The SolarWinds hack testifies to the rising sophistication of digital threats confronting the North American electric grid. The incident began when malicious actors infiltrated a software update distribution channel used by the IT network management solutions provider for one of its products. The attackers then pushed out a malicious update along that compromised distribution channel to approximately 18,000 of the product’s users. A quarter of electric utilities on the North American power grid were among them, noted VOA News.
Once installed on a machine, the malware contacted its command-and-control (C&C) server, allowing the campaign’s operators to move into their victims’ networks and perform follow-up actions such as installing additional malware payloads. Of the 18,000 victims affected in the incident, nearly 2,000 domains suffered a Sunburst malware infection. A third of those entities were electric utilities and other industrial organizations.
Law enforcement officials and security experts attributed the attack to Nobelium, a threat group sponsored by Russia. Seen in that light, the SolarWinds supply chain attack continues a long history of state-sponsored actors targeting electric utilities and causing blackouts along the way. One of the best-known cases came when state actors believed to be from Russia targeted a Ukrainian substation and shut off power to 225,000 people for several hours, wrote Senate RPC. In the years that followed, digital actors associated with the Russian government targeted a Saudi Arabian petrochemical company and shut off its safety systems, and penetrated multiple critical infrastructure facilities in the United States.
Why Is This a Problem?
Many organizations, along with other critical infrastructure sectors, depend on electric power to operate, noted the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Without it, they might not be able to carry out their business. The ensuing disruption could threaten the host country’s national security and/or damage the global economy.
This possibility emphasizes the need for electric organizations to try to minimize the likelihood of a hack occurring in the first place. Here are some recommendations for how they can do that.
Patch Vulnerabilities on a Timely Basis
When it comes to preying on electric utilities and other organizations, threat actors often choose the path of least resistance. One of the ways they do that is by seeking to weaponize unpatched software vulnerabilities. Those weaknesses aren’t always recent discoveries, either. Many organizations don’t have a robust vulnerability management program in place, and many security teams aren’t prioritizing and remediating bugs. This leaves organizations susceptible to vulnerabilities that are years if not decades old.
To protect themselves against attacks that exploit known vulnerabilities, organizations need to scan their software components for known vulnerabilities and available exploits. They can stay aware of new software flaws by signing up to receive alerts and advisories from CISA. They can also proactively search known-vulnerability databases such as the MITRE Common Vulnerabilities and Exposures (CVE) list for relevant bugs.
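The scan-and-prioritize step above, as an added example that is not from the article or from any vendor: a small Python matcher that checks an inventory of installed components against a set of advisories, flags anything below the fixed version, and ranks the findings by severity and by how long the advisory has been public (the "years if not decades old" bugs the text warns about). The inventory, the hostnames, the product names and the ADV-xxxx advisory identifiers are all constructed placeholders standing in for a real CVE feed.

```python
"""Match installed software components against vulnerability advisories
and rank the findings for remediation.

Added example; every record below is constructed. The ADV-xxxx ids are
placeholders for the CVE ids a real advisory feed would carry.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real CVE number
    product: str
    fixed_in: str      # first version that contains the fix
    cvss: float        # base severity score, 0.0-10.0
    published: date


@dataclass(frozen=True)
class Component:
    host: str
    product: str
    version: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.10' into (2, 3, 10) so versions compare numerically.

    A plain string comparison would rank '4.10.0' below '4.9.9'; real
    products with suffixes such as '-rc1' need a fuller version parser.
    """
    return tuple(int(part) for part in v.split("."))


def is_affected(component: Component, adv: Advisory) -> bool:
    """A component is affected if it is the same product and older than the fix."""
    return (component.product == adv.product
            and parse_version(component.version) < parse_version(adv.fixed_in))


def find_vulnerable(inventory: List[Component], advisories: List[Advisory],
                    today: date) -> List[Dict]:
    """Return one finding per (component, advisory) match, most urgent first."""
    findings = []
    for comp in inventory:
        for adv in advisories:
            if is_affected(comp, adv):
                findings.append({
                    "host": comp.host,
                    "product": comp.product,
                    "version": comp.version,
                    "advisory": adv.advisory_id,
                    "cvss": adv.cvss,
                    "age_days": (today - adv.published).days,
                })
    # Highest severity first; among equal severity, the longest-exposed first.
    findings.sort(key=lambda f: (-f["cvss"], -f["age_days"]))
    return findings


# Constructed advisory feed and asset inventory for demonstration only.
ADVISORIES = [
    Advisory("ADV-0001", "hmi-server", "4.2.0", 9.8, date(2018, 5, 1)),
    Advisory("ADV-0002", "historian", "7.1.3", 7.5, date(2021, 2, 10)),
    Advisory("ADV-0003", "hmi-server", "4.5.1", 5.3, date(2022, 11, 3)),
]
INVENTORY = [
    Component("scada-hmi-01", "hmi-server", "4.1.7"),
    Component("scada-hmi-02", "hmi-server", "4.5.1"),   # already patched
    Component("hist-01", "historian", "7.0.9"),
    Component("eng-ws-03", "hmi-server", "4.3.0"),
]
ASSESSMENT_DATE = date(2023, 1, 1)   # fixed so the example is reproducible


def run_example() -> List[Dict]:
    return find_vulnerable(INVENTORY, ADVISORIES, ASSESSMENT_DATE)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['host']:14} {f['product']:11} {f['version']:7} "
              f"{f['advisory']} cvss={f['cvss']} public_for={f['age_days']}d")
```

The ranking key is the part worth copying: a CVSS score alone does not capture that an unpatched flaw from 2018 has had years of public exploit development behind it, so exposure time is used as the tie-breaker.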
Cultivate OT Security Skills Within
The cybersecurity skills gap remains an ongoing problem—especially when it comes to organizations’ OT environments. An increase in responsibilities and network complexity is taxing OT security personnel, elevating burnout levels, and driving professionals from the industry. This is leaving electric utilities and their OT environments vulnerable to attack.
In response, organizations everywhere need to focus on cultivating their OT security skills.
“More effort will be needed to develop the OT Security skill pool,” explained Applied Risk and Ponemon in a joint study. “There is a growing demand for professionals with OT Security skills. These do not all need to be OT Security specialists, but OT Security needs to be embedded in the profiles of managers, engineers, operators, procurement specialists, and others. Workforce development will be one of the most important means of achieving this goal.”
Set up Early Warning Systems
Every electric utility wants to prevent malicious actors from infiltrating its systems. But regardless of the tools in place, it can’t prevent every attack attempt. That’s why utilities need early warning systems that automatically detect anomalies which could indicate a security incident and proactively alert administrators to suspicious activity. These types of solutions can free infosec personnel from manually investigating threat alerts and wasting their time on false positives, wrote POWER Magazine. In doing so, they enable security professionals to focus on more meaningful job duties.
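The kind of anomaly detection described above, as an added example that is not from the article or from any product: a baseline-and-deviation check over DNS query logs. It learns which domains each host normally resolves, then raises an alert when a host resolves a domain outside that baseline, with a higher severity for management-tier servers (the tier a compromised network-management product would sit in). Two suppressions keep the false-positive rate down: an allowlist of expected destinations, and ignoring new hostnames under an already-seen registered domain. The log format, hostnames and domains are constructed; `.example` is a reserved TLD, so nothing here resolves.

```python
"""Baseline-and-deviation detector over constructed DNS query logs.

Added example, not from the article. The log format, hosts, domains and
tier assignments are all constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed log format: "<timestamp> host=<name> event=dns query=<fqdn>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=dns query=(?P<query>\S+)$")

# Hosts whose outbound destinations should be stable (assumed management tier).
MANAGEMENT_HOSTS = {"nms-01", "patch-srv-01"}
# Destinations allowed without a baseline entry, e.g. an OS update CDN (assumed).
ALLOWLIST = {"updates.os-vendor.example"}


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    query: str
    severity: str   # "high" for management hosts, otherwise "medium"


def parse(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; malformed lines yield None rather than an exception."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def registered_domain(fqdn: str) -> str:
    """Crude registered-domain extraction (last two labels).

    Good enough for the constructed data; production code should use the
    public suffix list so 'x.co.uk' is not collapsed to 'co.uk'.
    """
    parts = fqdn.rstrip(".").split(".")
    return ".".join(parts[-2:])


def build_baseline(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each host to the set of FQDNs it resolved during the learning window."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec:
            baseline[rec["host"]].add(rec["query"])
    return baseline


def detect(baseline: Dict[str, Set[str]], lines: List[str]) -> List[Alert]:
    """Alert on queries that fall outside a host's learned baseline."""
    seen_domains = {h: {registered_domain(q) for q in qs} for h, qs in baseline.items()}
    alerts: List[Alert] = []
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        host, query = rec["host"], rec["query"]
        if query in ALLOWLIST or query in baseline.get(host, set()):
            continue
        # A new hostname under a domain the host already talks to is low-value noise.
        if registered_domain(query) in seen_domains.get(host, set()):
            continue
        severity = "high" if host in MANAGEMENT_HOSTS else "medium"
        alerts.append(Alert(rec["ts"], host, query, severity))
    return alerts


# Constructed learning-window logs.
BASELINE_LOGS = [
    "2023-01-02T08:00:01Z host=nms-01 event=dns query=api.vendor.example",
    "2023-01-02T08:00:02Z host=nms-01 event=dns query=updates.vendor.example",
    "2023-01-02T08:05:00Z host=ws-17 event=dns query=mail.corp.example",
    "2023-01-02T08:05:03Z host=ws-17 event=dns query=intranet.corp.example",
]

# Constructed live logs: one management-host deviation, one workstation deviation,
# two suppressed cases and one malformed line.
LIVE_LOGS = [
    "2023-01-05T02:14:07Z host=nms-01 event=dns query=api.vendor.example",
    "2023-01-05T02:14:08Z host=nms-01 event=dns query=cdn2.vendor.example",
    "2023-01-05T02:14:09Z host=nms-01 event=dns query=updates.os-vendor.example",
    "2023-01-05T02:14:10Z host=nms-01 event=dns query=telemetry-sync.example",
    "2023-01-05T09:30:00Z host=ws-17 event=dns query=docs.corp.example",
    "2023-01-05T09:31:12Z host=ws-17 event=dns query=files-share.example",
    "this line is not in the expected format",
]


def run_example() -> List[Alert]:
    return detect(build_baseline(BASELINE_LOGS), LIVE_LOGS)


if __name__ == "__main__":
    for a in run_example():
        print(f"[{a.severity}] {a.ts} {a.host} resolved unexpected {a.query}")
```

The management-host deviation is the one an analyst should see first: a monitoring or patch server resolving a domain it has never contacted before is exactly the signal that a trojanized update would produce, and it is cheap to check on every log line.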
Mitigate Physical Security Risks
A computer isn’t the only means through which malicious actors can target electric utilities. Attackers can exploit a lack of appropriate safeguards to physically gain access to substations and other assets and tamper with the electric grid. To counter these threats, organizations need to combine physical security measures such as security cameras and fencing with security awareness training programs that help deter physical attacks.
Conduct Risk Assessments
Electric organizations can’t protect themselves against digital threats if they don’t know the types of risks confronting them. Consequently, they need to conduct risk assessments on an ongoing basis to evaluate their systems for potential vulnerabilities. They can then use the results of those assessments to drive their security planning and investments going forward.
Conduct Ethical Hacking Exercises
Finally, electric utilities need to realize that they can’t always uncover all their systems’ weaknesses on their own. That’s why they might consider staging an ethical hacking engagement. These exercises provide insight into how digital attackers could chain system vulnerabilities together to infiltrate an organization’s assets.
How Itegriti Can Help
Not all organizations can do all of the above on their own. Nor can they choose when or where they will be attacked. That’s why they need to stay on top of their security posture 24/7 and make sure a recovery plan is in place for when an attack does happen.
With the help of Itegriti, organizations can get that level of coverage. Itegriti’s teams of security and compliance professionals can help organizations to patch their software weaknesses, cultivate their employees’ levels of security awareness, converge their digital and physical security efforts, as well as participate in pentests through managed offerings like vCISO and vCompliance.
Learn how Itegriti can help you to prevent a hack at your electric utility.