Presenters at a webinar hosted by SERC Reliability on Wednesday warned utilities that ransomware is a much bigger threat than many of them realize, and major efforts are still needed to make operational technology and information technology assets safe from infection.
“It’s a global thing. It just affects every industry and anyone who is connected to the internet from an enterprise perspective,” Etinnie Burnett, a Critical Infrastructure Protection (CIP) auditor at SERC, said in his presentation on ransomware at the regional entity’s 2023 CIP Spring Security Webinar. “Whether it be OT [or] IT, this affects you in the way we look at how we reduce that risk. It’s an overarching thing; it’s not just a piece of a pie; it’s the whole pie.”
Burnett cited recently released data from cybersecurity firm Dragos that it tracked 605 ransomware attacks against industrial organizations worldwide in 2022, nearly double what it saw the year before. About 41% of those incidents affected organizations in North America. (See Dragos: Cyber Landscape Remained Volatile in 2022.)
While just 29 of last year’s ransomware attacks targeted the energy sector, Burnett said utilities should take the threat seriously, because even a single successful intrusion can cause major disruptions. He pointed to the Colonial Pipeline breach of 2021, which caused the nearly weeklong shutdown of a major fuel supply network and led to a regional emergency declaration affecting 17 states and D.C., saying the case illustrates that companies can suffer even when an intrusion only directly impacts a company’s IT network, rather than the OT environment that directly manipulates its physical tools. (See Biden Directs Federal Cybersecurity Overhaul.)
Burnett also highlighted the Black Basta cyber gang, a suspected offshoot of the Conti and REvil groups that breached Chicago-based construction and engineering firm Sargent & Lundy last October. Sargent & Lundy has significant interaction with the bulk power system; the description of its work on its website mentions “electrical grid modernization, renewable energy, energy storage, nuclear power and fossil fuels.”
The firm’s notification of the breach, released in December, said the hackers are known to have accessed the names and Social Security numbers of “over 6,900 individuals.” Burnett said this exposure could easily put business connections of the firm at risk, showing how “it’s not always the entity; it’s who the entity does business with. How are [they] protecting my data as well?”
Burnett then pointed to a paper from 2016 surveying electric utilities on the effect of NERC’s CIP standards. While the standards are intended to address cyber and physical security risks, Burnett noted that many respondents held an ambivalent view on them, citing concerns such as the difficulty of NERC’s deliberative standards development process keeping pace with the rapidly changing cybersecurity landscape.
While Burnett acknowledged these fears, he said they should serve as a catalyst to utilities to build cybersecurity programs that go beyond the bare minimum requirements of the CIP standards. He urged utility leadership to recognize that “there’s no [one] standard that I can speak to that is going to solve this problem.”
“Every standard is a key part of reducing the ransomware [threat], and cybersecurity [must be viewed] as a threat in the larger context,” Burnett said. “So we cannot be single-minded — we can’t think, ‘We’re just in our little bubble, and this is my part of the process, and this is their part of the process. The silo mentality, when it comes to ransomware, is risky, because … we won’t catch [those risks] until after the fact.”