How Vulnerable Are America’s Utilities?

4 March 2021

Undoubtedly, news that a Florida water plant had been hacked raised a lot of alarms outside the cybersecurity industry. The idea that a water source could be contaminated hit home for many Americans, highlighting the vulnerability of the nation’s utilities and critical infrastructure.

But this attack came as no surprise to security experts. It was not the first evidence that a utilities company had been compromised. As Brian Krebs wrote,for security nerds who’ve been warning about this sort of thing for ages, the most surprising aspect of the incident seems to be that we learned about it at all.”

Krebs goes on to note that security researchers have often shared evidence of their ability to access what are commonly known as, industrial control systems (ICS), which allow for human beings to remotely interact with the systems that monitor critical infrastructures. If an ICS were compromised, the fallout could be catastrophic. But the reality of the risk to ICS was known long before Florida made headlines.

In 2009, the Federal Energy Regulatory Commission (FERC) approved the first version of the Critical Infrastructure Protection (CIP) reliability standards. More recently, in May 2020, in recognition of the gravity of the risk to health and human safety and the American economy, President Trump signed Executive Order 13920, Securing The United States Bulk-Power System. The new administration is continuing to focus on mitigating supply chain risk, with President Biden signing another Executive Order directing federal agencies to review supply chain security risks across industry.

Targeting the Supply Chains

In response to the Executive Order, Idaho National Laboratory (INL) offered guidance on how to counter threats from adversaries and mitigate the risk of corruption in the supply chain. INL wrote, “Vendors have far better knowledge of the subcontractors who contribute to their products and their compliance with supply chain risk management (SCRM) standards.”

Yet data from Prevailion’s Apex Report shows that supply chains pose one of the greatest risks to unsuspecting enterprises across all sectors, including utilities. These are more than potential threats identified by security researchers. The report reveals evidence of compromise in a major US electric utility targeted by multiple APTs, backdoors in Midwest utilities as well as another infected Florida water district and a Massachusetts utility company. In most cases, the attackers targeted vulnerabilities in the supply chain

Prevailion has also seen long-running compromise activity in a major industrial provider that supplies the power grid, and the 2020 Apex Report underscores risks in the Oil and Gas Industry. The findings point to, “evidence of compromise within every major component of the Oil and Gas Global Supply Chain.” It’s worth noting that Idaho National Laboratory asserts, “DOE and its intelligence community (IC) partners can and should routinely provide additional data on equipment and adversary efforts to penetrate supply chains and clarify how adversaries are likely to conduct supply chain-based attacks in the future,” but Prevailion’s analysis shows that far too often partners don’t have visibility into attacks on their downline partners and vendors.

Leading industrial provider which supplies the US power grid shows long-running compromise activity. (Source: APEX)

Risk from Ransomware

In November 2020, Americold was reportedly the victim of a ransomware attack, shedding yet another light on the threat to critical infrastructure given the impact this attack had on cold storage warehouse chains across the US as the country raced to roll out the Covid-19 vaccine. In truth, it’s rare that malware has been used to successfully attack ICS; however, there’s ample evidence that attacking an organization with ransomware is quite commonplace. 

Still ICS is not impervious to a ransomware attack. Wired recently reported that security researchers have discovered, “a malware sample has surfaced that uses specific knowledge of control systems to target them with a far blunter, and more familiar, tactic: Kill the target’s software processes, encrypt the underlying data, and hold it hostage.”

Because there is no one attack vector that is the sole threat to American utilities, there is no single solution to protecting critical infrastructure. These are complex systems that require a comprehensive security strategy. That strategy has to be informed by reliable, actionable threat intelligence and it must provide visibility into what is happening throughout the supply chain.

The Latest

Prevailion CEO, Karim Hijazi – Cheddar News- FCC commissioner calls on Apple and Google to ban TikTok app

A member of the FCC renewed urgency calls on Apple and Google to remove TikTok from their app stores, raising concerns that TikTok’s Chinese-based parent company is collecting user data that is being accessed in China.

IRONSCALES Cyber Security Heroes: The New Cyber Era Post Ukraine Invasion

What Wicked Webs We Un-weave

What Wicked Webs We Un-weave: Wizard Spider once again proving it isn’t you, it isn’t me; we search for things that you can’t see Authored by: Matt Stafford and Sherman Smith Executive summary: In late January 2022, Prevailion’s Adversarial Counterintelligence Team (PACT) identified extensive phishing activity designed to harvest credentials for Naver. Naver is a […]

Copyright 2023 Prevailion, Inc. All rights reserved.    

Disclaimer: Gartner “Cool Vendors in Security Operations and Threat Intelligence,” Mitchell Schneider, Ruggero Contu, John Watts, Craig Lawson, October 13, 2020. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner Disclaimer: The GARTNER COOL VENDOR badge is a trademark and service mark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.