Persistent cyber threats are creating a critical challenge to America’s power grid.
Last year, utilities saw thousands of suspicious cyber events every day, according to a report published in August 2021 by the North American Electric Reliability Corporation (NERC).
Ransomware attacks jumped 170%, supply chain issues rose 118%, vulnerability issues climbed 156%, and suspicious activity rose 111%, according to NERC, which oversees mandatory reliability standards for bulk power system providers in the U.S. and Canada. Vulnerabilities and cybersecurity concerns that vendors registered at the portal of E-ISAC (the Electricity Information Sharing and Analysis Center) also jumped 96%.
“The types of threats that we’re seeing, the persistence of the threats, number of attack vectors, the more distributed nature of the system that increase the attack vectors—all of those have increased,” John Moura, director of reliability assessment and performance analysis at NERC, told reporters at a briefing last week. “Unlike other risks, these are more difficult to manage because we’re talking about threat actors.” The surge in remote working caused by the pandemic enlarged the attack surface that utilities present to hackers during 2020 and created a backdrop for the surge in both cyber incidents and anxiety in the industry. In addition, while hackers used familiar strategies, like phishing, malware, and ransomware, they increasingly targeted supply chains, said NERC, citing the SolarWinds supply chain breach as an illustration of the “extraordinary capability and persistence of adversaries.”
The watchdog’s findings are ominous for the future of the utility industry. In May, hackers amply demonstrated their prowess in breaching energy companies with the Colonial Pipeline ransomware attack. And with only a few months left in 2021, the attack surface of utilities remains enlarged with no sign of diminishing, thanks to ongoing remote work.
Among the cyber incidents registered by utilities in 2020, certain trends and types of attack caught the eye of NERC. According to the report, ransomware is shifting from generic phishing campaigns to a search for “higher value targets” like third-party organizations, such as managed service providers, whose compromise gives the attacker access to every customer downstream. For an example of this type of breach, look no further than the supply chain attack on U.S.-based software firm Kaseya in July.
Ransom distributed denial-of-service (RDDoS) attacks also rang alarm bells. According to NERC, hackers last year targeted thousands of organizations globally, demanding bitcoin payments to prevent a DDoS. While utilities were able to mitigate the effect of the assault, the “pervasiveness and potential impact” of the attack were a concern, NERC said.
Critical vulnerabilities were another worry. Companies have become increasingly dependent on network security products, such as perimeter firewalls and virtual private network (VPN) appliances, to support remote working. As these appliances have become widespread, so too have vulnerabilities in them, and because they sit on the internet-facing edge, a single unpatched flaw can give an attacker a path into the very systems the appliance was meant to protect. That makes appliance firmware a patching priority on par with servers and workstations, not an afterthought.
While it’s easy to be alarmed at the inroads hackers have made in the utility industry, the vulnerabilities that cybercriminals are trying to exploit—like weaknesses in cyber hygiene and lack of visibility over supply chains—are familiar ones and can be addressed.
NERC stresses the need to review and improve cyber hygiene strategies. Ideally, this means ensuring that software is up-to-date, patch management operations are responsive and timely, internet-facing devices are correctly configured, admin rights are strictly controlled, passwords are strong and regularly updated, and a policy of zero trust is implemented for network access. Platforms like Tanium’s can help utility companies of all sizes monitor endpoints and keep up with the devices and software that have proliferated in a remote workforce.
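The hygiene checks just listed, and the appliance-vulnerability concern raised earlier, are the kind of thing an endpoint inventory can test mechanically. The following audit script is an added example written for this page; it is not code from the article, from NERC or from Tanium. It runs over a small constructed inventory and flags stale patches, internet-facing appliances running firmware below a minimum version, exposed devices still on default configuration, and local admin rights granted outside an approved list. The appliance product names (`edge-vpn`, `perimeter-fw`), the minimum firmware versions, the 30-day patch window, the admin allow-list and every host record are assumptions made up for illustration.

```python
"""Endpoint and perimeter-appliance hygiene audit over a constructed inventory.

Added example for this page (not NERC's or Tanium's code). Every record,
version threshold and allow-list below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 30                           # assumption: older than this is "stale"
APPROVED_ADMINS = {"svc-patch", "ops-admin"}     # constructed allow-list of admin accounts

# Constructed minimum-safe firmware per appliance family (hypothetical product
# names; in practice this table comes from vendor advisories).
MIN_FIRMWARE = {"edge-vpn": (9, 1, 4), "perimeter-fw": (7, 0, 2)}


@dataclass
class Asset:
    hostname: str
    kind: str                       # "workstation", "server", "edge-vpn", "perimeter-fw"
    last_patched: date
    firmware: str = ""              # "major.minor.patch" for appliances, empty otherwise
    internet_facing: bool = False
    default_config: bool = False    # default credentials or management UI on the WAN side
    local_admins: set = field(default_factory=set)


def parse_version(version):
    """Turn '9.1.2' into (9, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit(assets, today):
    """Return (hostname, issue, severity) findings; internet-facing assets rank 'high'."""
    findings = []
    for asset in assets:
        severity = "high" if asset.internet_facing else "medium"
        issues = []
        if today - asset.last_patched > timedelta(days=PATCH_WINDOW_DAYS):
            issues.append("stale-patch")
        minimum = MIN_FIRMWARE.get(asset.kind)
        if minimum and asset.firmware and parse_version(asset.firmware) < minimum:
            issues.append("vulnerable-firmware")
        if asset.internet_facing and asset.default_config:
            issues.append("default-config-exposed")
        unapproved = asset.local_admins - APPROVED_ADMINS
        if unapproved:
            issues.append("unapproved-admin:" + ",".join(sorted(unapproved)))
        findings.extend((asset.hostname, issue, severity) for issue in issues)
    # Stable sort keeps per-host order while pulling internet-facing findings to the top.
    return sorted(findings, key=lambda f: f[2] != "high")


def run_example():
    """Audit a constructed four-host inventory as of a fixed date."""
    today = date(2021, 9, 1)
    inventory = [
        Asset("vpn-edge-01", "edge-vpn", date(2021, 5, 10), firmware="9.1.2",
              internet_facing=True),
        Asset("fw-dmz-01", "perimeter-fw", date(2021, 8, 20), firmware="7.0.2",
              internet_facing=True, default_config=True),
        Asset("ws-eng-042", "workstation", date(2021, 8, 25),
              local_admins={"ops-admin", "jdoe"}),
        Asset("srv-hist-01", "server", date(2021, 8, 28)),
    ]
    return audit(inventory, today)


if __name__ == "__main__":
    for hostname, issue, severity in run_example():
        print(f"{severity:6} {hostname:12} {issue}")
```

The point of the ordering is triage: the two edge appliances carry the only findings an outside attacker can reach directly, so they surface first, while the workstation's extra local admin is reported but queued behind them. A real deployment would feed the `inventory` list from the endpoint-management platform rather than hard-coding it.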
NERC emphasizes the ongoing need for employees to be vigilant about spear phishing. The watchdog also says security teams must be alert to attempts by hackers to recruit their employees and vendors as insiders. Utilities should thoroughly assess turnkey contracts, which are common in the sector and can remain a security risk throughout the entire lifecycle of the infrastructure they deliver.
A key defense for the utility industry as a whole is sharing information in real time to alert potential targets about threats. Fortunately, the industry is responding—even smaller utilities, which fall outside the watchdog’s purview. Based on the ongoing feedback it’s getting, E-ISAC is starting to pilot projects aimed at enhancing visibility in key operational technology systems, as well as in IT networks.
A piece of good news from NERC’s report is that none of the cyber incidents last year resulted in a loss of load on the nation’s grid. However, the surge in hacker attacks on security perimeters, combined with the enlarged remote networks that utilities will be running for the foreseeable future, means that NERC’s findings are a wake-up call the industry cannot ignore.