Three small Northwest utilities were among more than a dozen hit by recent cyberattacks targeting small electric utilities. While none of the attacks apparently succeeded, they highlight two of the weakest links in the industry's cybersecurity defenses: small, resource-strapped electric utilities and employees.
Two of the utilities—Cowlitz County PUD and Flathead Electric Cooperative—told Clearing Up they found no evidence the attacks had breached their defenses. They were unaware of the attacks until the FBI notified them. The third utility, Klickitat PUD, did not reply to requests for comment.
At least 17 entities in the utility sector were targeted by what appears to have been a state-sponsored hacking campaign carried out between April and August, according to Proofpoint, a Silicon Valley cybersecurity firm that identified the activity.
In general, the hackers performed reconnaissance on utility firewalls looking for weaknesses and later sent employees emails containing malware, which Proofpoint dubbed "Lookback." It is not clear if all entities were hit by both.
Hackers appear to have probed Cowlitz to find a chink in its cyberattack defenses. The utility did not find any evidence it received any infected emails, Cliff Hammons, the PUD's information technology manager, said in an interview.
The apparent lack of success did not appear to deter the hackers, Proofpoint reported on its website in September. Indeed, the firm noted, the hackers' efforts were marked by a "persistent focus on critical infrastructure providers in the United States."
Utility firewalls are routinely probed for weaknesses or digital doors left open by automated programs. Snohomish County PUD gets about 190,000 such hits a day, said Kevin Johnston, the utility's head of cybersecurity.
Foreign nations, notably China, Iran, North Korea and Russia, pose a very real threat to the U.S. power grid. In 2015 and 2016, state-backed hackers in Russia repeatedly, albeit briefly, cut power to parts of Ukraine. So far, there is no evidence a U.S. utility has been successfully hacked by a foreign adversary. However, a so-called cyberevent in early March disrupted grid operations in parts of California, Utah and Wyoming, according to the U.S. Department of Energy's Electric Emergency Incident and Disturbance Report.
The report's public version contains only a vague description of the March 5 disruption as a "cyberevent that causes interruptions of electrical system operations." It did not cause any power outages, according to the report.
DOE's definition of a cyberevent is broad enough that the March event could have been caused by an employee or a local actor, as well as a foreign hacker.
On Aug. 24, a Washington utility experienced a "cyberevent that could potentially impact electric power system adequacy or reliability," according to the DOE report. The report ascribes the event to "suspicious activity." Again, it did not lead to any outages.
So far, those are the only two cyberevents among the 243 disruptions reported to DOE through October.
The source of cyberattacks is not limited to state actors, though. Criminals looking to poach financial information and "hacktivists" such as the group Anonymous regularly test utilities' defenses, said SnoPUD's Johnston. The utility has become a regional leader in cybersecurity.
Cyberthreats are constantly evolving, so utilities can never relax.
"Any organization that thinks it is [completely secure], they might be proficient, but they probably also are getting lucky," Johnston said.
Employees are just as critical to cybersecurity as technological defenses. That means utilities must have robust training regimens for all employees.
One phase of the Lookback campaign sent fraudulent emails to utility engineers telling them they had failed a licensing exam. The emails appeared to come from the U.S. National Council of Examiners for Engineering and Surveying. Recipients were told to open an attached Microsoft Word document for instructions on what to do next. Opening the document, though, would infect the user's computer with the Lookback malware, which would give the hackers the ability to view the infected computer, run commands, delete files, move and operate the cursor, and reboot the machine, among other functions.
Phishing emails often hit recipients with a one-two combo threatening bad consequences with a false urgency. They tell the recipient something bad will happen—unless they immediately follow steps presented by the sender, Johnston said.
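A triage check built on the indicators described above, added here as an illustration and not code from any utility or from Proofpoint: it flags a message that names an organisation but arrives from a domain that organisation does not use, pairs a threatened consequence with urgency, and carries an Office attachment. The allowlist of legitimate domains and both sample messages are constructed for the example.

```python
from email import message_from_string
from email.message import EmailMessage, Message
from email.utils import parseaddr

# Constructed allowlist (hypothetical): organisation keyword -> sender domains accepted for it.
IMPERSONATED_ORGS = {"ncees": {"ncees.org"}}
# Threatened consequence + false urgency: the "one-two combo" quoted in the article.
THREAT_PHRASES = ("failed", "suspended", "revoked", "license", "licence", "certification")
URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent", "final notice", "act now")
OFFICE_EXTENSIONS = (".doc", ".docx", ".docm", ".rtf")


def score_lure(raw: str) -> tuple[int, list[str]]:
    """Return a risk score and the indicators that fired for one raw RFC 822 message."""
    msg: Message = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = "".join(
        p.get_payload(decode=True).decode(errors="replace")
        for p in msg.walk() if p.get_content_type() == "text/plain"
    )
    text = f"{display} {msg.get('Subject', '')} {body}".lower()
    score, reasons = 0, []
    # 1. Claims an organisation but is sent from a domain that organisation does not use.
    for org, domains in IMPERSONATED_ORGS.items():
        if org in text and domain not in domains:
            score, reasons = score + 3, reasons + [f"claims {org.upper()} but sent from {domain}"]
    # 2. Threat and urgency appearing together.
    if any(t in text for t in THREAT_PHRASES) and any(u in text for u in URGENCY_PHRASES):
        score, reasons = score + 2, reasons + ["threatened consequence paired with urgency"]
    # 3. Office document attached: the lure told recipients to open a Word file.
    for name in (p.get_filename() for p in msg.walk() if p.get_filename()):
        if name.lower().endswith(OFFICE_EXTENSIONS):
            score, reasons = score + 2, reasons + [f"office attachment {name}"]
    return score, reasons


def build_sample(lure: bool = True) -> str:
    """Constructed messages: a lure modelled on the article's description, and a benign notice."""
    msg = EmailMessage()
    msg["To"] = "engineer@utility.example"
    if lure:
        msg["From"] = "NCEES Exam Services <exams@results-center.example>"
        msg["Subject"] = "Notice: you have failed your PE licensing exam"
        msg.set_content("Your license is at risk. Open the attached document immediately.")
        msg.add_attachment(b"placeholder bytes, not a real document",
                           maintype="application", subtype="msword", filename="Exam_Result.doc")
    else:
        msg["From"] = "NCEES <noreply@ncees.org>"
        msg["Subject"] = "Your exam registration is confirmed"
        msg.set_content("Thank you for registering. Log in to your account to view details.")
    return msg.as_string()
```

Run `score_lure(build_sample())` to see all three indicators fire on the constructed lure, while the benign registration notice scores zero.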
The Lookback campaign used a tactic called spear-phishing, which targets specific individuals. In this case, it threatened engineers with losing credentials.
Another tactic is called whaling, which goes after big targets, such as executives.
Many utilities, including Snohomish and Cowlitz, use outside vendors to phish their own employees as a training exercise.
"You'd be surprised how many people take the bait," but "that's better than taking the bait from China," Johnston said.
Utilities can be divided into two categories based on what they do with the results of such internal training, he said. "They can put a draconian, dark face on this" and punish employees who take the bait.
He said he knows of at least one utility in the region that ties whether an employee took the bait to performance evaluations.
"Now you're making people scared for their jobs," he said.
The other approach is to say "we are all [imperfectly] human," and employees need to work together to keep a system safe, Johnston said.
More cybersecurity training for state commissioners is a priority for National Association of Regulatory Utility Commissioners' newly elected president, Brandon Presley.
Gaps in training, resources and technology must be identified and closed, he said during his first speech as president at the association's annual meeting in November.
Cybersecurity is one of a handful of issues he plans to advance during his one-year term as NARUC president.
"We have many commissioners who have not gone through the one-day classified cybersecurity training" which NARUC provides in partnership with FERC and members of the federal government's intelligence community, he told Utility Dive.
Cyberthreats are growing in quantity and quality. Furthermore, complying with NERC standards and conducting required audits is becoming increasingly costly for many utilities, potentially straining cybersecurity budgets, Cowlitz's Hammons said.
"For this reason, utility CEOs, general managers, and commissioners must be open to larger budgets dedicated to strengthening security posture," he said.
During his 20 years at Cowlitz, "I've never been turned down when asking for money for cybersecurity," he said.
Even so, budget increases can be challenging for smaller entities, especially "when you need additional bodies," Hammons said.
Cowlitz's 2020 budget includes adding one more person for the information technology staff. Hammons said he did not want the total number of IT personnel revealed, for security reasons.
Smart grid technology and the "internet of things" mean the number of potential entryways for hackers is growing exponentially.
Advanced meters have many benefits for utilities and customers, such as the ability to remotely connect or disconnect service, Hammons noted. "Although these systems have encryption capabilities, if somehow remote disconnect commands were sent to thousands or millions of meters," it could wreak havoc.
Cowlitz is currently shopping for an advanced meter system, and cybersecurity is a key criterion, he said.
The surge of new and increasingly connected technology could prompt new security standards from federal regulators. However, in a commentary piece published by Fortune in October, FERC Chairman Neil Chatterjee said cyberthreats cannot be kept at bay by "simply piling on more mandatory standards."
Every utility and industry entity must be "clear-eyed about cybersecurity threats" and not rely on yesterday's success to guarantee tomorrow's safety, he said. "Our adversaries will not rest. Neither can we."