America’s utilities are on high alert due to an elevated threat of cyberattacks. Hacking, ransomware, and data breaches have been longstanding concerns, but rising tensions since Russia’s invasion of Ukraine in late February have moved cybersecurity to the top of the agenda for electricity, gas, and water operations.
The Biden administration has warned U.S. companies and critical infrastructure that Moscow could launch attacks in retaliation for U.S. sanctions imposed in response to Russia’s action in Ukraine. The administration said in March that the federal government was prioritizing the protection of “lifeline sectors” including energy and water.
While no major cyberattacks materialized in the weeks immediately after the Ukraine invasion, federal investigators in March detected Russian IP addresses scanning for vulnerabilities in the networks of five U.S. energy companies along with 18 other companies, likely in preparation for an attack. In April, the U.S. government said it secretly removed malware from computer networks around the world to pre-empt Russian cyberattacks. Russia was also responsible for a cyberattack against Ukraine’s grid in April that sought to cut power to 2 million people, Ukrainian officials said.
These incidents and government warnings have prompted extra vigilance from U.S. utilities. The 537,000 workers in the sector play a crucial role in defending against cyberattacks. UWUA has long recognized the issue of infrastructure vulnerability and passed a resolution at our 31st Constitutional Convention in 2019 calling on utilities and grid operators to “safeguard the privacy of consumers’ data; create a culture of constant cyber vigilance; share information with each other and appropriate authorities about existing and emerging threats; and to ensure they have the resources to acquire the requisite tools to accomplish these additional tasks, and staff and train accordingly.”
Number of hacking attacks grows sharply
The standoff between the West and the Kremlin over its aggression in Ukraine immediately raised concern about Moscow-directed cyberattacks because Russia has a history of successful cyberwarfare in prior conflicts as well as government-supported cyberattacks against targets in the West.
These include the following incidents:
- After its occupation of Crimea in 2014, Russian knocked out power in parts of Ukraine in 2015 and 2016 with cyberattacks.
- Kremlin-linked hackers started the NotPetya ransomware campaign in Ukraine in 2017. It eventually spread around the world and caused billions of dollars in damages.
- Russia-based criminals in 2021 penetrated the network of U.S. oil pipeline operator Colonial Pipeline with ransomware. The company shut down its systems to contain the damage, causing gasoline shortages in the Southeast.
- An unidentified hacker penetrated the controls of a Florida water treatment plant in February 2021 and dangerously altered chemical levels. A watchful plant employee saw the hack and immediately reversed the change before harm occurred.
- Three Russians are accused of a five-year campaign to hack the Wolf Creek nuclear plant in Kansas aimed at being able to disrupt and damage its systems in the future, an indictment unsealed in March said.
According to NextGov.com, 10 percent of ransomware attacks on industrial targets were against electric utilities between 2018 and 2020, and the number of ransomware attacks on utilities has increased 50 percent in the past two years.
Across all industries, cyberattacks increased 50 percent year over year in 2021, with the average organization facing 925 cyberattacks per week, according to Check Point Research.
Vital role of utilities makes them targets
Utilities are high-priority targets because disrupting their operations would cause widespread chaos. For example, the interconnected nature of the U.S. electric grid means that coast-to-coast blackouts could be triggered by knocking just nine substations offline, a report by the Federal Energy Regulatory Commission found, according to a “60 Minutes” broadcast in February.
Many utilities, especially in the electric sector, say they are well prepared to deal with cyberattacks after years of work to improve their readiness. But industry experts say this critical infrastructure remains vulnerable because of the constantly evolving techniques of hackers, the increased use of embedded digital sensors and controls that offer new entry points, the sheer number of utilities across the country, and interconnections in the power grid and among pipelines. This means that even a utility with strong defenses can suffer the consequences of a cyberattack if it causes cascading failures among connected entities.
“What we’ve never had is a national-scale blackout, which is completely possible under some known threats such as the cyber threat…The U.S. public is completely unprepared to survive without the electric grid for any period of time whatsoever,” Mike Mabee, an expert on grid security and emergency preparedness, told “60 Minutes.”
