Cybersecurity for Utilities: Municipal Utilities Have Become a Major Target

It's no secret cyberattacks are becoming more advanced and more frequent, affecting a variety of high-profile targets. Financial institutions, healthcare facilities, universities, and government agencies are feeling the effects. Still, most people are surprised to hear municipal utility companies have become a major target for nation-state actors. The idea seems ridiculous at first, but threat actors can anticipate the effects of such an attack and why these agencies are such a suitable target. That’s why it’s crucial to have cybersecurity for utilities. 

When you consider how dependent we are on the electrical grid, it's not impossible to consider the disastrous effects of a major long-term attack. Utility companies provide essential services like electricity, heat, water, and gas. Any attack that damages the critical infrastructure or disrupts these services needs remediation immediately. Unfortunately, even as these attacks multiply across the country, many people in the industry remain unconvinced of the potential for an attack on virtually any facility. 

We've established that as technology evolves, cyberattackers take advantage of opportunities to exploit vulnerabilities. However, the worldwide attacks on municipal utilities in the past year have virtually doubled. Additionally, the attackers have exponentially increased the bandwidth and speed of the attacks, making them much more effective. Unfortunately, utility companies are largely unprepared for these attacks. Proper security becomes even more difficult as attacks change in nature to do more than access sensitive data. Recent cyberattacks on utility companies focus on attacking operational systems and disrupting essential services. 

Why Municipal Utilities are a Target for Cyberattacks 

Municipal utilities provide vital services and represent critical infrastructure. This means they provide cyberattackers with a variety of ways to extort money or cause confusion and destruction. Nation-state actors who have previously targeted government agencies are facing tougher cybersecurity systems and could be changing direction to municipal utilities in an attempt to exploit an unprepared target. The following reasons explain why cyberattackers aim for such a seemingly small target. 

Easy Access 

As primary targets like banks, large companies, government agencies, and the military are tightening security to avoid the risks of mass cyberattacks, hackers are seeking easier prey. Municipal utility companies are generally under strict budgets and largely unaware of the likelihood of an attack. With minimal security tools in place and a growing number of access points, threat actors likely view these companies as an easy target with a lot to lose. 

Cybersecurity Logging and Monitoring

Employees within utility companies often have little or no training about cybersecurity practices and ways to prevent an attack. This means routine cyber hygiene practices like creating strong passwords, using email encryption, and creating comprehensive cybersecurity for utilities. 

A Wealth of Opportunity 

Municipal utility companies provide critical services to thousands of people in any area. These companies are also responsible for handling large amounts of sensitive data. Unfortunately, this combination provides cyberattackers with the opportunity to launch attacks on both IT and OT (operational technology) systems. Attacks on municipal utilities can cause: 

  • Large-scale power outages 
  • Contaminated water systems 
  • Wide information breaches that affect thousands of customers and employees
  • Damage to critical infrastructure and essential networks that could take months to repair 
  • Billions of dollars lost each year to ransom demands and critical repairs 

IoT Growth 

As utility companies adopt modern technology to streamline processes, vulnerabilities are exposed. The internet of things (IoT) (sometimes called the industrial internet of things: IIoT in the utility sector) assists companies in the collection of data, providing insights, and improving efficiency and safety. Unfortunately, it also provides a large attack surface for threat actors to exploit. A large attack surface combined with limited resources to protect a multitude of endpoints put municipal utility companies in a vulnerable position. Additionally, since this operational technology is still evolving, many of the dangers haven't been addressed yet. 

Limited Awareness of the Threat 

Municipalities are often on strict budgets overseen by elected officials, shareholders, or managers who rarely participate in the daily tasks required of the company. While these officials are in charge of allocating funds for necessary protection like enhanced cybersecurity for utilities, they remain largely in the dark about the potential for an attack. From department managers and elected officials to average end-users, the majority of individuals in the utility sector are unaware of the need for cybersecurity.

