Editor’s Note: Power Engineering recently did a Q&A with Bill Moore, CEO and founder of XONA. The company is a user access platform tailored for remote operational technology sites.
Moore has an extensive, 20-year career in cybersecurity and high-tech sector issues. In light of the recent attack on the Colonial Pipeline and other infrastructure, PE thought it was timely to get some insights on the cyber and ransomware dangers facing the power utility industry.
— — — — —
Power Engineering: Companies and mission-critical facilities like hospitals have been hit with ransomware attacks for years. Yet, with the shutdown of the Colonial Pipeline, we are reminded of the threat to electric power generation and service. Are utilities adequately prepared? And if not, what can they do better to defend themselves?
Moore: “I don’t want to speak for all utilities since the industry isn’t a monolith. However, we’ve seen enough cybersecurity incidents in the past several months to know that the sector should be on notice. Even before the pandemic, cybersecurity threats were becoming more common and sophisticated. Today, many utilities embrace hybrid work arrangements that expand their threat surface, requiring enhanced security measures when connecting to critical infrastructure systems.
“To improve their defensive posture, utilities need a two-tiered approach: First, they need to address their digital hygiene. The Colonial Pipeline attack was executed using a single compromised account password, which is a reminder that everyone has a role to play in keeping critical infrastructure. At the same time, utilities need to employ a zero-trust framework, including two-factor authentication, protocol isolation, user-to-asset connection segmentation as well as user access monitoring, logging and recording.”
Last year, then President Trump issued an Executive Order for the bulk power system supply chain. Has the Biden Administration followed up on ensuring that the supply chain is free of potential cyber challenges from foreign manufacturers?
Moore: “In April, President Biden launched a 100-day plan that harnesses the cybersecurity efforts of the U.S. Department of Energy (DOE), the electricity industry, and the Cybersecurity and Infrastructure Security Agency (CISA). Meanwhile, the President’s recent summit with Russian President Vladimir Putin was covered extensively for its focus on cybersecurity and critical infrastructure.
“However, initiatives and bilateral meetings can only go so far. With so many threat actors, including nation-states, terrorist organizations, and freelance hackers, targeting utilities, it would be foolish to rely exclusively on executive action to fortify their critical infrastructure.”
What is the key threat to power plants or electric utilities: a complete shutdown of generation or disconnection on the grid?
Moore: “These options are not dichotomous, and they both come with enormous consequences for utilities and their customers. It’s clear that threat actors are targeting everything from industrial controls to power generation. Utilities can’t limit their defensive efforts. They must account for all potential vulnerabilities.”
Are utilities getting the staffing expertise they need to work against these threats? Where do we find the right people?
Moore: “Like many sectors, utilities are struggling to attract and retain top cybersecurity talent. There are more than 500,000 unfilled cybersecurity jobs in the U.S. alone, making it extremely difficult for utilities to adequately respond to existing and emerging threat trends. In response, utilities need to find talent wherever it’s available, training and upskilling existing employees while investing in next-generation solutions.
“Of course, these answers take time to mature and develop, and utilities can’t wait for tomorrow’s talent to meet today’s challenges. Managed Service Providers (MSPs) and cybersecurity consultants bridge that gap, providing readily available expertise to enhance utilities’ defensive posture today.”
Do utilities provide enough training for staff to handle or identify cyber probes?
Moore: “Utilities can significantly mitigate cyber risks with comprehensive employee training initiatives, but few are taking these efforts seriously enough. For many employees, cybersecurity concerns are unseen risks until they are frighteningly manifest. Comprehensive awareness and response training can change this equation entirely.
“Across the board, our digital hygiene is in bad shape. Most people reuse their account credentials with multiple services, and they rarely update these credentials, even after a breach notification. At the same time, many decline to enable simple security features, like two-factor authentication, which could significantly reduce the risk of a threat actor gaining account access. Perhaps most importantly, employees must be able to identify phishing scams, which significantly increased in scope and effectiveness since the pandemic’s onset.”
Another question about the workforce: For those outside the IT realm, what’s the best way to make them understand the threat from bad actors and to be vigilant not to be used by the attackers?
Moore: “85 percent of data breaches involve a human element. It’s clear that guarding against a cyberattack is an all-in effort, requiring employees at every level to actively embrace best practices to secure data and IT infrastructure. Employees need to understand the consequences of a data breach, but they also need to know that they can take steps to keep everyone safe. Achieving buy-in needs to be a company culture priority, and it starts at the top.”
Should the electric industry do more “war planning” or tabletop exercises to figure out how best to respond to such attacks? What kind of preparation is most important to be proactive?
Moore: “Undoubtedly, utilities need to formulate response plans. If a cyberattack occurs, chaos often ensues, and leaders will have limited capacity to respond to fast-moving events. However, “war planning” shouldn’t supersede defensive maneuvering. Before rehearsing worst-case scenarios, utilities should spend their efforts on fortifying their defensive posture, ensuring that they are adapting to the latest threat trends and covering their increasingly expansive threat vectors.”
What is the likelihood, percentage wise, of a major portion of the grid getting shut down by ransomware in the next two years?
Moore: “I don’t know how to quantify the likelihood that a ransomware attack will disrupt the power grid in the next two years. However, the evolution of automation into controls and sensor systems with both OT and IT interdependencies have made securing enterprises much more complex. Cybersecurity professionals surely have their work cut out for them as threat actors now have more vectors to launch attacks. The Colonial Pipeline attack underscored the vulnerabilities of today’s interconnected utilities. With a new ransomware attack occurring every eight minutes, it is alarmingly likely that we haven’t seen the last successful attack, which should increase the impetus for every utility to take action today.”