and temperatures on Monday came in a little cooler than expected, the ISO cut its peak power demand projection for the day to 43,728 megawatts from 45,316 MW.

Monday’s alert was the first big test of power generators’ ability to meet heightened energy demands in the greater Los Angeles area without natural gas supplies normally furnished by the now-crippled Aliso Canyon. The storage field, California’s largest, has been effectively idled since a major well rupture there last autumn.

So far, the ISO has not issued another flex alert for Tuesday but said on its website it would be “helpful” if customers conserve energy.

With cooler temperatures expected for the rest of the week, the ISO forecast demand would peak at 42,581 MW on Tuesday and just 39,036 on Wednesday.

AccuWeather meteorologists forecast the mercury would reach 87 degrees Fahrenheit (31 Celsius) in Los Angeles on Tuesday before falling to a near-normal 82 degrees on Wednesday. Temperatures had exceeded 100 degrees on Monday.

With Aliso Canyon shut down, state regulators have warned that the Los Angeles area faces up to 14 days of gas shortages severe enough to trigger blackouts this summer.

Aliso Canyon, owned by Sempra Energy’s Southern California Gas Co unit, normally supplies the region’s 17 gas-fired power plants, hospitals, refineries and other key parts of the state’s economy.

(Reporting by Scott DiSavino; Editing by Lisa Von Ahn)

Heat wave tests Southern California’s power grid amid gas shortage

By Steve Gorman and Nichola Groom

LOS ANGELES (Reuters) – California’s power grid operators warned homes and businesses on Monday to conserve electricity as rising demand for air conditioning stoked by a record-setting heat wave across the U.S. Southwest tested the region’s generating capacity.

The so-called Flex Alert was posted until 9 p.m. Pacific time during a second day of triple-digit temperatures that strained Southern California’s energy production, creating a potential for rolling blackouts on the first official day of summer.

But the peak hour for energy demand came and went Monday evening without disruption of the region’s power delivery network, the California Independent System Operator (ISO) reported.

“Since we’re past that and have not experienced any trouble, I think we’re headed into the safe zone,” agency spokeswoman Anne Gonzales told Reuters.

Temperatures were expected to begin abating on Tuesday, according to weather forecasts. As of Monday night, there were no plans to extend the Flex Alert, ISO officials said.

Monday’s alert was the first big test of power generators’ ability to meet heightened energy demands in the greater Los Angeles area without natural gas supplies normally furnished by the now-crippled Aliso Canyon gas storage field, effectively idled since a major well rupture there last fall.

The oven-like heat prompted the city of Los Angeles to keep its network of public “cooling centers” – libraries, recreation centers and senior centers – open for extended hours as a haven for people whose homes lack air conditioning.

Area home improvement and hardware merchants were doing a brisk business in fans and AC window units.

Brett Lopes, 31, a freelance lighting technician, stopped in a Home Depot outlet near downtown to buy supplies for a homemade air conditioner he called a “swamp cooler” to use while he waited for his landlord to repair his broken AC unit.

“It’s brutal,” he said of the heat, explaining that he looked up directions on YouTube for assembling the makeshift cooling device. “It doesn’t work as well as AC, but it’s better than sitting in 100 degrees.”

Others flocked to public swimming pools.

“It was really refreshing today, but more crowded than usual,” said Paul Stephens, 31, a pastor who was swimming laps at the Rose Bowl Aquatic Center in Pasadena, where the mercury climbed to 108 Fahrenheit (42 Celsius).

BALANCING THE GRID

The ISO, which runs the state’s power grid, urged consumers on Monday to cut back on electricity usage, especially during late-afternoon hours.

Utility customers were advised to turn off unnecessary lights, set air conditioners to 78 degrees Fahrenheit or higher, and wait until after 9 p.m. to run major appliances, such as clothes washers and dryers.

Gonzales credited public cooperation with the flex alert for likely helping avert widespread outages on Monday.

Large stretches of three states sweltered in a second straight day of record, triple-digit temperatures, as the National Weather Service posted excessive-heat warnings through Wednesday for southern portions of California, Arizona and Nevada, though the hot spell appeared to have peaked on Monday.

Power customers ranging from homes and hospitals to oil refineries and airports are at risk of losing energy at some point this summer because a majority of electric-generating stations in California use gas as their primary fuel.