COVID-19 Impact 

Cyberattackers were poised to take advantage of a major global event and the pandemic provided an unfortunate opening. Utilities were no exception to the trend of vulnerabilities that were exploited when the majority of employees were forced to work remotely. As the pandemic stretched into the summer, the number of cyberattacks on utility companies exploded from 101 in July 2019 to 874 in July 2020. Attacks come from a variety of sources, but the biggest concern is the potential for nation-state attacks. 

Types of Cyberattacks Launched on Municipal Utilities 

Cyberattacks launched on municipal utility companies are similar to attacks in any other industry. However, the potential for OT attacks and the dangers of a major service disruption up the stakes. Here's how the most common cybersecurity attacks affect municipal utility companies. 

Denial of Service 

Attacks that stop users from accessing essential networks are referred to as denial of service (DoS) or distributed denial of service (DDoS) attacks. A DoS attack is launched by a single attacking computer, while a DDoS attack is launched by multiple attacking devices. Denial of service attacks are exactly what they sound like. While the attack is in progress, companies can't access the means to provide services. These attacks have serious implications for any company, but the interruption of essential services like electricity or running water can quickly become catastrophic. 

Malware 

Advanced malware typically provides attackers with a way to breach utility networks and glean information for more advanced attacks. Malware attacks come in several forms and are introduced to networks in a variety of ways. The most common malware types exploit endpoint vulnerabilities. 

  • Backdoor Malware: Hackers insert undetected malware into a network for reasons such as data theft, network control, and the ability to spread additional malware to disrupt critical services. 
  • Trojans: Advanced malware disguised as routine network activity can be used to move laterally within the network and steal high-level credentials that allow attackers to access sensitive data or gain control over the system. 
  • Wipers: Malware designed to erase data or functions from a computer was initially used by hackers to conceal an active attack or destroy evidence after a successful attack. There is growing concern that an advanced wiper attack could disable critical systems and cause a physical shutdown of an entire facility. 

Ransomware 

Utility companies handle and store a wealth of sensitive data. They're also responsible for distributing essential services and maintain critical infrastructure. When attackers access utility networks, they can hold vital information or the ability to provide services hostage until the company pays a large ransom. Services may be restored after a ransom is paid, but there is no real guarantee. 

Phishing 

This well-known tactic is used within utility companies in the same way as attackers target employees in large corporations. Attackers email unsuspecting employees of every level in an attempt to gain access to sensitive information or breach the network. Phishing can be especially effective within the utility sector because employees rarely have the security training to recognize the threat. 

SOCaaS Guide

Data Theft 

Utility companies are responsible for the handling and storage of sensitive customer and employee data. In the past, securing this data was as simple as managing a secure perimeter to protect information kept within a facility or on-site devices. As the IoT expands, attackers can find vulnerabilities within home devices, operational technology, and even online customer service connections. 

Utility Grid is an Attractive Target for State Actors 

All cyberattacks on municipal utilities are a plausible threat. However, the potential for major attacks by nation-state actors is perhaps the biggest concern. There's no shortage of evidence that state actors have the ability to disrupt a country's power supply. In 2015, a Russian group launched cyberattacks against the Ukrainian power system, causing temporary blackouts that affected 200,000 people. 

There is little doubt that other countries are capable of such attacks. While evidence surrounding some attacks proved ultimately inconclusive, attacks targeting U.S. utilities are suspected to be the work of state actors. LookBack malware that targeted utility companies in 18 states across the country in 2019, was suspected to have originated in Hong Kong. In March 2018, the DHS and FBI put out an alert warning about a campaign by Russian government hackers that targeted small commercial facilities and networks and gained remote access into energy sectors.

Ultimately, the goals of state actors attacking municipal utilities are to breach the system and gain control. Whether the intention is power disruption, extortion, or political gain, threat actors are likely to discreetly gain entry into networks before an attack occurs. The motivation and capability for such attacks exist. Yet, most organizations remain under the assumption they aren't a target. One possible concern is that the planning phase simply isn't complete, in which case, state actors could be quietly accessing a variety of networks to plan an efficient attack. 

