Cyber Hygiene for Public Utilities: Why to Take Action Now, and How
Security practices for public utilities need to be highlighted and improved.
Cyber Threats in the Public Utility Sector
A hacked power grid turning the lights out for millions, a dam being controlled by an adversary — these are the kinds of nightmare situations cybersecurity researchers often talk about in the context of cyber warfare or state-sponsored terrorism.
A coordinated national defense posture against that kind of attack is beyond the scope of your average municipal public utility’s IT department. But what if attacks on infrastructure come to bear at a smaller scale, with less dramatic motivations?
Most attacks we see at Corvus are financially motivated. Ransomware has become the clear leader among methods used by hackers to extract money from victims. We also see some cases of disgruntled employees or ex-employees making mischief with IT systems, and some purely accidental shutdowns. While these types of actions might not rise to the level of a national security threat if they were to hit a local utility provider, for any community directly affected they would be no less devastating.
That’s why security practices for public utilities need to be highlighted and improved: not only to defend against a potential “Cyber Pearl Harbor” — but also to ensure that utilities and other critical infrastructure don’t become the next big opportunity in the eyes of cyber criminals such as ransomware operators.
We are offering to help any public utility to ensure its security hygiene is up to date. We provide cybersecurity scans, also known as attack surface mapping, to all of our policyholders regularly, and have helped many of them take steps to reduce risk. Any employee of a public utility in the U.S. can now get this report for their organization for free, no strings attached.
Why Utilities, Why Now?
A highly publicized intrusion of a water utility in the city of Oldsmar, Florida this month has raised attention to issues facing utilities. The intruder in this case didn’t try to get money from the organization — their motivation is still unknown, and quite frankly they may not have “intruded” at all (it could be an insider who decided to take this dangerous action). Either way, the initial incursion appeared to be easily accomplished by the actor, and despite the failure to poison the water supply (both because the intruder was caught, and because of some fail-safes that were built into the system) the attack didn’t require any novel hacking skills.
As we’ve witnessed throughout the rise of ransomware over the past few years, cyber criminals will leverage any information that leads them to easier and bigger payoffs; who doesn’t like easy? An organization that’s easy to break into, has the financial backing of a government, and would face major backlash and attention if it were forced to shut down operations — that fits the criteria. Public utilities need to be vigilant.
There is also (because there always is!) a Covid-19 angle. As we reported early on in the pandemic, the influx of remote work and the use of remote access technologies created new risks for businesses. Utilities are no different. They use industrial control system technologies known as “SCADA” systems to monitor and control machinery, and use digital interfaces that enable human administrators to access and manipulate the systems. These kinds of industrial control systems are typically closed-network systems that are not intended to communicate with the internet. But the shift to remote work has accelerated the use of technologies to allow for remote monitoring and administration.
In the Oldsmar case, a series of failures of cyber hygiene relating to remote access enabled the intrusion:
Remote access was enabled on one PC via the TeamViewer software application — the machine in question was an old PC running a 32-bit version of the Windows 7 operating system that is no longer supported and past its useful life
No firewall was turned on or configured
The administrative team using the PC for remote access shared the same identity/password for TeamViewer admin access
From the sharing of passwords we can also infer that multi-factor authentication was not in place to further secure access to TeamViewer
This is just one specific case and we can’t assume we’d find the same exact set of circumstances elsewhere. But there are over 150,000 water utilities in the United States. Within such a large group we can safely assume there will be a wide range of adherence to cybersecurity best practices — odds are there are many other Oldsmars out there. And copycat hackers may already be trying to find them.
Corvus’s security scan looks at any organization the way an adversary does — poking around the outside of the system for any soft spots. The intruder, if they were an outsider, couldn’t have known that the team shared passwords, but they could spot an open port tied to a remote access technology (in this case, TeamViewer’s port 5938) that is visible to the web rather than protected by a VPN or firewall. From there, they can get started on a number of tactics to break in. If they were an insider, that’s a different story — some accounts have pointed out that the attacker knew exactly how to use the control system. But measures Corvus recommends would help secure systems against insider threats as well, with better credential management making anonymous, untraceable actions less likely.
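A utility's own IT staff can apply the same outside-in view to an export of their perimeter firewall rules. The following is an added example, not Corvus's scanner and not code from the original article: the rule format, rule names, the trusted VPN subnet 10.8.0.0/24 and the sample rules are all constructed, and ports 3389 (RDP) and 5900 (VNC) are added alongside the article's TeamViewer port 5938. Rule order and precedence are not modeled.

```python
import ipaddress

# Remote-access services to flag. 5938 is the TeamViewer port named in the
# article; 3389 (RDP) and 5900 (VNC) are added here as assumptions.
REMOTE_ACCESS_PORTS = {5938: "TeamViewer", 3389: "RDP", 5900: "VNC"}

# Constructed sample export: "action proto source port-or-range rule-name"
SAMPLE_RULES = """\
allow tcp 0.0.0.0/0 443 public-web
allow tcp 0.0.0.0/0 5938 scada-remote-support   # open to the whole internet
allow tcp 10.8.0.0/24 3389 rdp-via-vpn          # reachable only from the VPN
allow tcp 203.0.113.0/24 5900-5910 vendor-vnc
deny tcp 0.0.0.0/0 3389 block-rdp
"""

def parse_rule(line):
    """Split one rule line into its fields, expanding the port range."""
    action, proto, source, ports, name = line.split()
    lo, _, hi = ports.partition("-")
    return {
        "action": action,
        "proto": proto,
        "name": name,
        "source": ipaddress.ip_network(source, strict=False),
        "ports": range(int(lo), int(hi or lo) + 1),
    }

def exposed_remote_access(rules_text, trusted=("10.8.0.0/24",)):
    """Return (rule, service, source) for every allow rule that opens a
    remote-access port to a source outside the trusted (VPN) networks."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for raw in rules_text.splitlines():
        line = raw.split("#")[0].strip()   # drop comments and blank lines
        if not line:
            continue
        rule = parse_rule(line)
        if rule["action"] != "allow":
            continue
        src = rule["source"]
        if any(src.version == n.version and src.subnet_of(n) for n in trusted_nets):
            continue                       # source is behind the VPN
        for port, service in REMOTE_ACCESS_PORTS.items():
            if port in rule["ports"]:
                findings.append((rule["name"], service, str(src)))
    return findings

if __name__ == "__main__":
    for name, service, source in exposed_remote_access(SAMPLE_RULES):
        print(f"{name}: {service} reachable from {source}")
```

Each finding is a rule to either remove or restrict to the VPN subnet; the shared-password and missing-MFA problems from the list above are not visible in firewall rules and need a separate credential review.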
The report that Corvus delivers identifies things like risky open ports as well as the usage (or non-usage) of email security tools, and much more. It’s not equivalent to a complete security audit by a professional who can look inside and out, but it can identify all of the things that would attract the attention of a hacker. If you work for a public utility or are an insurance broker with utilities clients, we encourage you to take advantage of a free scan.