The Gately Report: Impero Software Says U.S. Power Grid Attacks Likely in Months Ahead
Oakland, California, has declared a state of emergency in response to a ransomware attack.
![Power grid](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt31e729ddccdf6722/6524062b1f7d701d1cd2323d/Power-grid.jpg?width=700&auto=webp&quality=80&disable=upscale)
Channel Futures: What sort of damage has resulted from past attacks and could result in future attacks?
Paul Hafen: We’re not talking about merely crippling a military or a base. We’re talking about harming civilians. And that kind of stuff is really what plays on our fears. Who has a vested interest in coming after us? It could be Russia or one of their groups. So the fear is that they could use social engineering, impersonate somebody … and send a file to somebody. And that person in that IT department within the energy sector, as an example, could then unwittingly unleash malware that would sit there maybe dormant until somebody who’s got remote control of that software decides to change the way the power grid looks.
The thing I get asked sometimes is why wouldn’t they already attack us. And there’s a reason they call these attackers APTs. They have patience and they know the more time they have their hooks into a network or into devices, the more they learn about the environment and the more damage they can cause when the time comes. Probably someone’s eyes are already on the surface area. There’s people already in there.
CF: Are there reasons behind the acceleration in attacks?
PH: So we talk a lot about methods, IOCs and TTPs. As for motives, it sounds like there are motivations for countries abroad that maybe feel that they’re in a state of decline. They are isolated by NATO and that kind of stuff. They see things maybe as existential where they’re worried about the continuity of their current form of government and what their country looks like. And so they’re being desperate. It’s hard to go toe-to-toe militarily with a country like the United States, so how else do you attack? So you’ve got all kinds of ways to do it, misinformation, trolls on social media and then you’ve got electronic means to get into the power grid and affect it, something close to what a bomb would do, and shutting down power. They can’t do it militarily, so they’re looking for other means to do it.
CF: Why target the U.S. power grid?
PH: They’ve got an ideological reason. They’ve got an existential reason. They don’t like what end of the argument they’re on with the United States. And they only leverage it since they don’t have trillions of dollars of military capabilities. You can get a couple of smart people to form an APT and do it. The reason they go the cyber route is because it’s the least cost. And you can kind of be anonymous.
CF: What makes the power grid so vulnerable to attacks? Are there weaknesses or vulnerabilities in the system?
PH: There’s always vulnerabilities. The people who make the software find vulnerabilities. There’s a big surface area, too. There’s four grids in the United States. There’s the East Coast, the Midwest, Texas and the West Coast. And then you’ve got that architecture where you’ve got energy production, the downgrading of the power and then the distribution. And you’ve got industrial control systems all through that whole supply chain. The reason I can say there’s vulnerabilities is because there’s a precedent for it. So whether in the United States or overseas, we see there are vulnerabilities. And we know publicly that the Federal Energy Regulatory Commission (FERC), the Department of Energy (DOE) and the Government Accountability Office (GAO) are aware of it, and they’ve published where they are. And they’re not fully patched. They don’t comply with the best standards known for cybersecurity.
CF: What can local leaders do to improve their cyber defenses with the power grid?
PH: So when you talk about cybersecurity and the National Institute of Standards and Technology (NIST) cybersecurity framework, a lot of it has to do with technologies you can buy to secure whatever you’re trying to secure. What is often overlooked and what local leaders can do … is training humans to look for and be vigilant against those kinds of attacks. There’s also policy that can go a long way. Policy can mean how humans act to avoid threats. Policy also means that you can change policies in these technologies without purchasing cybersecurity tools. Just lock down your systems.
If you’re giving computers out to your people, only give them the access privileges that they need to do their job and don’t give them more than that. You don’t want to give everybody keys to the kingdom so that they could inadvertently even cause an outage or a problem. The government is investing a lot of money that’s finding its way down to the local public sector. School districts, for example, are getting money here in the next year. There was a few billion dollars that were released to beef up cybersecurity. And that happened in light of the Los Angeles Unified School District attack that happened a couple of months ago, which was really costly for them. There’s definitely gaps in security and the highest levels of government are sending money to the lower levels of government to make sure that we can avoid those kind of disruptions.