The Dangers of a Coordinated, Serious Cyberattack on Municipal Utilities 

While the economic impact and harm caused by ransomware and denial of service attacks can't be downplayed, the danger of a targeted attack from Nation-State Actors would be disastrous. The idea that smaller facilities aren't a target provides many companies with a false sense of security, leaving them largely unguarded. These attacks could have severe consequences on their own, and potentially give attackers access to larger connected systems. 

While an example of such an attack doesn't currently exist, we can gather information provided by infrastructure shutdowns caused by natural disasters. For instance, the 2019 blackouts in Northern California were a result of deliberate shutdowns due to the projected damage wildfires could cause. The blackouts put 1.5 million people out of power (including 248 hospitals) and forced evacuations. Similarly, a windstorm in Wyoming in 2017 that knocked down power lines, caused power outages that lasted a week. While backup generators assisted operations in some areas, sewage treatment plants without generators backed up. As a result, the water had to be shut off and the town evacuated. Recent weather-related shutdowns in Texas provided a starker demonstration of the human-related effects of massive outages. People lost communication, struggled to access uncontaminated drinking water, and froze in their homes. 

These examples show how quickly the effects of a power outage can have devastating effects. However, none of the shutdowns were deliberate. Nation-state threat actors with the desire to destroy critical infrastructure could create long-lasting effects that affect hundreds of thousands of people in a single area. If coordinated attacks occurred in multiple areas, the devastation would be far worse. Repairing or replacing damaged and destroyed utility systems could take weeks or even months. 

For most people, loss of power for a few hours is a nuisance. After a few days, it will likely cause moderate economic disruptions. Any longer and human health quickly becomes a factor. Power outages during the winter will have a bigger impact as millions will be without heat. However, these facts fail to consider electricity dependents. Those with health conditions that require electricity-dependent devices are in immediate

danger when the power goes out. A 2012 study conducted by the National Institute of Health states that over 685,000 people nationwide depend on electricity to survive. 

Failing to understand the gravity of the potential effects of a power grid attack leaves municipal utility companies unprepared to enact the necessary cybersecurity measures necessary to prevent looming attacks. Proper cybersecurity for utilities is essential to maintaining our way of life. 

Zeeland Testimonial FINAL

Cyberattacks Hidden, Downplayed, or Never Disclosed 

In the age of information, learning the details of frequent cyberattacks across and even worldwide shouldn't present a large challenge. After all, every state and local government agency could benefit from the information that would lead to the early prevention of cyberattacks. Unfortunately, the information is often hidden or simply never disclosed. Just like any business hoping to protect a reputation, municipalities often avoid reporting attacks to maintain credibility. 

While this behavior might be a solution for one company in a localized area, it's a dangerous misrepresentation of the real dangers that exist. Many businesses indeed behave in the same manner, potentially failing to share information that could help protect other organizations from attack. However, the problem has a wider reach in the utility sector. Failure to report attacks provides a false sense of security for the Department of Energy and governing bodies that could introduce new regulations for such attacks. It also leaves other facilities under-prepared for similar attacks. The bigger picture for municipal utility companies comes down to money that could be spent on cybersecurity solutions. Cyberattacks are downplayed or swept under the rug to avoid lost confidence from shareholders. Yet, when the reality of the danger is downplayed, money in the budget isn't allocated to cybersecurity for utilities and necessary training. 

Cybersecurity Solutions to Protect Municipal Utilities 

Learning the potential risks of a power grid attack could provide a necessary wake-up call for those who think cybersecurity is an unnecessary burden. In late April 2021, the Biden administration announced a 100-day plan described as a coordinated effort between the DOE, the electricity industry, and the Cybersecurity and Infrastructure Security Administration (CISA) to enhance the protection of the electric grid from cyberattacks. Still, every company will need to take active steps to create customized solutions that eliminate major threats. These measures can help strengthen cybersecurity for municipal utility companies. 

Increase Awareness

All municipal utility companies present a host of potential vulnerabilities, and everyone using the network needs to be aware of the risks. It's common knowledge that human error is an important factor in successful cyberattacks. Yet, in utility companies with end-users at practically every level, the threat is largely unknown. Educating employees at every level and elected officials of the potential risks associated with an attack is one way to promote better cyber hygiene. 

