As it became clear that the Department of Energy was affected by the ongoing SolarWinds hack, concern grew among industry and government security experts that the nation’s critical infrastructure, including the electric grid, nuclear systems and power plants, might have been compromised.
The DOE formally confirmed the hackers' tentacles had reached into the agency, noting that the malware injected had been isolated to its business networks and hadn't impacted mission-critical national security functions of the National Nuclear Security Administration (NNSA) and other departments.
Nonetheless, security experts warn of the long-term implications of the breach.
“This could be a more concerning situation in which Russia isn’t revealing all their cards to ensure long-term access into networks that house some of our nation’s most sensitive data and potentially to conduct significantly more problematic operations,” said Jamil Jaffer, a former senior counsel to the House Intelligence Committee who currently serves as senior vice president for strategy, partnerships and corporate development at IronNet. He believes the hack is mainly an intelligence collection operation with no evidence that data had been deleted, destroyed, manipulated or modified, but cautioned the U.S. shouldn't drop its guard.
The Nuclear Regulatory Commission (NRC) has been working collaboratively with the Department of Homeland Security (DHS) and CISA to analyze federal assets that potentially could have been involved in the reported incidents, according to a spokesperson. To date, the agency has not identified any breaches or compromises.
DOE said once it identified the vulnerable software, it took immediate action to mitigate the risk and disconnected from its network all software identified as vulnerable to the SolarWinds attack.
While not enough is known about the motivations of the attackers, Tobias Whitney, vice president of energy security solutions at Fortress Information Security, said the government’s response that hackers only hit business systems misses an important point: Once the attackers gain visibility into the IT network via SolarWinds, it gives them a path to the OT network.
“So they can understand protocols, spoof IP addresses and focus attacks on OT-related tools,” Whitney explained. “And if they gain admin, network and ultimately system access, they can start launching attacks on critical infrastructure.”
Whitney said the SolarWinds attack was like the warning shot: “And now it’s our time to respond. I think moving forward we will be able to see these indicators of compromise as they evolve. People will be looking for them now.”
Companies responsible for critical infrastructure should respond by assuming they have been infiltrated and enact their emergency response procedures, beginning with identifying all instances of SolarWinds software and implementing the remediation strategies recommended by the vendor, according to Mark Carrigan, chief operating officer at PAS Global. Even if a company doesn’t run SolarWinds, he said, there are preliminary indicators that other techniques were used to gain access to corporate networks, so companies should assume they have been compromised and respond accordingly.
“Critical infrastructure companies should remain concerned that any information collected by the attackers could be used in the future to launch attacks to disrupt their operations,” Carrigan said. “Once companies have completed their incident response, they should revisit their cybersecurity strategy to address this new threat to their business.”
Just how the U.S. plans to respond remains unclear, as the White House has been mum on the hack, much to the chagrin of leading lawmakers like Sen. Mark Warner, D-Va., and Sen. Mitt Romney, R-Utah.
Warner called for an engaged and public response by the U.S. government, led by a president who understands the significance of the intrusion and can actively marshal a domestic remediation strategy and an international response.
“As we learn about the wider impact of this malign effort – with the potential for wider compromise of critical global technology vendors and their products – it is essential that we see an organized and concerted federal response,” Warner, vice chairman of the Senate Select Committee on Intelligence and co-chair of the Senate Cybersecurity Caucus, said in a statement. “It is extremely troubling that the president does not appear to be acknowledging, much less acting upon, the gravity of this situation.”
But Jaffer, who calls the hack "very good espionage" rather than an "act of war," doesn't believe "a massive retaliatory response is warranted or appropriate." Rather, "we need to both respond in an appropriate manner, as we would to a massive espionage effort and make clear that we would respond much more aggressively to any efforts by Russia to conduct more offensive operations, including data manipulation or destruction."
He's not surprised that the Energy Department took a hit and said the U.S. would infiltrate a rival country's government systems if it could. “If we could access Russia or China’s nuclear programs and information, we would,” Jaffer said. “Therefore, we shouldn’t be surprised that the National Nuclear Security Administration is being added to the no-longer exclusive list of targets that have been compromised via the recent SolarWinds vulnerabilities.”