Collective Defense: How Public Power Is Managing Increased Cyber Risk

Several years ago, the superintendent of a small public power utility in the Midwest was going through a usual routine of catching up on emails. He clicked on an email about invoices, and before he could take in all the information about the email, his screen went red. The utility was soon locked out of its accounting and billing systems, and an attacker was demanding $300 for the utility to regain access to its data.

Fortunately, the utility had backups of all its data on tapes stored in a fireproof vault and did not suffer any data loss or compromise from the incident. Plus, the technology related to system operations was not accessible from remote locations, and it was distinct from the utility’s information technology systems, so there were no service or operational interruptions as a result of the event.

However, fully restoring the data took five business days, and the incident caused extra work for the utility staff, including working with the Federal Bureau of Investigation, Department of Homeland Security, and several state-level agencies to try to determine where the attack originated.

“It was a warning shot fired across the bow,” said the utility’s current superintendent in an interview. (The utility requested to remain anonymous in this article.)

He mentioned that while the measures that had been in place saved the utility and its customers from a more serious outcome, the event spurred the utility to become more proactive on cybersecurity and in replacing equipment more frequently.

The wake-up call came at a time when ransomware was less sophisticated — the malware attached to the email merely encrypted the utility servers, but the attackers did not actually access utility information or customer data.

Now, attackers are often trying to access sensitive company information and customer data to demand higher ransoms. Even though experts recommend that victims do not pay ransoms to cyber criminals, a report from the Institute for Security and Technology estimated that victims of ransomware paid an average of $312,000 in 2020, and that overall these payments were up four-fold from 2019, with victims shelling out about $350 million total.

Attackers also took advantage of the increased usage of and rapid switch to remote connections during the COVID-19 pandemic, with reports from various security software estimating anywhere from more than double to five times the number of ransomware attacks in 2020 compared to 2019.

Nick Lawler, general manager of the Littleton Electric Light and Water Departments in Massachusetts, stressed the need for utility leaders to take this increased threat to heart. He noted that while utility leaders are often aware of cyber threats in the aggregate, it can be easy to backburner cyber risk management while focusing on solving more immediate, tangible problems for the utility.

“It’s really a cultural change in how we perceive threats to our industry,” said Lawler, who believes cultural change and appreciation of the risk of cyber threats needs to come from the top.

As the Midwestern utility that faced the ransomware attack years ago can attest, any utility or organization can be attacked.

“The larger or more sophisticated a utility is, the more exposed it is to different types of attack, but being smaller doesn’t mean you aren’t a target,” Lawler said. “People talk about not having SCADA systems or systems that control their distribution equipment, but it doesn’t need to be a sophisticated attack. A ransomware attack can happen to anybody.”

He noted how recent attacks on other types of critical infrastructure systems have drawn national attention. Even a minor but successful attack on a small system could bring a flood of questions from national news outlets.

“We want to be in the papers to show why we’re relevant and why public power is great for the community we serve — and being in there for a negative reason does not help our cause,” noted Lawler.

A real threat

Lawler recalled how the attack on Ukraine’s electric grid at the end of 2015 made the threat of a cyberattack feel “real” to many electric utilities — and it hit home how simple changes, like strengthening passwords, can make a difference.

Lawler offered a number of steps that utilities can take to keep their cyber risk management programs up to date, such as training and testing employees to spot and avoid phishing attempts; assessing infrastructure for any vulnerabilities; and sharing information with utility peers.

The Midwestern utility that experienced the ransomware attack took several similar steps. When the utility’s current superintendent came into his role (a few years after the attack), he enrolled the utility in a service that sends simulated phishing emails to employees. He didn’t tell any of the employees about the service, and he was pleased that after the first email went out — which was meant to look like it came from the superintendent — he received a few calls from employees asking if the email was legitimate.

He also said that making moves to simplify and update the utility’s servers and software programs has helped reduce the amount of spam employees receive, making it easier for employees to assess for potential threats.

“It’s really easy, if you’re 40 emails behind, to not look at who sent it before opening,” he said.

Investing in defense

Even for a small utility, getting information technology updated can mean a big expense.

Previously, the Midwestern utility had been using computers and other equipment for business needs that were a bit out of date. After the cyberattack, it switched from a part-time IT provider to a full-service vendor.

“It was a rude awakening in how much money you have to invest in this,” recalled the superintendent.

He said that the first two years of transitioning to the new vendor and approach were expensive, largely due to the volume of equipment that needed to be replaced right away.

“It was not just to have the newest, latest thing; it was because some of the older devices weren’t properly supported anymore,” said the superintendent.

He noted that the utility previously took a “least cost” approach, which means it had gotten behind the curve on where it should have been.

“Once we got there, it was just a matter of keeping the ball moving down the road,” he said. He estimates that the utility now spends about five times the annual budget on IT that it did before the attack. The added cost comes not only from equipment and enhanced services, but also from increased prices over time.

“It’s one of those expenses that 15 years ago wasn’t a big thing, but now it’s a lot of money. But it is a cheap defense … if it prevents something from happening, [it is] still cheaper than what it would cost if you were compromised.”

The utility now benefits from getting more information in real time about threats or necessary updates, as well as more redundancy in data backup.

Even with all the enhancements on the back end, the superintendent stressed that investing in people to know how to remain vigilant is key.

“If [a phishing email] made it through the firewalls, through that screening process … they are the last line of defense before it gets opened,” he said, crediting his staff for being diligent at taking a careful look at emails before opening them.

Lawler echoed the sentiment about staff training and shared that his utility uses a similar third-party service to simulate phishing emails as a way to test employees. He said that when the utility first started running the tests, a handful of employees would routinely fail. Now, several years later, he can’t recall the last time there was a fail. And the service changes up its approaches to mimic the latest tactics used by hackers.

Staying informed

Staying ahead of threats is also about continual learning and connection.

Both Lawler and the Midwestern utility’s superintendent receive alerts from the Electricity Information Sharing and Analysis Center and the Multi-State Information Sharing and Analysis Center.

The superintendent also participated in cybersecurity training through the American Public Power Association’s Academy. “For those of us [for whom] IT is not our specialty, it is good to have the training that can bring it down to our level,” he said. “I could take it back and feed it to our IT company to make sure we were meeting some specific requirements.”

Lawler takes part in APPA’s Cybersecurity Defense Community, which he said offers public power professionals opportunities to collaborate on cybersecurity challenges and discuss related topics of interest.

Even outside of the community, Lawler pointed out that there are additional opportunities for public power utilities to coordinate to avoid getting overwhelmed while managing cyber risk. “Any policy I create could be tweaked and utilized across other systems,” he said. “If we work together, it’s not that big of a lift, but if we try and do it all by ourselves, then it is.”

Lawler also stressed the importance of maintaining good relationships with local law enforcement and emergency personnel.

“The better the connections, the better prepared you will be to handle an event after it happens — whether that’s after a hurricane or another event,” said Lawler. He shared how, in Massachusetts, a state agency holds briefings and mock events that allow utility leaders and others to get a view into what kind of threats other agencies are seeing and how they are mitigating various cyber risks. 

As for the utility that previously experienced the ransomware attack, the superintendent remains cautiously optimistic.

“I feel good where we are now, but I don’t ever feel 100% safe,” he said.


Increase your cyber know-how

The American Public Power Association has several guides to help public power utilities create and enhance their cyber risk management programs.