CF: Can the cybersecurity channel help local leaders and others with better securing the power grid?
PH: Absolutely. A vendor is very invested in what they do, and the channel works with different technologies. So a channel VAR in cybersecurity may sell endpoint detection and response (EDR), and also may sell security event monitors and training. So I think the channel has a great opportunity to be well-rounded and really well-versed in cybersecurity, whereas vendors laser-focus on a particular security thing they’re trying to fix. So the channel has the opportunity to be consultative with their clients on what are the best practices and policies, and technologies, and recommend the technologies that are best for a given scenario. The channel has a lot of expertise and that should be leveraged by end users, the people who buy to consume what we make. They should be using the channel to give them advice because they can see outcomes across their customer base.
CF: From the standpoints of both prevention and response, have we seen any improvement in safeguarding the power grid?
PH: There’s been action taken. The GAO reports on where they’re at. For awareness and training for employees within the grid, they’re about 50% there. For data security, they’re about 50% there. It looks like they’ve got information protection processes and procedures about 75%. In terms of protective technologies, they’re 50%. So they’re doing something, we can see there’s progress there.
I think when you hear those percentages against full compliance with the framework, you look at where they’re not compliant yet and that makes you afraid. So is there progress? Are they doing identification, yes, but for supply chain risk, they’re 50% in terms of just identifying the risk there. So think of all the business that is being done by people who run the energy grid with vendors that supply technologies and anything else. How secure are those applications or products?
CF: If there is an outage, does restoration differ between outages that are caused by natural disaster, etc., versus a cyberattack?
PH: The answer would depend on how localized that attack was and how quickly an incident response team could identify where the actual attack happened, what device, server or person was compromised, and can they remove that and then get it back up and going. The answer to that question is totally dependent on the scope of that attack. And it depends on the malware used as well. I would think that given the critical nature of the grid, all hands would be brought to bear in an incident response kind of engagement to get it up and going. And hopefully large infrastructure wouldn’t have to be replaced like in a physical natural disaster.
CF: Have any ransoms been paid related to power grid attacks?
PH: I don’t know of any ransoms in particular to the grid. I know about ransoms in other sectors. And I have talked to clients that have ended up paying against the wishes of the FBI, which gets involved because they don’t want to create a market for ransomware. But some of these critical infrastructures, the people who run them are like we have to be back online, so we decided to pay it. In the instances that I’m familiar with, the bad guys made good on their promise to restore their environments. But there’s no guarantee that will happen.
In other cybersecurity news this week …
The City of Oakland has declared a state of emergency one week after a ransomware attack hampered local government operations, according to a Recorded Future report.
Interim City Administrator G. Harold Duffy issued the declaration due to the ongoing impacts of the network outages resulting from the ransomware attack that began Feb. 8.
“As previously communicated, the network outage has impacted many non-emergency systems including our ability to collect payments, process reports, and issue permits and licenses,” Duffy said. “As a result, some of our buildings are closed. We encourage the public to email the service counters they want to visit before coming to city buildings.”
The city is also requesting state and federal funds to cover the recovery costs associated with the attack. The city attempted to implement workarounds to business processes, and the IT department is working with cybersecurity firms to remediate the incident. The city noted that multiple state and federal agencies are now involved in the response.
Tony Goulding is cybersecurity evangelist at Delinea. He said ransomware attacks such as this are an unfortunate reality today and for the foreseeable future.
“Cybersecurity leaders must continue to emphasize the critical importance of preparedness,” he said. “Nothing will guarantee 100% resilience to cyberattacks, but being prepared with regards to process, people and technology goes a long way.”
Cybersecurity leaders need to ensure they have a solid incident response plan that’s kept up to date and practiced, including ransomware preparedness to factor ransomware’s most commonly used tactics and techniques, Goulding said. Also, they should ensure their incident response plan has owners, that they intimately know their responsibilities, and that there’s out-of-band communications in the event traditional communications are compromised.
