August 27, 2020
By Lisa Martine Jenkins
As the societal disruptions of 2020 continue to pile up, cyberattackers have taken advantage of the chaos, with certain types of attacks against utilities spiking five-fold in recent months, according to data provided to Morning Consult by the analytics firm NETSCOUT. Those who work in and with the utilities themselves, however, have expressed little concern about this surge, reporting that the cyber threats have not impacted their security of service.
NETSCOUT, which maintains a Cyber Threat Horizon tracker in real time, recorded 1,780 “distributed denial-of-service” attacks against utilities worldwide between June 15 and Aug. 21, representing a 595 percent year-over-year increase. A DDoS attack uses multiple platforms in an attempt to flood a target’s system and render it unavailable, often through repeating a request or ping to such a degree that a target — in this case a utility — is overwhelmed.
The marked increase in DDoS attacks on utilities worldwide, including both electric and gas systems, as measured by the attacks’ frequency, volume and speed, has come amid the coronavirus pandemic and other sources of upheaval. And DDoS is not the only type of cyberattack on the rise: The Federal Bureau of Investigation recently warned the U.S. energy sector of a new hacking threat from the Russian hacker group known as APT28, or Fancy Bear, that has used a wide range of approaches.
Roland Dobbins, principal engineer for NETSCOUT’s security division Arbor Networks, attributed cyberattacks writ large to a number of potential motivations, including ideological, geopolitical, extortive, destructive and even nihilistic ones.
“Some people just love to cause harm, and what better way to do so than being able to shut down power for thousands or tens of thousands,” Dobbins said in an email.
While cyberattacks tend to increase annually by all measures simply as a function of the advancement of the technology and sophistication of the criminals, this year’s jump in attacks has been unprecedented. According to exclusive analysis provided to Morning Consult from Dobbins’ colleague Richard Hummel, who manages threat research for Arbor Networks, 2020 has so far seen double the attacks that 2019 did — roughly 3,100 through Aug. 21 compared with about 1,500 during the same period last year.
The attackers have also upped both the bandwidth size and the speed of their attempts. One entity in the Netherlands saw an attack of 88.4 gigabytes per second — in contrast with the 2019 maximum of 21.1 Gbps — while another in Italy faced an attack with a throughput of 11 million packets per second, up from the 2019 maximum of 5 Mpps.
Brandon Robinson, a partner at Balch & Bingham LLP in Birmingham, Ala., who focuses largely on utilities, said the sector has always been a target of cyberattacks.
“Whether one’s motivation is to do financial, economic, national security or industry harm, critical infrastructure such as the electric grid can be a natural target for such cyberattackers,” he said.
And citing the North American Electric Reliability Corp.’s 2019 report, Robinson added that the industry has consistently done a good job of defending itself “and are continuing to be vigilant in doing so as threats emerge and evolve.”
Meanwhile, Sharon Chand, a principal with Deloitte & Touche LLP’s cyber practice who focuses on critical infrastructure protection, said that a year-over-year increase in these attacks is very normal, though things have “certainly taken a steeper climb over the last several months.” She sees this as likely the result of a combination of factors contributing to a “heightened sense of disruption”: the global pandemic, economic uncertainty and even more time on the hands of the attackers.
Robinson also said an increase in attacks on the power sector could be impacted by more concrete changes to the grid itself, divorced from society’s climate of uncertainty.
“The electric grid is also evolving,” he said, “as we see an evolution from larger, more centralized resources to more distributed resources, and virtualized, remote control of those resources, which call for and have led to adaptation in the way that connectivity between and control of grid resources is protected.”
However, the reaction from utilities has largely been detached. John Di Stasio, president of the Large Public Power Council, acknowledged that attacks “may have increased in 2020” but said that utilities are regularly planning for disruptions and even participating in drills to identify and mitigate risks. Edison Electric Institute, a leading trade group representing U.S. investor-owned electric companies, did not respond to a request for comment.
“Despite the increase, LPPC members were and continue to be well-prepared to deal with these threats,” Di Stasio said, in reference to the consumer-owned utilities that make up the trade association. “Cybersecurity risk will continue to evolve, requiring our defense capabilities to evolve accordingly.”
Chand points out that, especially as the grid evolves to utilize diverse energy sources, including certain types of renewables, redundancies are built into its system to provide consistent power to consumers: If it is not a windy day, for instance, a utility that typically uses wind power can rely more on its nuclear or coal assets. Analogous redundancies protect the system from cyberattacks: “As one piece of the grid may experience a challenge, the grid is built in a way to accommodate that,” she said.
However, industry-wide analysis indicates that by some measures, cyber threats are shifting faster than the industry can respond. An October 2019 survey from Siemens AG and the Ponemon Institute of utilities professionals worldwide found that operational technology, rather than information technology, was particularly vulnerable to cyberattacks, and that 56 percent report at least one shutdown or operational data loss per year. Less than half (42 percent) rated their “cyber readiness,” or their capabilities as compared with anticipated attacks and known preparedness gaps, as high. And smaller organizations reported that they felt less confident in their cyber capabilities than their larger counterparts.
“Attackers become more motivated, attackers become more creative, they become more automated,” Chand said of the pattern of increased attacks. “And so, to a large extent, we expect to see an increase in the numbers of threats — denial-of-service attacks or others — facing all of our clients across the business every year. And I think we’re not going to see it go down anytime soon.”