The following synopsis are paraphrased and anonymized for the protection of the utilities and their customers. These are real attacks that have happened since 2016 that were either reported or known to companies like us. The list has been kept to just 10. With these real-life examples, we have tried to show the type and size of utility does not matter. This can happen to any utility.
CUSTOMERS CHARGED FOR DIALING UTILITY’S CUSTOMER SERVICE:
The IP-based phone system of a Rural Electric Cooperative was hacked. The hackers programmed the IP based phone system such that every time a Co-op customer called the customer service lines, the phone system would call a 1-900 number charging the Co-op customer. This continued for 3 months until the local authorities figured it out and the Co-op fixed the issue. The Co-op had no clue they had been compromised.
FAKE TAX RETURNS FILED AFTER CITY’S W-2 FORMS HACKED: Municipality that has utilities, was hacked early in a year. The hackers got employee W-2 forms data out of their system. The hacker then filed false tax returns on behalf of the employees. The hack was not realized until the employees tried filing their own returns and the IRS told them their returns had already been filed. After this happened to several employees, it was discovered that this Municipality had been hacked and what was taken. The Municipality had no idea they had been hacked until a few months after the attack.
UNKNOWN CONNECTION TO RUSSIA FROM A NEW HVAC SYSTEM A Rural Electric Cooperative (Co-op) had just installed a new HVAC system at their Co-op. This Co-op has a sharp IT group and they noticed new outbound communications to an unknown IP address. They traced the activity back to the HVAC system and the IP address to Russia. They contacted the HVAC contractor who then contacted the manufacturer. The manufacturer was able to fix the issue. It appears that nothing was actually taken from the Co-op.
COMPROMISED INTERACTIVE VOICE RESPONSE (IVR) SYSTEM: A very large Municipality who provides power had their Interactive Voice Response system (IVR) hacked. Through the IVR, the hackers were able to get into databases at the Municipality and steal customer records. While this breach was reported, the details about it were squelched.
ATTACK AGAINST A SMALL MUNICIPAL UTILITY’S ADVANCED METERING INFRASTRUCTURE (AMI) SERVER: The city administrator for a small municipality stated that their AMI smart meter system has been a target of hackers. It all began with brute-force login attempts on the external interface of its AMI server. That was followed by outbound SSH connections and IRC traffic to IP addresses in China. According to the city official, they stated that it did not appear that anyone’s identity had been stolen.
UNSECURED AUTOMATIC METER READING (AMR) SYSTEM COST MUNICIPALITY OVER $2,000,000:
A Municipality was hacked via their Automatic Meter Reading (AMR) system. The hacker took over half of their customer records. This municipality several months earlier had decided not to deploy cybersecurity that would have cost them around $110,000.00 to install. Instead they had to pay over $2,000,000.00 to fix the hack. Several key managers and officials lost their jobs over this hack.
RURAL ELECTRIC COOPERATIVE KNOCKED OFF-LINE DUE TO CYBERATTACK ON CABLE TV COMPANY: A Rural Electric Cooperative (Co-op) contracted with a cellular company to use their cellular system as the communication network for their AMI, SCADA and cellular service to their field workforce. Unknown to the Co-op, that amount of data was taxing the cellular system so the cellular company contracted the backhaul to the local cable company (CATV). Thus, the communication path started cellular, jumped over to the CATV system and then back to cellular at the Co-op (without getting too technical). The CATV company was hit with a Distributed Denial of Service (DDoS) attack, which shut down the CATV communications. With the CATV communications out, the cellular service had an incomplete path so the Co-op lost communications with their AMI, their substations (SCADA) and their field forces. The attack on the CATV company knocked them off-line as well as the local Co-op.
JOINT ACTION AGENCY (JAA) HIT WITH TRICKY MALWARE: A power provider to a group of electric utilities had their VPN credentials duplicated. The issue presented itself as Malware that was writing to their servers’ hard drives and filling them. The JAA thought they had the issue fixed but it reappeared the next morning. The compromise persisted through several remediation attempts. The JAA contacted their cybersecurity monitoring vendor who did a deep dive into their cybersecurity and network logs and found nothing unusual. This vendor concluded that legitimate VPN credentials had been stolen and were being used. The vendor suggested the JAA change all the VPN user names and passwords thinking that would stop the issue. The issue stopped and the JAA implemented a new policy regarding VPNs. With help of their cybersecurity vendor, the JAA found that someone was using a legit log-in VPN id and password to access the system and put malware on the system daily.
WATER UTILITY HIT BY RANSOMWARE RE-BUILDING SYSTEMS: A water utility serving about 150,000 people was hit by a Trojan malware just after the massive destruction from Hurricane Florence. The IT department thought they had resolved the compromise, not knowing it was a delayed-action attack. Nine days after discovery, the Trojan deployed ransomware which encrypted files on anything connected to the network. The utility experienced capability degradation, as workers had to handle their work manually. The attacker demanded ransom, but the water utility decided not to pay the ransom. Instead, they rebuilt their databases and systems. Thankfully, the customer data was not compromised, and it did not affect the safety of the water supply.
MAJOR SOUTHERN MUNICIPAL CRIPPLED BY RANSOMWARE: One of the most recent Ransomeware attacks targeted a major Southern US City. The ransomware took down their police in-car terminals, the water billing, the real estate system, the court payments system and more. They were advised not to pay the $75,000.00 ransom since normally you have a 33% chance of getting a good key to unlock the files. “Experts” have been working to get all the systems back on-line and fixed. After 4 months and over $20,000,000.00 spent, they are still not totally back on-line. This city had a Vulnerability Assessment (VA) done and decided to wait a few years to implement all the VA recommendations, due to cost. This has proven to be a bad decision.