The past year has seen a rise in the number of cyber attacks on utilities around the world. Most recently, more than a dozen utilities in the United States were hit by a phishing email attack that targeted critical infrastructure in their vicinity.
According to a recent report by the Wall Street Journal, these attacks, which were exposed by a cybersecurity company in August, are ongoing and under investigation by the FBI. The report indicates that while the targeted utilities are relatively small, they are located near dams, locks and other critical infrastructure.
The objective of the cyber attack was for hackers to gain the ability to control employee computers and steal information. In order to achieve this, the hackers sent phishing emails to the employees to get them to install malware onto the utility’s computers.
As part of the investigation, the FBI helped the targeted electricity providers scan their computer networks to see if their firewalls had been probed. They also examined whether emails containing malware had been sent to their employees.
The utilities targeted were located in 18 states, spread around the country. They include Cloverland Electric Cooperative in Michigan, Klickitat Public Utility District in Washington, and Basin Electric Power Cooperative in North Dakota.
Each of the identified utilities was located next to critical infrastructure whose compromise would have had devastating consequences. For example, the Michigan utility is near the Sault Ste. Marie Locks, an important point in iron ore transportation to U.S. steel mills. Similarly, the Washington utility is situated by both major federal dams and transmission lines that funnel hydroelectricity to California.
Some believe utilities are not watching their networks closely enough to protect them from such attacks. Pete Tseronis is the former chief technology officer for the U.S. Department of Energy and Department of Education. At an October meeting convened by the Control System Cyber Security Association International in Washington, D.C., Tseronis said the cybersecurity risk facing control systems for electricity, water or public transit is often higher than that of fully digital systems operated by local governments.
“What’s in it for [chief information officers and CTOs] is that this is about mitigating risk to somebody’s life, whether they’re in a car, drinking water or in a pool,” Tseronis said. “…Know what’s in your environment, what you support, and just because it works, just because the light switch is on, doesn’t mean it’s the safest and most eloquent way of providing electricity.”
Dave Jordan, the former chief information security officer of Arlington County, Virginia, was also critical of the way utilities often handle cybersecurity. He said agency officials are often more concerned with service delivery than cybersecurity risk and called for changes to the way security is prioritized.
“Basically, everybody has a cybersecurity component in their job. I don’t care what your job is,” Jordan said. “If everybody thinks about cyber in their work, that’s going to reduce the cost.”
Utilities might be failing to appropriately secure themselves and the critical infrastructure tied to them because they don’t understand their value to hackers.
In 2016, the National Institute of Standards and Technology released a report looking at security fatigue. According to the report, typical computer users experience security fatigue that often leads users to risky computing behavior at work and in their personal lives. Additionally, many participants in the study didn’t understand why they would be targeted by hackers.