Ransomware is “the foremost widespread cybersecurity threat impacting industrial organizations worldwide,” Abdulrahman Alamri, senior adversary hunter at Dragos, wrote in an April blog post analyzing global cybersecurity incidents in the first quarter. But the electric sector was relatively unscathed, notching just a single incident, compared with more than 100 attacks on the manufacturing sector.
Utility Dive reached out to Alamri to ask about the disparity: Is the electric sector better protected than others, and is there a risk of complacency among utilities?
To some extent, the difference in attack numbers has to do with the size of the industries, Alamri said in an email. Since manufacturing is the largest industrial sector “by number of entities,” it reports the highest numbers of incidents, Alamri said. Ransomware groups are “generally opportunistic and financially motivated, aiming their attacks at entities where they perceive the greatest opportunity to achieve their goals,” he said.
Since the start of 2023, Dragos has observed a rise in ransomware attacks “leading to operational disruptions in numerous industrial organizations,” he said. The organization, which monitors the activities of ransomware groups, including their postings on dark web leak sites, is aware of “many instances” where ransomware operators achieved some level of disruption to operational technology when an attack on an information technology environment “prompts an organization to shut down elements of OT environments as a precautionary measure,” he said.
That type of disruption occurrred in 2021 when Colonial Pipeline was shut down following a ransomware attack. The ransomware never migrated into the pipeline’s OT environment, but the company shut down operations as a proactive safety measure, leading to disruptions in gasoline and jet fuel deliveries along the East Coast.
The manufacturing, transportation and industrial control systems equipment and engineering sectors accounted for about 90% of first quarter incidents around the world, according to Dragos. The oil and gas sector experienced eight incidents, or about 4% of attacks. The mining, communications, electric and renewable energy sectors each had two or less attacks, according to the cybersecurity firm.
NERC CIP rules help protect electric sector
The electric power sector has security rules and best practices in place that have helped to create a culture of security, Alamri said.
The Critical Infrastructure Protection standards managed by the North American Electric Reliability Corp. “do not directly address ransomware as a separate risk,” Alamri said. However, “many of the policies, procedures and technologies that organizations have had to implement related to different NERC CIP standards do assist electric sector organizations in preventing their exposure to ransomware.”
In particular, utility personnel are trained on NERC CIP-005, which focuses on electronic security perimeters, and CIP-007, which covers systems security management, Alamri said, noting that those rules “emphasize both network and system security in ways that are commonly described as best practices for preventing malware, specifically ransomware.”
NERC and the Federal Energy Regulatory Commission are evaluating new standards, including CIP-015 on internal network security monitoring and the inclusion of virtualization in many of the revisions to other CIP standards, Alamri added.
“Outside of the existing work processes currently being undertaken by the CIP drafting teams, it is unlikely that additional rules and regulations are necessary at this time other than normal revisions,” he said.
Matt Calligan, director of growth markets at ArmorText, said the utility sector doesn’t necessarily need more rules but “what’s lacking is clarity on the application of those rules and how the overlapping requirements of the various regulations often put utilities in a Catch-22.”
Calligan pointed to questions regarding whether utilities can use cloud-based systems. NERC’s rules require grid asset owners to have certain control of the devices operating their software and cloud computing makes that difficult.
“So you have utilities going the forgiveness-vs-permission route so they can utilize the latest cloud-based technologies, and other utilities who have taken a hard ‘no CIP data in the cloud’ stance until things are clarified,” Calligan said. The situation is “forcing many departments into older technologies that might be approaching end of life.”
For organizations that are not subject to NERC CIP, “additional rules may be warranted,” Alamri said. The National Association of Regulatory Utility Commissioners is working on cybersecurity guidance and in February it published a set of cybersecurity baselines with the U.S. Department of Energy aimed at improving the security of distribution systems and distributed energy resources.
NARUC has “taken many of the experiences and requirements from NERC CIP and incorporated them into their appropriate guidance documents around cybersecurity,” he said.
Ransomware can ‘spill over’ into OT environments
Ransomware is “certainly one of the most significant and most prolific ongoing threats to utilities/energy organizations,” Alamri said. While ransomware is not typically designed to target an organization’s operational technology, ransomware adversaries “are increasingly adopting [industrial control system]-specific process kill lists, demonstrating the ability to stop industrial processes in the OT environment,” he said.
Dragos is aware of a ransomware incident that impacted a U.S energy company where the attacker “successfully traversed the enterprise into the OT environment,” Alamri said. However, it is possible that “the adversary did not explicitly target the OT environment and that successful navigation was incidental.”
About three-quarters of cyberattacks impacting the OT environment originate on the IT side, said Stellar Cyber founder and Chief Technical Officer Aimei Wei.
“They spill over from IT to OT, so our view here is that people really need one solution that can affect both. … You gain visibility into both environments, and are able to find and detect that lateral movement from IT to OT,” she said. The attacks are “really difficult to prevent” and so it is important to “catch the early signs.”
Utilities often “air-gap” OT environments from IT, but this leads to its own set of challenges, Calligan said.
“I know many teams in major utilities who have two different colored screens on their desks, one connected to OT and one connected to IT — this really isn’t scalable and isolation can breed ossified thinking,” he said. “The blending of OT and IT is inevitable as more and more on the OT side becomes digitally enabled and controlled. This requires dialogue and cooperation between both sides of the house around tools and strategies to create resiliency.”
Utilities must guard against complacency
With relatively few ransomware attacks impacting electric utilities’ operations, relative to other sectors, is there a danger of complacency?
Calligan suggested that treating manufacturing as one large industry for OT cyber activity while breaking other industries into subcategories “could lead to misguided conclusions” and make utilities look more secure than they are.
Complacency and a false sense of security can arise when incidents are infrequent or appear less severe compared to other sectors, Alamri said. “However, given recent high profile cyber attacks to critical infrastructure, we would not call utilities complacent,” he said. “Last year, the Dragos team saw a 104% growth in the number of tabletop exercises we conducted with customers in the electric industry. Ransomware remains the most common scenario selected.”
It would be a mistake for utilities to get complacent on security, particularly heading into the election, said Steve Garrison, senior vice president of marketing for Stellar Cyber. It is good that utilities have avoided most ransomware attempts recently but “we don’t think that short-term trend is all that meaningful.”
Ransomware attackers have also been hitting the healthcare sector recently. which could account for a decline in utility attacks, according to Wei. “Attackers might be focusing their efforts on a particular sector at certain point of time,” she said.
“There’s going to be a lot of interesting things that happened during the election this year,” and cyberattacks are among the top threats utilities are watching for, Garrison said.