For Cybersecurity Awareness Month, NRECA’s Along The Lines podcast devoted a 25-minute episode to ransomware attacks and the threat they pose to electric utilities. Host Scot Hoffman was joined by Ryan Newlon, NRECA’s principal for cybersecurity solutions, and Dave Eisenreich, a special agent with the FBI’s Cyber Division and that group’s liaison to the energy sector.
While we recommend listening to the podcast, we know it’s the type of thing that folks often say they’ll get to later…and then never do. So we put together a post with key takeaways in case you don’t get around to listening.
Ransomware became a household term in 2021 when the Colonial Pipeline was shut down for several days after hackers attacked the company’s billing system. This type of intrusion is on the rise in the U.S. and around the world, with utilities serving as prime targets.
As Dave, the FBI special agent, puts it:
“Our data showed a 200% increase in attacks. And that’s just the tip of the iceberg. Attackers know utilities can’t afford to be down for long. That makes them an attractive target for ransomware. Adversaries think they’re likely to pay up.”
Utility leaders across functions need to be aware of the potential for ransomware attacks and strategies for protection. That’s where Scot focused the conversation.
Ransomware is defined as digital malware that encrypts a victim’s system. The malware often comes through a link in a business email and then encrypts critical system data and holds that data for ransom. Victims know their data is being held for ransom because something pops up on the screen and says, “If you want access to your data, pay us $X.” If the victim doesn’t pay, they may permanently lose access to the critical data and end up paying more in recovery costs than the ransom.
The term ransomware isn’t particularly creative, and it’s a reasonably straightforward concept to understand. But preventing ransomware attacks is a more complicated effort.
There are several reasons why prevention is difficult:
So what can be done to prevent or mitigate ransomware attacks?
Nearly every utility has some protection against ransomware in place. After all, ransomware is quite similar to other types of cyberattacks that have been around for decades. The most common protections include:
But both Ryan and Dave stressed that while these are helpful foundations, they are not sufficient to prevent ransomware attacks. Together, the experts detailed five actions that utilities can take to improve their protections.
They are the first people you’ll want to call when attacked, and it’s their job to help you prevent and mitigate cyber attacks. Opening a dialogue is as quick and easy as a phone call, but it’s worth knowing who you’re going to call if a crisis strikes.
If they don’t have one, the FBI can provide a checklist that your lawyers can review. Legal counsel is always your second call. Being prepped ahead of time can make it easier to make fast, informed decisions.
The easiest way into critical systems is via a poorly connected device (like a printer) attached to both IT and OT systems. Often utilities won’t even think about which devices are connected to both and whether they need to be. Protections can be as easy as buying a second printer to eliminate that IT-OT bridge.
People don’t want to publicly share that they’ve been hacked, but it happens often. There are ways to anonymize what happened while sharing lessons learned with others. Organizations like NRECA or IC3 have teams that do this – connecting with them can help you proactively identify threats and lower risks. Often it’s as easy as joining an email listserv.
Most utilities have a crisis response team. Ensure that yours has a plan in place for cyberattacks and that everyone at your organization knows who to contact. Identify ahead of time who will decide whether or not to pay a ransom. Give them estimates of the business value of different data sets. Ultimately, paying the ransom is a business decision – one you’ll be forced to make quickly and under pressure, so gather estimates ahead of time to make a well-informed decision.
Protecting against ransomware requires vigilance. There are no investments that can fully protect an organization. But each of these steps can help lower your risk profile and improve your ability to manage ransomware attacks.
We’re grateful to NRECA and Scot, Ryan, and Dave for sharing their perspective. We’ll keep our eyes (and ears) open for more great cybersecurity resources and share them on our blog.