Since the energy crisis of 2000-2001, the ISO has imposed brief, rotating outages in 2004, 2005, 2010 and 2015, mostly related to unexpected transmission line or power plant failures during periods of unusually high demand.

With California’s largest natural gas storage field shut down indefinitely at Aliso Canyon, state regulators have warned that Los Angeles faces up to 14 days of gas shortages severe enough to trigger blackouts this summer.

Aliso Canyon, owned by Southern California Gas Co, a division of San Diego-based utility giant Sempra Energy, normally supplies the region’s 17 gas-fired power plants, hospitals, refineries and other key parts of California’s economy, including 21 million residents.

The gas leak there, ranking as the worst-ever accidental methane release in the United States, forced thousands of nearby residents from their homes for several months after it was detected last October. The leak was finally plugged in February.

(Reporting by Scott DiSavino in New York; Writing and additional reporting by Steve Gorman in Los Angeles; Editing by Leslie Adler and Andrew Hay)

California power grid prepares for heatwave, possible natgas shortage

By Scott DiSavino

(Reuters) – California will have its first test of plans to keep the lights on this summer following the shutdown of the key Aliso Canyon natural gas storage facility as temperatures in the Los Angeles area are forecast to hit triple digits this week.

With record-setting heat and air conditioning demand expected in Southern California, the state’s power grid operator issued a so-called “flex alert,” urging consumers to conserve energy to help prevent rotating power outages – which could occur regardless.

Electricity demand is expected to rise during the unseasonable heatwave on Monday and Tuesday, with forecast system-wide use expected to top 45,000 megawatts, said the California Independent System Operator (ISO), which manages electricity flow through the state. That compares with a peak demand of 47,358 MW last year and the all-time high of 50,270 MW set in July 2006.

That could put stress on the power grid, particularly with the shut-in of Aliso Canyon, following a massive leak at the underground storage facility in October. The facility, in the San Fernando Valley, is the second largest storage field in the western United States, according to federal data, and therefore crucial for power generation.

All customers, including homes, hospitals, oil refineries and airports are at risk of losing power at some point this summer because a majority of electric generating stations in California use gas as their primary fuel. In April, millions of electric customers in Southern California were warned they could suffer power outages on up to 14 days this summer due to the closure.

The ISO said it was working with gas and power utilities and state energy agencies to mitigate potential reliability issues related to the limited operations at Aliso Canyon.

“We are confident we have a strong plan in place to meet the operational challenges posed by the upcoming hot temperatures,” ISO CEO Steve Berberich said, adding that consumer conservation efforts would be key.

ROTATING OUTAGES

Since the energy crisis of 2000-2001, the ISO has imposed short rotating outages in 2004, 2005, 2010 and 2015, mostly related to unexpected transmission line or power plant outages during periods of unusually high demand.

Southern California Gas (SoCalGas), the nation’s biggest gas distribution utility and owner of Aliso Canyon, detected the leak in October and plugged it in February.

SoCalGas is a unit of California energy company Sempra Energy.

State regulators will not allow SoCalGas to inject fuel into the facility until the company inspects all of its 114 wells.

Aliso Canyon is the biggest of four SoCalGas storage fields. It provides service to the region’s 17 gas-fired power plants, hospitals, refineries, and other key parts of California’s economy.

In the summer (April through October), SoCalGas strives to completely fill the 86.2 billion cubic feet (bcf) Aliso Canyon facility to prepare for the upcoming winter heating season when gas demand peaks.

State regulators, however, ordered the company in January to reduce the amount of working gas in Aliso Canyon to just 15 bcf and use that fuel to reduce the risk of gas curtailments and power interruptions this summer.

Unlike some other gas transmission systems that can store large amounts of so-called linepack gas in pipelines, like PG&E Corp in northern California, SoCalGas cannot function with only pipeline or storage supplies.

That makes storage fields much more critical for SoCalGas and the 21 million residents it supports.

SoCalGas uses Aliso Canyon to meet gas demand from power generators that cannot be met with pipeline flows alone on about 10 days per month during the summer, according to state agencies.