While water utilities are not linked in this way, attackers may find the opportunity to sow widespread fear irresistible. “Since water and wastewater provide the most basic service for daily survival, they are attractive targets,” John Sullivan, chief engineer at Boston Water and Sewer Commission and chair of WaterISAC, an organization that shares threat information for the water sector, told Water Finance & Management. “The best way to look at it is that all critical infrastructure is vulnerable, even the most well-financed and technically sophisticated.”
Utilities have varying levels of readiness
The strength of utilities’ defenses varies widely. Major utilities in large and urban areas and investor-owned utilities have significant financial resources and capacity to prepare. But many utilities are small, without comparable staff and budgets and therefore face greater challenges in thwarting attacks. For utilities both big and small, the Biden administration has actively promoted cybersecurity initiatives, so efforts are underway to increase and maintain defenses.
But no system is impenetrable in the face of unrelenting efforts to infiltrate, cybersecurity experts say. The odds over the long-term favor hackers, who are continuously probing for weaknesses and deploying new methods.
“If Russia as a nation-state decided it wanted to attack the national infrastructure of the U.S., including what I’m responsible for, I don’t have much chance of stopping them,” Peter Fletcher, the information security officer for the San Jose Water Company, which is part of a group that manages water services in several states, told the New York Times in April. “The entire Russian nation-state versus Peter? I’m going to lose.”
Most serious threats exploit human error
While Russia will pursue ever more sophisticated techniques, cybersecurity experts say the greatest threat is hacking methods that are already common. These often exploit human fallibility such as with phishing email campaigns that trick people into disclosing their passwords. So-called social engineering techniques like phishing were used in 86 percent of utility system breaches in 2021 while ransomware accounted for 44 percent of the remainder, a Verizon analysis found.
Other significant threats include malware, which is software covertly installed by hackers that performs harmful actions. These include deleting and corrupting data and taking command of industrial controls. Much of the operational technology currently in use at U.S. utilities was implemented decades ago and is not equipped for continuous security monitoring or other current cybersecurity practices, so utilities have had to play catch up.
Cybersecurity specialists urge gas, water, and electric utilities to prioritize certain defensive measures in this threat environment. These include:
- Training to increase employee awareness of their role in stopping attacks such as by using strong passwords and spotting signs that hackers have compromised systems.
- Multi-factor authentication, which requires users to pass a second credential verification to gain access to the network such as by entering a code that arrives by text message.
- Robust spam filtering to block phishing emails.
- Frequent software updates and installation of patches to close newly identified vulnerabilities.
- Running regular system backups that are not stored on the network.
- Installation of anti-virus and anti-malware programs.
- Use of a threat intelligence service.
- Strong monitoring systems so that a utility detects a cyberattack early.
- Partnerships and collaboration for information sharing with other utilities.
Perhaps the most important element in a utility’s strategy is its plans for dealing with an attack, cybersecurity experts advise. A detailed playbook should be ready and guide employees through the immediate response to an attack and subsequent recovery. Utilities should run drills of cyberattack emergency plans and have outside specialists test systems for vulnerabilities.
The role of workers in defending against cyberattacks
Understanding workers’ significant role in detecting and thwarting cyberattacks on the frontlines, UWUA has been vocal in urging members who spot problems to sound the alarm.
While Russia’s action in Ukraine has lent new urgency to cybersecurity at utilities, experts stress the unpredictability of hacking attacks and note that other preexisting threats have not diminished. Governments such as China, Iran and North Korea as well as hackers operating with shadowy government support, criminal gangs, and extremist groups both foreign and domestic have active cyberattack efforts, security specialists say.
Even if the Ukraine conflict recedes from the headlines, the need for heightened readiness at America’s utilities will endure as other threats emerge. Workers like the quick-thinking Florida water plant employee who detected a hacker’s potentially lethal system changes will remain a critical part of defending our nation’s infrastructure.