As tensions between the United States and Iran rise, observers say the Middle Eastern nation is likely considering a reprisal attack on critical domestic infrastructure — putting the utility sector square in the "crosshairs" of an international conflict.
The United States military last week killed Iran Maj. Gen. Qasem Soleimani with a drone strike, heightening tensions in the region. Cybersecurity experts say Iran wants to avoid a "shooting war" and over the years has developed its cyber capabilities to the point where an attack on several sectors is possible.
"The two most likely types of responses are an overseas terrorist attack or a domestic cyberattack. I think a domestic cyberattack is the most likely of all scenarios," Jamil Jaffer, vice president for strategy and partnerships at IronNet Cybersecurity, told Utility Dive.
Jaffer said Iran has for years been probing and studying several sectors, including the electric sector, oil and gas, financial services, healthcare and government.
"We know Iran has the capabilities to deliver destructive attacks. They have a strong set of capabilities," Jaffer said. "They are now very much a top-tier threat."
Iran's capabilities are not equal to the U.S. or Russia but are more along the lines of North Korea, according to experts. And the country has a history of taking action.
In 2016, Iran executed a cyberattack on a New York dam. Before that, in 2014, the nation levied a cyberattack on the Las Vegas Sands casino.
"There is ample evidence to suggest that Iranian-sponsored actors have invested considerable time and effort over the past several years to infiltrate the computer systems that control the critical infrastructure of the United States and its allies," PAS Global COO Mark Carrigan said in an email. "At some time these actors may leverage a successful infiltration to launch a cyber attack."
Richard Henderson, head of global threat intelligence at cybersecurity firm Lastline, said it is "almost a foregone conclusion that we will now see retaliatory cyber attacks on U.S. assets by Iran."
Industrial control systems (ICS), which help manage the electric grid's flow of power, were identified as a potential weakness in a September assessment from the U.S. Government Accountability Office. An ICS attack was the cause of a major 2015 blackout in Ukraine, and experts say growing digital networks will exacerbate that risk.
Any organization with substantial ICS infrastructure "should be on high alert now for potential attacks," Henderson said. "Heavy industry, oil and gas, electrical generation and the attached grid infrastructure, as well as other critical infrastructure, are all caught in the crosshairs as of this moment."
That said, Iran is likely to be cautious with its response.
"If Iran were to conduct a significantly crippling attack, you can imagine the response would be overwhelming," said Jaffer. "They would lose and it's not close. Iran knows that, and they don't want to engage in a shooting war with the U.S."
For that reason, experts say Iran may not target ICS and supervisory control and data acquisition systems directly; Henderson believes hackers may go after more traditional IT infrastructure.
"It would behoove organizations to send out immediate alerts to all employees to be extra vigilant in the coming weeks and months," Henderson said. "Iran has some very skilled and talented hackers, and they've made it clear many times in the past that they are not afraid to flex those muscles."
Utilities on high alert
Since the announcement of the U.S. targeted killing, top federal regulators and utilities have assured the public they're keeping tabs on possible grid threats and activity.
The Federal Energy Regulatory Commission (FERC) is working with the U.S. Department of Energy and the U.S. Department of Homeland Security to follow the situation.
"Ensuring the security of our nation’s facilities is a critical priority for FERC, particularly with rising global tensions," FERC Chairman Neil Chatterjee said in a statement. The commission "is monitoring the situation with Iran and we are in close coordination with our partners."
Meanwhile, several utility groups affirmed they will be working closely with the Electricity Subsector Coordinating Council (ESCC), the key link between the federal government and the electric industry.
"While there is no specific threat to electricity infrastructure at this time, given Iranian capabilities and the potential for retaliation, the electric power industry is closely coordinating across the industry," Scott Aaronson, vice president for security and preparedness for the Edison Electric Institute (EEI), said in a statement. The group, which represents investor-owned utilities (IOUs), also works with ESCC "to ensure vigilance and the ability to respond quickly should the situation evolve."
The American Public Power Association (APPA), which represents publicly-owned utilities, also said it is in close contact with the ESCC. "We are monitoring this situation and staying in close communication with our industry and government partners," the group said in a statement.
EEI is constantly sharing information to mitigate or thwart attacks, according to an official. Information sharing is a key way utilities monitor and protect themselves from cyberattacks, and that sharing extends beyond energy companies.
"There are strong benefits to engaging in collective defense efforts across the utility industry and with other critical sectors like financial services, oil and gas, healthcare, and the government," Jaffer said.
Jaffer helped to write the original draft of the Cybersecurity Information Sharing Act, which was enacted in 2015 to improve security by facilitating collaboration between industry and the federal government.
"Sharing information in real-time and at machine-speed can allow companies of all sizes to identify new and unknown threats that might have gone unnoticed in a single environment," Jaffer said. He added this is vital because of differences in resources.
"In no other context other than cyber do we expect private companies, big and small, to defend against nation state attacks," he said. "Iran has nearly-unlimited resources compared with an IOU or public power utility."
All utilities must maintain minimum security standards set by the North American Electric Reliability Corporation (NERC). "Security threats are not new to our industry," NERC CEO and President Jim Robb told Utility Dive in a statement. "Adversaries continue to look for ways to exploit our interconnected system."
NERC and its Electricity Information Sharing and Analysis Center "remain engaged with industry and our government stakeholders to monitor the unfolding situation with Iran and share actionable information and insights," he said.
However, some cybersecurity experts expressed concern that smaller power providers lack the resources to be as well-defended as larger utilities.
"The IOUs have more human capital and financial resources to spend on cyber defense and, as a result, while they might be more prominent potential targets, they are also quite defended," Jaffer said.