Nation's Power Grid Ripe for Ransomware, Other Cyberattacks
There are unique challenges to securing power companies.
Channel Futures: Are there specific challenges to securing energy?
NCC Group’s Damon Small: There are three big parts to energy when you’re talking about the power grid. There’s power generation, and those are the power plants that actually create the electricity. Then there’s transmission. That’s how you get the power from the plant to wherever it’s going. And that can go across great distances, across state lines. And then lastly, there’s the distribution grid, which actually gets it from the last mile into the home or business that’s consuming the electricity. So each of those broad steps along the way has unique challenges to it.
Physical security is still important, but attacks can be launched remotely across the internet. So that’s not necessarily particular to energy, but that’s definitely unique in the industrial control systems space.
But one thing that is somewhat particular to energy is there are very often one or more third parties that are involved in operating the plant. That means the producer doesn’t necessarily have complete control over all the equipment that’s running inside that plant. The perimeter keeps moving outward further away from the organization. And that boundary that protects the organization from the outside world gets thinner and thinner.
Channel Futures: Is the convergence of OT and IT creating new cyber risks?
NCC Group’s Damon Small: The convergence has completely changed the threat landscape. The IT network is the traditional business network. Twenty or so years ago, the IT network never communicated with the OT network at all. OT includes the control systems, the process control network itself and data systems, and so forth. So as it turns out, there’s a lot of business value that can be gained by sharing operational information with the IT folks, so we started interconnecting OT and IT.
Now that we’re starting to share more information between those two environments, and we’re necessarily connecting them together, that means it is possible to move from the business network in IT down to the OT network where all the process control stuff is. That means whoever is running the plant is no longer only worried about the physical facility that’s generating all the power. They also have to worry about the entire network infrastructure up to and including whatever interconnect they have with the broader internet. So it is a huge, huge change to the threat landscape for sure.
Channel Futures: What do energy companies need to be doing that they’re not doing to minimize risk?
NCC Group’s Damon Small: They need to realize that their control systems are no longer only within the four walls of their facility and they have to be protected that way. If you make a business decision to use remote access software, that’s fine. But make sure you implement it in such a way that it would be prohibitively difficult for a bad guy to gain access to it. And that means specifically no shared usernames and passwords, and implement some sort of multifactor authentication (MFA).
In addition, have your own teams onsite that know the business, your environment and the particular intricacies of your infrastructure. And work with third parties to get an objective point of view and accounting.
Channel Futures: Can MSSPs and other cybersecurity providers help with energy security?
NCC Group’s Damon Small: Yes, they can help. A good MSSP will have 24/7 availability and they’ll monitor these things for you. It goes back to who can do it more efficiently, a power company or a business that exists to provide that service. I have clients that are very large oil and gas companies, and they have very sophisticated security teams, but MSSPs can help.
REvil ransomware operators are demanding Apple pay a ransom to avoid having confidential information leaked on the dark web.
According to The Record, the REvil gang says it has Apple product data after breaching Quanta Computer. It’s a Taiwanese company that assembles official Apple products based on pre-supplied product designs and schematics.
In a message posted on a dark web portal, the REvil gang said Quanta refused to pay to get its stolen data back. As a result, they’re instead going after Apple, the company’s primary customer.
Anurag Gurtu is chief product officer at StrikeReady.
“Sodinokibi, aka REvil, is a ransomware that uses a wide range of tactics to distribute the ransomware and earn a commission,” he said. “It is aimed at English-speaking users. It also exploited vulnerabilities in remote services such as Oracle WebLogic. People believe it is related to GandCrab and that it uses code from Pony, RedOctober and Vidar. Sodinokibi has 41 active affiliates. Each affiliate’s version of Sodinokibi gets customized with a unique ID so that they can receive payments.”
Sodinokibi affiliates keep 60% of every ransom payment, rising to 70% after they book three successful ransom payments, Gurtu said. The remaining 30-40% gets remitted to the actor or actors behind Sodinokibi.
Deep Instinct has raised $100 million in Series D funding. The funding round was led by funds and accounts managed by BlackRock, with participation from Untitled Investments, The Tudor Group, and more.
Deep Instinct protects customers across North America, Europe and APAC, with enterprise customers tripling in the last year.
Guy Caspi is Deep Instinct’s CEO.
“This new injection of $100 million will double our investment to date, which allows us to expand in many different areas,” he said. “As for our partners, the additional funding will support our plans for R&D to help organizations and MSSPs autonomously process and analyze all information coming from their security stack, in addition to our aggressive growth strategy, which will include a significant channel expansion in North America.”
There will be a “huge effort” in building out a channel organization that can work with established industry names, security boutique consultancies and MSSPs, Caspi said.
“A key part of this will be the launch of an entirely new and comprehensive partner program designed to maximize the value to our channel in integrating Deep Instinct within their security stack,” he said.
Up to 35% of the funds will go toward further building out the company’s deep learning framework in areas such as advanced analytics and the expansion of cloud services, among others, Caspi said.
“As a result of this, our partners will be able to offer the only end-to-end deep learning platform for cybersecurity in the world, delivering the lowest false positives and the highest level of prevention,” he said. “In alignment with this, we have set an aggressive goal to provide new capabilities and solutions for customers and partners every six months.”
Rapid7‘s latest acquisition is Velociraptor, an open-source technology and community used for endpoint monitoring, digital forensics and incident response.
Through this acquisition, Rapid7 will continue to build the Velociraptor community, and leverage its technology and insights to enhance Rapid7’s incident response capabilities.
Velociraptor was developed for digital forensics and incident response (DFIR) professionals who need a way to hunt for and monitor malicious activities across endpoints.
Lauren Whitehouse is Rapid7’s vice president of detection and response.
“Velociraptor is a free, open-source project and community,” she said. “Since it’s not a commercial offering, there’s no reselling opportunity for the partner community. If a partner has an MSSP practice, they may benefit from using Velociraptor in their managed security services offering. If the partner is a Rapid7 channel partner, [there’s] the integration of Velociraptor technology in the Rapid7 portfolio, specifically for Rapid7’s current MDR offering and, later, InsightIDR.”
Velociraptor engages its community of security professionals in knowledge-sharing and contributions to the open source project, Whitehouse said. Partners can participate in the community to advance their skills, provide feedback and make contributions.
This week, the Biden administration launched a 100-day plan to strengthen the cybersecurity of the nation’s power grid.
The administration wants to increase the cybersecurity of electric utilities’ industrial control systems and secure the sector’s supply chain.
At the same time, the U.S. Department of Energy issued a request for information to enable the electricity sector and other bodies to provide input on future recommendations for supply chain security.
This follows a water supply hack in Oldsmar, Florida, that could have poisoned that city’s drinking water. Someone remotely accessed a computer for the city’s water treatment system. They then briefly increased the amount of sodium hydroxide, aka lye, by a factor of more than 100.
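The Oldsmar intrusion came down to a remotely made setpoint change two orders of magnitude above the normal value. As an added example that is not part of the original article, the script below runs a simple detection pass over constructed HMI audit log lines. The log format, tag names and engineering limits are assumptions made for illustration, not the format of any real historian or HMI product. It flags a change that leaves the tag's engineering range or jumps by more than a fixed ratio in a single step, and notes when the change came from a remote session.

```python
"""Flag out-of-range or abrupt setpoint changes in an ICS audit log.

Added example. The log format, tag names and engineering limits below are
constructed for illustration and do not describe any real plant or product.
"""
import re
from dataclasses import dataclass

# Constructed sample lines: timestamp, user, session origin, tag, old -> new
SAMPLE_LOG = """\
2021-02-05T13:00:02 operator1 local   NaOH_SETPOINT_PPM 100 -> 105
2021-02-05T13:01:10 operator1 local   NaOH_SETPOINT_PPM 105 -> 110
2021-02-05T13:03:40 operator1 remote  NaOH_SETPOINT_PPM 110 -> 11100
2021-02-05T13:04:15 operator1 remote  NaOH_SETPOINT_PPM 11100 -> 110
2021-02-05T13:05:00 operator2 local   PUMP_SPEED_PCT 40 -> 55
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<origin>\S+)\s+(?P<tag>\S+)\s+"
    r"(?P<old>[0-9.]+)\s*->\s*(?P<new>[0-9.]+)$"
)

# Hypothetical engineering limits per tag (assumed values, not real plant data).
ENGINEERING_LIMITS = {
    "NaOH_SETPOINT_PPM": (0.0, 500.0),
    "PUMP_SPEED_PCT": (0.0, 100.0),
}

# Any single change by more than this factor, up or down, is suspicious.
MAX_CHANGE_RATIO = 5.0


@dataclass
class Alert:
    ts: str
    user: str
    origin: str
    tag: str
    old: float
    new: float
    reason: str


def parse_line(line):
    """Return a dict for a well-formed audit line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["old"] = float(ev["old"])
    ev["new"] = float(ev["new"])
    return ev


def check_change(ev):
    """Return the list of reasons this change is suspicious (empty if none)."""
    reasons = []
    lo, hi = ENGINEERING_LIMITS.get(ev["tag"], (float("-inf"), float("inf")))
    if not lo <= ev["new"] <= hi:
        reasons.append(
            f"new value {ev['new']:g} outside engineering limits [{lo:g}, {hi:g}]"
        )
    if ev["old"] > 0 and ev["new"] > 0:
        ratio = max(ev["new"] / ev["old"], ev["old"] / ev["new"])
        if ratio > MAX_CHANGE_RATIO:
            reasons.append(f"value changed {ratio:.0f}x in one step")
    # Remote origin is context, not an alert on its own: it is appended only
    # when a substantive check already fired.
    if reasons and ev["origin"] == "remote":
        reasons.append("change made from a remote session")
    return reasons


def detect(log_text):
    """Run every check over every parseable line and return the alerts."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = check_change(ev)
        if reasons:
            alerts.append(Alert(ev["ts"], ev["user"], ev["origin"], ev["tag"],
                                ev["old"], ev["new"], "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.user}@{a.origin} {a.tag} {a.old:g} -> {a.new:g}: {a.reason}")
```

The ratio check is deliberately symmetric: on the sample data it fires on both the 100x increase and the operator's revert, so an analyst sees the whole sequence rather than only the first write. Engineering limits catch the case the ratio check misses, a large absolute value reached through several small steps.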
NCC Group’s Damon Small
Damon Small is an energy cybersecurity expert and consultant at NCC Group. It’s one of the largest security consultancies in the world with 15,000 clients and 35 global offices. He said we’re likely to see more power grid attacks in the coming months.
The goal of cyber terrorism is to “mess up people’s lives,” he said. And if you want to disrupt a lot of people, you start attacking energy companies — energy producers specifically.
Remote Access a Growing Problem
In a Q&A with Channel Futures, Small talks about why energy production is an increasing target for cybercriminals.
Channel Futures: What are the main cyber threats facing the power grid today? Are there examples of recent attacks?
Damon Small: Within the last couple of years, ransomware has been a big problem. That’s when some sort of malicious software gets on a device and makes the information on the device unavailable until they pay. Remote access is causing a problem. The ability to move malicious software onto an industrial control system didn’t used to exist. The ability for a malicious user to do some sort of cyber network-based attack wasn’t really possible until some things happened in the last several years. Ransomware is kind of indiscriminate. So if you’re vulnerable, you might get hit. But targeted, even state-sponsored attacks, are something that I would tell energy producers to worry about.
CF: What sort of damage can be inflicted by these attacks on power grids?
DS: A lot. The damage can be [merely] annoying, like maybe a website is defaced and it’s a high-tech vandalism. But it can [also] be mission-critical and disrupt the energy company’s ability to serve their companies and produce energy. That’s bad for the business, because if they’re not producing energy, they’re not generating revenue. And that’s also bad for the customers that the producer serves.
I’m in Houston, so I know from firsthand information what happens when a large power grid becomes unstable, as happened in Texas during that big freeze. So it doesn’t just affect the business. It affects the people who depend on having their modern society powered. So this has happened before and it’s going to continue to happen, not just because of opportunistic reasons, but also because if you want to disrupt lives, messing with public utilities is a very effective way to do that.