Perform a Company Assessment 

To create a comprehensive cybersecurity for utilities solution, it's essential to understand where your security gaps lie. Often called a gap assessment, a professional assessment will determine where vulnerabilities exist and guide a customized plan to eliminate security gaps. For utility companies, the assessment will need to cover both IT and OT devices and equipment. 

A recent cybersecurity report stated that 30% of attacks on OT are not detected. The majority of companies find OT security to be more of a challenge, and inexperience is one of the biggest reasons for the gap. Attacks on OT equipment and devices are sophisticated and many companies have no experience identifying these threats. A comprehensive cybersecurity plan for municipal utilities will require methods that simultaneously target both IT and OT threats. 

Provide Thorough Training 

All employees are targets for phishing emails or other cyberattack attempts. Phishing attacks are still the number one way for attackers to gain access into a targeted network. These attacks work because they're sophisticated fakes that convincingly imitate communication from within the company. Providing employees with the knowledge to recognize these threats and other red flags can eliminate vulnerabilities caused by human errors. 

Achieve NERC CIP Compliance 

The North American Reliability Corporation's critical infrastructure plan (NERC CIP) is a set of regulations designed to protect, secure, and maintain the American electrical grid. The plan consists of nine standards and 45 requirements that cover a variety of areas in the infrastructure system. The standards also include regulations for training personnel, incident reporting, and recovery plans. 

2020 brought about updates to NERC CIP that addressed security management controls, electronic security perimeters, and vulnerability assessments. Implementing the updates can help utility companies address concerns related to current attacks. It's

expected that additional updates will be introduced in 2022. Maintaining the regulations outlined by NERC CIP can help utility companies design a robust cybersecurity system. 

Seek Professional Assistance 

Many companies are aware of the need for more robust cybersecurity systems but have no idea how to put these measures in place. Utility companies across the country face an immense financial and task burden working to achieve and maintain NERC CIP compliance. Municipal utility companies on a strict budget don't have the funds to hire an in-house cybersecurity team, and many employees don't have the training to recognize the signs of an attack. 

Security operations center as a service (SOCaaS) provides utility companies with a third-party security operations center that provides 24/7 monitoring, support, and a cybersecurity strategy customized to your company. Cybersecurity for energy providers and utilities from BitLyft includes the installation of advanced cybersecurity software, weekly check-ins, and instant threat remediation. BitLyft provides a full range of cybersecurity solutions to address new viruses, malware, Trojans, and zero-day attacks. 

Additional support is essential for energy providers to ensure all potential vulnerabilities are addressed. BitLyft provides this support with security solutions that match industry-specific requirements and helps address OT system vulnerabilities. Our team identifies supervisory control and data acquisition (SCADA) are likely targets of an attack. Then we provide visibility of these assets and establish a continuous monitoring program to identify unusual behavior, defend against cyberattacks, and protect critical infrastructure. Additional services provide municipal utility companies with easier NERC CIP compliance. 

Cyberattacks on utility companies are becoming some of the most common threats affecting the nation today. Attacks to electrical and water grids prove the danger is real and can no longer be ignored. Cybersecurity for utilities is an essential part of protecting the critical infrastructure we all depend on for everyday activities. Municipal utilities will need to take cybersecurity seriously before a catastrophic attack is launched on the U.S. water and power grid. 

If your company is unprepared to face the potential threats that state actors could inflict during an attack, schedule some time to talk to our team of experts about a customized security plan that addresses your vulnerabilities. 

More Reading

feature image read more
Manufacturing Companies Are Learning Cybersecurity the Hard Way
Cybersecurity is making headlines in many industries regularly. Last year's high-profile SolarWinds attack and the recent Colonial...
feature image read more
DAG Monaco Press Conference on Darkside Attack on Colonial Pipeline
On Monday, June 7th, 2021 United States Deputy Attorney General Lisa Monaco delivered the following press conference in regards to the...
feature image read more
How to Protect Your Industrial Control Systems From Attack
The modern production line is extremely sophisticated and can do many things unimaginable only a few years ago. However, as with so many...