In addition, they need to ensure they have modern security controls to help prevent, detect and contain anomalous activity.
“Solidifying these elements can make any organization more resilient so they can detect and respond to an incident more quickly and have a better chance of getting fully operational again in the shortest time,” Goulding said.
Darren Guccione is CEO and co-founder of Keeper Security. He said this egregious cyberattack is the latest example of the pervasive threat that predatory cybercriminals pose to everyone, from multinational businesses to local law enforcement.
“No one is safe from cybercrime and often the most vulnerable among us are the most likely to be targeted,” he said. “This threat actor is affecting Oakland PD’s operations and response times, which directly impacts the safety and well-being of Oakland residents.”
Now the city faces the impossible decision of whether to pay the threat actor to release their data, or risk losing access to the files and systems it relies on to protect its residents, Guccione said.
“Yet, cybercriminals are exactly what their name implies,” he said. “They are criminals, and as such, they cannot be trusted. Paying a ransom provides no guarantee a bad actor will decrypt a victim’s files or reinstate access to their systems. Furthermore, there are ample examples of cybercriminals publishing stolen files to the dark web, even after receiving a payment. The Oakland PD will have a long and expensive road to recover from this ransomware attack, and ensure that another cyberattack of this nature does not happen again. This incident serves as yet another reminder of why everyone must make cybersecurity a priority.”
A new report by Cytrio, a data privacy compliance company, shows more than 90% of companies aren’t in compliance with the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA) and the European Union’s General Data Protection Regulation (GDPR).
As of Dec. 31, 92% of companies across all verticals, states and business sizes are still unprepared for CCPA and CPRA, and 91% are unprepared for GDPR, using time-consuming and error-prone manual processes. CPRA and employees’ rights to exercise data privacy went into effect on Jan. 1. It requires companies to deploy a CCPA/CPRA and GDPR compliance management solution to avoid fines and penalties.
GDPR continues to be actively enforced with fines totaling in excess of $2.5 billion, and the total number of fines under GDPR reached 1,462 as of the end of the fourth quarter.
Other findings include:
More than 50% of companies said they need to comply with CCPA, but do not provide a mechanism for consumers to exercise their data privacy rights.
Further, 38.6% of companies are using expensive and error-prone manual processes.
Four percent of companies that were using manual processes in the first quarter of 2022 moved to compliance automation solutions, while 11% of non-compliant companies moved to a manual process to comply with CCPA by the fourth quarter of 2022, indicating companies are slowly moving up the CCPA/GDPR compliance maturity curve.
This year, data privacy regulations go into effect in Virginia, Colorado, Utah and Connecticut, while several other states are expected to approve data privacy regulations.
Vijay Basani is Cytrio’s founder and CEO.
“The requirements that companies are facing today related to data privacy regulations are steadily increasing,” he said. “As the CPPA turns its attention to CPRA enforcement, we will see a significant increase in enforcement actions. Additionally, as was the case with GDPR, media coverage of increasingly higher numbers of enforcement actions will educate consumers regarding their data privacy rights, resulting in consumer requests under CPRA. Companies need to act now to implement solutions to comply with CCPA, GDPR and other data privacy regulations.”
Community Health Systems (CHS), one of the nation’s largest health care companies, has reported a cyberattack in which the attacker stole 1 million patients’ data.
Based in Tennessee, CHS has nearly 80 hospitals in 16 states. It reported the cyberattack in a filing with the U.S. Securities and Exchange Commission (SEC).
Fortra, a CHS third-party vendor, notified the health care company that it had experienced a security incident that resulted in the unauthorized disclosure of company data.
“Fortra is a cybersecurity firm that contracts with company affiliates to provide a secure file transfer software called GoAnywhere,” CHS said. “As a result of the security breach experienced by Fortra, protected health information (PHI), as defined by the Health Insurance Portability and Accountability Act (HIPAA) and personal information (PI) of certain patients of the company’s affiliates were exposed by Fortra’s attacker.”
