Reports of high profile cyber attacks on banks, insurance companies, large retailers, the military, and more are all over the media. In response, these institutions have dedicated great resources to harden their cyber defenses. While still targets, these major institutions are increasingly difficult to penetrate. So where are hackers turning their sights?
On softer, more malleable targets. Targets that have a large attack surface, the perceived ability to pay ransom, and are managed by officials fearful of community disruption and embarrassment if their databases are compromised. Which organizations carry this profile? Public power utilities and their associated municipality.
What is the Attack Surface?
The Attack Surface represents the exposure points for an entity. The diagram below helps to illustrate the many ways and places an attack can occur.
A growing attack surface associated with new technologies and persistent attack threats makes utilities vulnerable.
The large Attack Surface coupled with the fact that a majority of municipal utilities have fewer resources to protect their systems make them a hot target. Moreover, many of the smaller utilities may have become complacent, assuming they are too small to attract a cyber criminal’s attention, or have difficulty mustering the manpower for self-defense. Yet, if one follows the press closely, one will see a multitude of smaller utilities being targeted today. It does not matter what services they offer: electric, gas, water, or a combination. All are targets.
What Does an Attack Look Like, and What Happens?
The typical Chronology of an Attack:
After an attack, if someone is holding your data for ransom, you face a hard choice: pay the criminals or pay to rebuild the system. In a recent case, a municipal utility had its information system seized and the hackers presented two options: pay hundreds of thousands of dollars in ransom or spend more than $1 million in new software, computers, and setup. A devil’s choice, to say the least.
Governments and business alike are being targeted this way by the thousands. Virtually every municipal utility official knows of someone near to them who has been hit.
Types of Cyber Attacks
- Phishing – Phishing is the practice of sending a communication by e-mail, telephone, or text message that appears to come from a reputable source but is not. The goal is to entice an individual to send sensitive information or to install malware on a target computer. Phishing is the number one threat today.
- Malware – Malware is a word used to describe a variety of malicious software. This includes viruses, spyware, ransomware, and worms. Malware enters through a network vulnerability point. Most often this happens when a user clicks on a dangerous link or email attachment that installs the malicious software. Once inside the system, the malware can block access to vital network elements or information and hold them for ransom (ransomware). It can install additional suspect software. It can covertly obtain information by transmitting data from a hard drive or network drive (spyware), or it can compromise certain components and render a system inoperable.
- Man-in-the-Middle – These attacks are sometimes referred to as “eavesdropping attacks.” They occur when an infiltrator inserts themselves into the middle of a two-party transaction. Once the communications traffic is intercepted, they can sift the data for sensitive information and records. For example, an attacker on a Wi-Fi network can place themselves between a visitor’s device and the network, so that the visitor’s device passes its information through the infiltrator. Another example can occur after malware has already breached a computer or network: the assailant may then install software to scan for and steal a victim’s data.
- Denial-of-Service – This type of attack floods a system, its servers, and its network with massive traffic. This exhausts resources and bandwidth. As a result, the system is unable to serve legitimate traffic. The services that can be affected include email, websites, online accounts, and other services that rely on the affected computer or network.
- SQL Database Injection – SQL stands for ‘Structured Query Language.’ It is used to communicate with computer and network databases. This type of attack inserts malicious code into a server that uses an SQL-type database, which can cause the server to reveal information it normally would not. An attacker could carry out a SQL injection simply by submitting malicious code in a vulnerable website’s search box. It can be used to attack data-driven applications, in which a statement is inserted into an entry field for execution (e.g. to dump the database contents). This technique exploits a flaw in how the application handles user input.
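As an added illustration (not from the original article or any named vendor), the following Python snippet contrasts a search function that concatenates user input into its SQL text with one that uses a parameterized query. The table name, the in-memory SQLite database, and the customer rows are all constructed for this example; the point is to show why the same search-box input dumps every record in one case and nothing in the other, and to show a simple input check a utility’s web portal could log on as an early warning.

```python
import re
import sqlite3

# Constructed sample data: a small customer-accounts table that a
# hypothetical utility web portal might expose through a search box.
SAMPLE_ROWS = [
    ("1001", "Alice Example", "12 Main St"),
    ("1002", "Bob Example", "34 Elm St"),
    ("1003", "Carol Example", "56 Oak St"),
]

# Account numbers in this example are purely numeric; anything else is
# rejected before it reaches the database (defense in depth, not a
# replacement for parameterized queries).
ACCOUNT_NO_PATTERN = re.compile(r"^[0-9]{4}$")


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (account_no TEXT, name TEXT, address TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_vulnerable(conn, account_no):
    """The flaw described above: user input is pasted into the SQL text,
    so input containing quotes and operators changes the query's meaning."""
    query = (
        "SELECT account_no, name FROM accounts "
        f"WHERE account_no = '{account_no}'"
    )
    return conn.execute(query).fetchall()


def search_safe(conn, account_no):
    """Hardened form: the value travels as a bound parameter, separate from
    the SQL text, so it can only ever be compared as data."""
    return conn.execute(
        "SELECT account_no, name FROM accounts WHERE account_no = ?",
        (account_no,),
    ).fetchall()


def validate_account_no(account_no):
    """Allow-list check on the search-box input. A rejected value is a
    useful signal for the utility's logs: legitimate customers never send
    quotes or SQL keywords in an account number."""
    return bool(ACCOUNT_NO_PATTERN.match(account_no))


def compare(account_no):
    """Run the same input through both search functions and report how
    many rows each returns, plus whether the input passes validation."""
    conn = build_db()
    try:
        return {
            "valid_input": validate_account_no(account_no),
            "vulnerable_rows": len(search_vulnerable(conn, account_no)),
            "safe_rows": len(search_safe(conn, account_no)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal lookup behaves the same either way.
    print("normal lookup:", compare("1001"))
    # The classic "dump the table" input described in the article: the
    # vulnerable function returns every customer; the safe one returns none.
    print("injected input:", compare("' OR '1'='1"))
```

The input-validation step is deliberately separate from the parameterized query: the query is the actual fix, while the allow-list check gives operations staff something to alert on when someone starts probing the search box.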
Other types of attacks include “zero-day” attacks, where an attack is launched the same day a vulnerability is found, and Trojan Horses, which look like useful, helpful software and appear routine. For example, a popup window may appear to be one’s own antivirus software saying an action must be taken. Other types include brute-force or birthday attacks, password attacks, eavesdropping attacks, cross-site scripting, and more.
Is the Utility Industry Really a Target?
According to the results of a 2017 study by AIG, the answer is yes:
The Power and Energy field is high on the list. Over the last several years, the number of Utilities being hit has been steadily increasing.
Earlier this year, The Hill reported that “Cybersecurity risks to utilities’ systems increased in 2018, with more intrusions into those networks and malware that infected those systems.”
As reported in a July 2019 article in Security Boulevard entitled Local Governments Targeted by Global Cybercrime Syndicates, cyber criminals are now focused on city and regional governments:
“The large amounts of sensitive data handled by local governments make them a valuable target. Cybercriminals also know that local governments and their residents can’t afford to let critical systems remain shut down in the event of a ransomware attack. Courts, transportation, public utilities, traffic, social services – all come under the local umbrella.”
In a recent Electric Light & Power article entitled How vulnerable is the U.S. electric grid this summer, the authors say, “The short answer to the question in the title is that every sector of the U.S. electric grid should not worry about a major attack this summer. They should be prepared for one occurring any time.” They explained the best course of action is:
“implementing cybersecurity programs with technical and administrative controls supported by management buy-in, periodic site-specific risk assessments, basic cyber hygiene, backup and disaster recovery plans, cyber incident remediation plans, change management, cyber incident insurance, and training for personnel. On the technical side, preparations include defense-in-depth architectures including ISA/IEC 62443, ICS aware firewalls, network monitoring and visibility, and patch management.”
In a July 2019 interview on National Public Radio, Richard Clarke, former U.S. counterterrorism coordinator and co-author of The Fifth Domain: Defending our Country, our Companies, and Ourselves in the Age of Cyber Threat, said:
The companies that are resilient spend more money on it and have a better governance model so that the guy in charge or the gal in charge reports to a much higher-level official. They’re not buried in the bureaucracy of the company. And in terms of just a raw metric, the good companies – the companies that are successful at this – are spending 8% to 10% of their IT budget securing their networks. There are banks in New York that are employing thousands of people and spending hundreds of millions of dollars each year.
With Utilities like Mine as Targets, What Can I Do?
Don’t be idle. Accept that your utility’s networks and information systems represent a target-rich environment but understand that cyber safety is within your reach. Make sure someone on your staff is actively working on cybersecurity and reports to senior management. Work hard to allocate sufficient cyber funding. Work with your Municipality for an overall end-to-end cyber security program. And turn to experts that understand both utility cyber vulnerabilities and the structure of public power.
Hometown Connections can help. We partner with some of the best cybersecurity providers in the public power space. This includes Utility Security Consulting by AESI-US, Inc. and Utility Cyber Liability Insurance by Marsh Wortham Power Gen Insurance. These partners can provide critical threat mitigation. For those who have questions, please get in touch.
For more information, send an email to firstname.lastname@example.org.