
Cybersecurity Wake-Up Call: Lessons from an Attack on a Small Utility


Nick Lawler was sitting in his office on a Friday afternoon the week before Thanksgiving 2023 when he got a call that sounded like a scam: the caller said he was from the FBI and that the Littleton Electric Light and Water Department had been identified as one of about 200 critical infrastructure entities targeted by cyber espionage from Volt Typhoon, a hacking network linked to China. Further, the caller was asking Lawler to click on a link sent to his personal email address.

Doing his due diligence, Lawler took down the name of the agent and called the local field office directly. Even after that conversation, Lawler still wasn’t convinced the situation was real. But when Monday morning rolled around, several federal agents — from the FBI and the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency — showed up to his office to start investigating the extent of the breach.

Other than the out-of-the-blue nature of the alert, Lawler’s skepticism stemmed from Littleton being a utility that serves a small town in Massachusetts, doesn’t operate any generating assets, and isn’t part of the bulk electric system. He didn’t understand why such a utility would be a priority for the federal government, or why the government would offer the utility services and resources at no cost.


Fortunately, LELWD had been in the process of installing sensors on its operational technology through a cooperative agreement between the American Public Power Association and the Department of Energy.

Lawler said the sensors had been in place for about a month or two before he got the call about the attack. His first call after the agents left was to Adrienne Lotto, APPA’s senior vice president of grid security, to assess the significance of the situation. The sensors helped LELWD confirm the extent of the malicious activity on the system and pinpoint when and where the attackers were moving on the utility’s networks.

“That’s when it became real for us,” noted Lawler.

He said the partnership with federal officials truly began after seeing the activity logs and having the reality of the situation set in.

Still, getting the partnership in motion didn’t offer immediate peace of mind. DHS officials wanted to continue to monitor the criminal behavior to get more insight into the strategy and tactics being deployed, and this left LELWD’s networks vulnerable for about another month.

Some of the key vulnerabilities for LELWD at the time included a firewall patch that a managed security provider had not applied, a flat network structure that allowed anyone with administrative credentials to reach the entire network, and passwords on key systems that were not regularly updated.

Littleton rebuilt its network from scratch, with help from experts at CISA, to have key aspects isolated from each other.

“As a small utility, we don’t have that type of staff to build that network,” said Lawler. “Everyone we dealt with from DHS and CISA were extremely well versed in the field.”

Now a year later, Lawler gets some reassurance from the updated network architecture, security measures, and continuous monitoring that the event has not resulted in any negative consequences for the utility or the community it serves. But, he said, the incident also underscored that there are always actions utility leaders can take to stay on top of threats.

LELWD worked again with CISA to have it conduct a penetration test and vulnerability scan, which are free services the agency offers to utilities. Lawler said such assessments can help utilities understand what systems and processes need to be shored up or improved — or even to have an idea of where to start and understand where the threats are.

“It is hard to talk about … our issues and vulnerabilities,” said Lawler. “But if we don’t, then we aren’t learning from each other.”

Lawler also advises utility leaders to form relationships with key players who can help, such as representatives from a regional FBI office, before an incident occurs, so they don’t have an experience similar to his.

“We were able to verify them within the week, but if those relationships had already existed, we would have been able to react even quicker,” he added.

Despite the array of free services offered through various federal agencies, Lawler noted the importance of allocating resources to cybersecurity. He advises utilities to start by setting aside funding for a vulnerability assessment, which he said will help to develop the appropriate budget to target the most critical areas.

“Until you know what your risks are, it’s hard to do anything.”

10 Ways to Be More Cybersecure

  1. Maintain an asset inventory.
  2. Segment informational technology and operational technology networks.
  3. Regularly change passwords, including default passwords on key accounts.
  4. Implement a vulnerability management plan.
  5. Employ multifactor authentication for remote access.
  6. Regularly train all employees on cybersecurity.
  7. Sign up to receive alerts from the Electricity Information Sharing and Analysis Center.
  8. Build relationships with state, regional, and national law enforcement.
  9. Sign up for cyber mutual assistance.
  10. Join APPA’s Cybersecurity Defense Community.
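The flat network described earlier in the article, where one set of administrative credentials reached everything, is the condition items 1 and 2 above are meant to remove. The following is an added example, not code from the article, LELWD or APPA: a small Python checker that takes an asset inventory and a zone-level firewall policy and reports, first, assets whose address does not sit in the zone the inventory claims for them, and second, whether corporate IT can reach the OT control zone directly on control and remote-admin ports. The zone names, address ranges, hostnames, port list and both rule sets are constructed for the example; a real check would feed it the utility's own inventory and firewall export.

```python
"""Added example: verify IT/OT segmentation against an asset inventory.

Constructed data throughout; zones, addresses and hosts are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed zone layout: corporate IT, an OT DMZ (historian / jump host),
# and the OT control zone holding field devices.
ZONES = {
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot_control": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed asset inventory: (hostname, address, zone it is supposed to be in).
# The last entry is deliberately wrong: an OT HMI sitting on the IT range.
INVENTORY = [
    ("billing-srv", "10.10.1.5", "corporate_it"),
    ("helpdesk-pc", "10.10.2.40", "corporate_it"),
    ("historian", "10.20.0.10", "ot_dmz"),
    ("substation-rtu", "10.30.0.21", "ot_control"),
    ("scada-hmi", "10.10.3.7", "ot_control"),
]

# Ports a defender cares about between zones (assumed list).
OT_PORTS = {22: "ssh", 502: "modbus", 3389: "rdp", 20000: "dnp3"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None means any port
    action: str              # "allow" or "deny"


# Constructed "flat" policy: every zone pair is wide open.
FLAT_POLICY = [
    Rule("corporate_it", "ot_dmz", None, "allow"),
    Rule("corporate_it", "ot_control", None, "allow"),
    Rule("ot_dmz", "ot_control", None, "allow"),
]

# Constructed segmented policy: IT only reaches the DMZ over HTTPS, and only
# the DMZ talks Modbus into the control zone. Everything else falls through
# to the default deny in is_allowed().
SEGMENTED_POLICY = [
    Rule("corporate_it", "ot_dmz", 443, "allow"),
    Rule("ot_dmz", "ot_control", 502, "allow"),
]


def zone_of(ip: str) -> Optional[str]:
    """Return the zone whose range contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(policy, src_zone: str, dst_zone: str, port: int) -> bool:
    """First matching rule wins; an unmatched flow is denied (default deny)."""
    for rule in policy:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and (rule.dst_port is None or rule.dst_port == port)):
            return rule.action == "allow"
    return False


def inventory_findings(inventory):
    """Assets whose address is not in the zone the inventory declares."""
    findings = []
    for host, ip, declared in inventory:
        actual = zone_of(ip)
        if actual != declared:
            findings.append(
                f"{host} ({ip}) declared {declared} but sits in "
                f"{actual or 'no known zone'}")
    return findings


def segmentation_findings(policy):
    """Direct corporate_it -> ot_control paths on control/admin ports."""
    findings = []
    for port, proto in sorted(OT_PORTS.items()):
        if is_allowed(policy, "corporate_it", "ot_control", port):
            findings.append(f"corporate_it -> ot_control open on {port}/{proto}")
    return findings


if __name__ == "__main__":
    for label, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"[{label}] segmentation:", segmentation_findings(policy) or "ok")
    print("inventory:", inventory_findings(INVENTORY) or "ok")
```

Run against the flat rule set the checker lists every control and admin port as directly reachable from IT; against the segmented set it reports nothing, while the misplaced HMI still shows up as an inventory finding in both cases, which is the point of keeping the inventory and the firewall policy checked together rather than separately.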

Through the Cyber Pathways Program, APPA members can receive cybersecurity training for their staff. Email [email protected] for more information.