(Reporting by Scott DiSavino; Editing by Joseph Radford)

Canada hopes cooler weather aids battle with Alberta fire

By Liz Hampton and Rod Nickel

LAC LA BICHE, Alberta (Reuters) – Canadian firefighters looked to cooler weather on Monday to help with their battle against the country’s most destructive wildfire in recent memory, as officials sought to gauge the damage to oil sands boomtown Fort McMurray.

The fire, which started on May 1, spread so quickly that the community’s 88,000 inhabitants barely had time to leave and whole neighborhoods were destroyed.

“This is great firefighting weather, we can really get in here and get a handle on this fire, and really get a death grip on it,” Alberta fire official Chad Morrison said on Sunday.

The wildfire scorching through Canada’s oil sands region in northeast Alberta had been expected to double in size on Sunday, but light rains and cooler temperatures helped hold it back.

The temperature, which reached a high of 17 C (63°F) on Sunday, was expected to cool further, with Environment Canada forecasting a 40 percent chance of showers in Fort McMurray on Monday.

Cooler temperatures around 10 C were expected through to Friday after last week’s record heat. Still, much of Alberta is tinder-box dry after a mild winter and warm spring.

Alberta’s government estimated on Sunday that the fire had consumed 161,000 hectares (395,000 acres).

Officials made clear it was too early to put a timeline on getting thousands of evacuees camped out in nearby towns back to Fort McMurray, even if their homes are intact.

The city’s gas has been turned off, its power grid is damaged and the water is undrinkable.

Alberta Premier Rachel Notley said on Sunday recovery efforts had begun, with 250 employees from power company ATCO working to restore the power grid and assess gas infrastructure.

Fort McMurray is the center of Canada’s oil sands region. About half of the crude output from the sands, or 1 million barrels per day, has been taken offline, according to a Reuters estimate. Oil prices jumped almost 2 percent in trading early on Monday, as Canada’s fire contributed to tightening supply.

The inferno looks set to become the costliest natural disaster in Canada’s history. One analyst estimated insurance losses could exceed C$9 billion ($7 billion).

Nearly all of Fort McMurray’s residents escaped the fire safely, although two people were killed in a car crash during the evacuation.

In his now-regular evening message, Fort McMurray fire chief Darby Allen on Sunday sent condolences to the families of the two teenage cousins in the crash. One of the victims, 15-year-old Emily Ryan, was the daughter of a fireman in the city.

Regional officials also said via Facebook that firefighters were getting their first break since the fire began a week ago after being relieved by reinforcements.

(With additional reporting by Nia Williams in Calgary; Writing by Jeffrey Hodgson; Editing by Richard Pullin)

Electricity supply gradually returns in Syria after massive outage

BEIRUT (Reuters) – Syria’s electricity supply was gradually returning after it was cut across the country on Thursday and Internet connections were briefly disrupted, state media said.

SANA news agency quoted the electricity minister saying that the network was returning and would be restored to its earlier capacity by midnight. It did not say what caused the cut.

It said earlier that the “electricity work has been cut in all governorates. Attempts to find the cause of the outage have begun.”

A Reuters witness confirmed that electricity had gone down in Damascus, and the Syrian Observatory for Human Rights, which monitors the five-year-old conflict in Syria, said that power had been cut in the “vast majority of governorates”.

SANA reported the Syria Telecommunications Company as saying Internet services were partially halted on Thursday “as a result of sudden damage to one of the network hubs”, but were later restored.

(Reporting by Lisa Barrington/Mariam Karouny; Editing by Dominic Evans)

NSA chief says ‘when, not if’ foreign country hacks U.S. infrastructure

SAN FRANCISCO (Reuters) – The U.S. National Security Agency chief said on Tuesday it was a “matter of when, not if” a foreign nation-state attempts to launch a cyber attack on U.S. critical infrastructure, citing the recent hack on Ukraine’s power grid as a cause for concern.

Speaking at the RSA cyber security conference in San Francisco, Admiral Michael Rogers said he was also worried about data manipulation and potential offensive cyber threats posed by non-nation-state actors such as Islamic State.

The U.S. government said last week a December blackout in Ukraine that affected 225,000 customers was the result of a cyber attack, supporting what most security researchers had already concluded.

Some private researchers have linked the incident to a Russian hacking group known as “Sandworm.”

(Reporting by Dustin Volz; Editing by Jeffrey Benkoe)