19 February 2021
Nathan Smolenski

Cyber Hygiene for Public Utilities – Why Take Action Now, and How


A hacked power grid turning the lights out for millions, a dam being controlled by an adversary — these are the kinds of nightmare situations cybersecurity researchers often talk about in the context of cyber warfare or state-sponsored terrorism. 

A coordinated national defense posture against that kind of attack is beyond the scope of your average municipal public utility’s IT department. But what if attacks on infrastructure come to bear at a smaller scale, with less dramatic motivations? 

Most attacks we see at Corvus are financially motivated. Ransomware has become the clear leader among methods used by hackers to extract money from victims. We also see some cases of disgruntled employees or ex-employees making mischief with IT systems, and some purely accidental shutdowns. While these types of actions might not rise to the level of a national security threat if they were to hit a local utility provider, for any community directly affected they would be no less devastating. 

That’s why security practices for public utilities need to be highlighted and improved: not only to defend against a potential “Cyber Pearl Harbor” — but also to ensure that utilities and other critical infrastructure don’t become the next big opportunity in the eyes of cyber criminals such as ransomware operators. 

We are offering to help any public utility to ensure its security hygiene is up to date. We provide cybersecurity scans, also known as attack surface mapping, to all of our policyholders regularly, and have helped many of them take steps to reduce risk. Any employee of a public utility in the U.S. can now get this report for their organization for free, no strings attached — click here to submit a request.

Why Utilities, Why Now?

A highly publicized intrusion at a water treatment facility in Oldsmar, Florida this month has drawn attention to the issues facing utilities. The intruder in this case did not try to get money from the organization; their motivation is still unknown, and frankly they may not have “intruded” at all (it could have been an insider who decided to take this dangerous action). Either way, the initial access appears to have been easy, and the attack required no novel hacking skills. It failed to poison the water supply only because the intruder was caught in the act and because of fail-safes built into the system. 

As we’ve witnessed throughout the rise of ransomware over the past few years, cyber criminals will leverage any information that leads them to easier and bigger payoffs; who doesn’t like easy? An organization that’s easy to break into, has the financial backing of a government, and would face major backlash and attention if it were forced to shut down operations — that fits the criteria. Public utilities need to be vigilant.

There is also (because there always is!) a Covid-19 angle. As we reported early on in the pandemic, the influx of remote work and the use of remote access technologies created new risks for businesses. Utilities are no different. They use industrial control system technologies, commonly referred to as SCADA systems, to monitor and control machinery, along with human-machine interfaces that let operators view and manipulate those systems. These control networks are traditionally closed networks that are not intended to communicate with the internet. But the shift to remote work has accelerated the adoption of technologies that allow remote monitoring and administration, and every such connection is a potential path in. 

In the Oldsmar case, a series of failures of cyber hygiene relating to remote access enabled the intrusion: 

  • Remote access was enabled on one PC via the TeamViewer software application. The machine in question was an old PC running a 32-bit version of Windows 7, an operating system that is no longer supported and past its useful life

  • No firewall was turned on or configured

  • The administrative team using the PC for remote access shared a single identity and password for TeamViewer access 

  • From the sharing of a password we can also infer that multi-factor authentication was not in place to further secure TeamViewer access
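The first three failures above can be checked from the machine itself. The following script is an added example, not code from the original post or from Corvus: it parses the output of three ordinary Windows commands (ver, netsh advfirewall show allprofiles, netstat -ano) and flags an unsupported OS version, a firewall profile that is turned off, and a remote-access tool listening on every interface. The sample command output embedded in it is constructed for the example, the set of supported Windows versions is an assumption frozen at February 2021, and the port-to-tool mapping covers only TeamViewer, RDP and VNC. Shared passwords and missing MFA are account-side settings that a host check cannot see.

```python
"""Host-side hygiene check for a remote-access PC.

Added example, not from the original post. It turns the Oldsmar failures into
three automatable checks by parsing the output of ordinary Windows commands:
`ver` (OS version), `netsh advfirewall show allprofiles` (firewall state) and
`netstat -ano` (listening ports). The sample outputs at the bottom are
constructed to resemble the PC described in the post; on a real host capture
each command's output and pass the text to audit().
"""
import re
from typing import List

# Windows NT versions still receiving security updates as of February 2021.
# Assumption made for this example: 10.0 (Windows 10 / Server 2016+) and
# 6.3 (Windows 8.1 / Server 2012 R2). Windows 7 reports 6.1.
SUPPORTED_NT_VERSIONS = {"10.0", "6.3"}

# Default TCP listeners of common remote-access tools.
REMOTE_ACCESS_PORTS = {5938: "TeamViewer", 3389: "RDP", 5900: "VNC"}


def check_os_version(ver_output: str) -> List[str]:
    """Flag an OS version that no longer receives security updates."""
    match = re.search(r"Version (\d+\.\d+)", ver_output)
    if not match:
        return ["could not determine Windows version"]
    version = match.group(1)
    if version not in SUPPORTED_NT_VERSIONS:
        return [f"unsupported Windows version {version}: no more security updates"]
    return []


def check_firewall(netsh_output: str) -> List[str]:
    """Flag every firewall profile whose State line reads OFF."""
    findings = []
    profile = None
    for line in netsh_output.splitlines():
        header = re.match(r"(\w+) Profile Settings:", line)
        if header:
            profile = header.group(1)
        elif profile and re.match(r"State\s+OFF$", line.strip()):
            findings.append(f"firewall is OFF for the {profile} profile")
    return findings


def check_listeners(netstat_output: str) -> List[str]:
    """Flag remote-access ports bound to every interface (0.0.0.0 or [::]),
    which is what makes them reachable from outside the machine."""
    findings = []
    for line in netstat_output.splitlines():
        parts = line.split()
        # TCP rows have five columns: Proto, Local, Foreign, State, PID.
        if len(parts) < 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        addr, _, port = parts[1].rpartition(":")
        port = int(port)
        if port in REMOTE_ACCESS_PORTS and addr in ("0.0.0.0", "[::]"):
            findings.append(f"{REMOTE_ACCESS_PORTS[port]} listening on all interfaces (port {port})")
    return findings


def audit(ver_output: str, netsh_output: str, netstat_output: str) -> List[str]:
    """Run all three checks; an empty list means nothing was flagged."""
    return (check_os_version(ver_output)
            + check_firewall(netsh_output)
            + check_listeners(netstat_output))


# --- Constructed sample output (not captured from any real system) ---
SAMPLE_VER = "Microsoft Windows [Version 6.1.7601]"

SAMPLE_NETSH = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
"""

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       780
  TCP    0.0.0.0:5938           0.0.0.0:0              LISTENING       2544
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING       1120
  UDP    0.0.0.0:5353           *:*                                    1120
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_VER, SAMPLE_NETSH, SAMPLE_NETSTAT):
        print("FAIL:", finding)
```

On a Windows 7 host the same three commands run from an elevated command prompt; save each output to a file and read the text into audit(). The firewall check reports per profile because Windows evaluates the firewall per network profile: a PC that is sitting on a network classified as Private is unprotected when that profile is off, even if the Domain profile is on. The VNC listener in the sample is bound to 127.0.0.1 and is deliberately not flagged, since it cannot be reached from another machine.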

This is just one case, and we can’t assume we’d find exactly the same circumstances elsewhere. But there are roughly 150,000 water utilities in the United States. Within such a large group we can safely assume a wide range of adherence to cybersecurity best practices; odds are there are many other Oldsmars out there, and copycat hackers may already be trying to find them. 

Corvus’s security scan looks at an organization the way an adversary does, poking around the outside of the system for soft spots. The intruder, if they were an outsider, couldn’t have known that the team shared a password, but they could spot an open port tied to a remote access technology (in this case TeamViewer’s TCP port 5938) that is exposed to the internet rather than protected by a VPN or firewall. From there, a guessed or leaked password is all it takes when the account has no MFA. One caveat: TeamViewer normally reaches its relay servers over outbound connections, so a host that exposes no inbound port 5938 can still be remotely controlled by anyone holding its TeamViewer ID and password; the external scan finds the hosts that expose the service directly, not every installation. If the actor was an insider, that’s a different story; some accounts have pointed out that the attacker knew exactly how to use the control system. But the measures Corvus recommends help against insider threats as well: individual credentials and MFA make anonymous, untraceable actions far less likely.    
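To show how little it takes to spot such an exposure from outside, here is an added example (not Corvus’s scanner, whose internals the post does not describe): a short Python script that attempts a TCP handshake with the ports that common remote-access tools and ICS protocols listen on and ranks whatever answers. The port-to-service pairings are the tools’ documented defaults; the severity labels, the probe-injection hook and the addresses used in testing are assumptions made for the example. Run it only against hosts you own or are authorized to test.

```python
"""External exposure check for remote-access and ICS ports.

Added example, not Corvus's scanner. It does what an adversary's first pass
does: from outside the network, try to complete a TCP handshake with the
ports that remote-access tools and control-system protocols listen on, and
report every port that answers. Scan only hosts you own or are authorized
to test.
"""
import socket
from typing import Callable, Dict, List

# TCP ports that signal remote access or a control system facing the internet.
# The port/service pairings are the tools' defaults; the severity labels are
# this example's own assumption.
WATCHED_PORTS = {
    5938: ("TeamViewer", "high"),
    3389: ("Remote Desktop (RDP)", "high"),
    5900: ("VNC", "high"),
    23: ("Telnet", "high"),
    22: ("SSH", "medium"),
    502: ("Modbus/TCP (ICS protocol)", "critical"),
    20000: ("DNP3 (ICS protocol)", "critical"),
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if the host completes a TCP handshake on the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(host: str, probe: Callable[[str, int], bool] = tcp_open) -> Dict[int, str]:
    """Return {port: service} for every watched port that accepts a connection.

    `probe` is injectable so the logic can be exercised without a network."""
    return {port: name for port, (name, _) in WATCHED_PORTS.items() if probe(host, port)}


def report(host: str, open_ports: Dict[int, str]) -> List[str]:
    """One line per exposure, worst first, with the standard remediation:
    take the service off the public internet and put it behind a VPN or firewall."""
    lines = []
    for port in sorted(open_ports, key=lambda p: (SEVERITY_ORDER[WATCHED_PORTS[p][1]], p)):
        name, severity = WATCHED_PORTS[port]
        lines.append(f"[{severity.upper()}] {host}:{port} {name} reachable from the internet; "
                     f"move it behind a VPN or firewall")
    return lines


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for line in report(target, scan(target)) or [f"{target}: no watched ports open"]:
        print(line)
```

A finding means the port answered from wherever the script ran, so run it from outside the utility’s network (a home connection will do) to see what an internet-facing adversary sees; the same check from inside the LAN will also succeed for services that are correctly blocked at the perimeter. A handshake alone does not prove the service is weak, but it is exactly the signal that tells an attacker where to start guessing credentials.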

The report that Corvus delivers identifies things like risky open ports, the use (or non-use) of email security tools, and much more. It isn’t equivalent to a full security audit by a professional who can look inside and out, but it does identify the externally visible weaknesses that would first attract a hacker’s attention. If you work for a public utility or are an insurance broker with utility clients, we encourage you to take advantage of a free scan.