Upon receiving notification of the security breach, CHS launched an investigation, including to determine whether any company information systems were affected, whether there was any impact to ongoing operations, and to what extent PHI or PI had been unlawfully accessed by the attacker.
“While that investigation is still ongoing, (CHS) believes that the Fortra breach has not had any impact on any of the company’s information systems and that there has not been any material interruption of the company’s business operations, including the delivery of patient care,” CHS said. “With regard to the PHI and PI compromised by the Fortra breach, the company currently estimates that approximately 1 million individuals may have been affected by this attack.”
CHS said it will ensure that appropriate notification is provided to any individuals affected by this attack, as well as to regulatory agencies as required by federal and state law. It also will be offering identity theft protection services to individuals affected by this attack.
CHS carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature. However, it may have incurred, and may incur in the future, expenses and losses related to this attack that are not covered by insurance.
“While the company is continuing to measure the impact, including certain remediation expenses and other potential liabilities, the company does not currently believe this incident will have a material adverse effect on its business, operations or financial results,” it said.
Almog Apirion is CEO and co-founder of Cyolo, a zero trust access provider.
“Health care organizations are unfortunately no stranger to cyberattacks and data breaches,” he said. “Institutions like CHS are an attractive target for threat actors due to their troves of personal information and their reliance on third parties both for cybersecurity and other aspects of their work. The reality is that when hackers exploit vulnerabilities in third-party security tools, the lives and privacy of patients are put at risk. Interoperability is vital for successful health care delivery, so a managed file transfer (MFT) is a needed solution. But when the admin console is accessible via the internet, it’s only a matter of time before data is breached. Any connection to a sensitive data source must be properly managed and secured.”
Zero trust access strategies should be employed to support the needed connections, especially between care delivery partners, Apirion said.
U.S. power grid attacks, including cyberattacks, are likely to increase this year as malicious actors are realizing just how vulnerable and exploitable it truly is.
That’s according to Paul Hafen, cybersecurity expert at Impero Software Solutions. The company provides cybersecurity to the public sector, including school districts, as well as secure remote connections from device to device.
According to Politico, citing a top cybersecurity executive, hackers tied to Russia last year got close to knocking out a major portion of the U.S. power grid. And the malware they used is still out there.
The attack occurred early in Russia’s invasion of Ukraine. Hackers deployed malicious software to try to take down “around a dozen” U.S. electric and liquid natural gas sites.
U.S. Power Grid Vulnerable to Both Cyber, Physical Attacks
The power grid is vulnerable to both cyber and physical attacks, which are on the rise. Earlier this month, the U.S. Justice Department charged a neo-Nazi leader and his associate with plotting to attack Baltimore’s power grid, according to Reuters. The FBI prevented the attack with the help of a confidential informant.
“What’s been of interest to me over the years is what more organized groups are able to do,” Hafen said. “We’ve heard a lot about Ukraine lately and there was an attack years ago on the grid that took them down. And that was attributed to Russia. These people are what we call advanced persistent threats (APTs).”
These APTs are slow, low and incognito, he said. They use tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs), which are basically malware.
“I don’t know if I’m expecting more this year, but my antennae are up, it’s top of mind with everybody,” Hafen said. “There’s been a lot of news about it. There’s precedent for it. We’ve seen it in Ukraine. A lot of people who have geopolitical focus are saying Ukraine is a test bed for an attack on the United States. For foreign actors, that’s the little leagues and they’re looking to come to the big leagues. And in smaller, regional ways, there’s been attacks. So when there’s a precedent, that makes the possibility of another one or a bigger one all the more likely in the minds of people.”
In addition, the federal government has announced its efforts to ramp up grid security and what it still needs to do to safeguard it, he said.
“So all of that information, together with the precedent, makes a lot of us concerned that we are not without risk,” Hafen said.