On March 5, parts of the energy grids in California, Utah and Wyoming were affected by a suspected cyber attack. Details of the incident are patchy, but it is thought to be the first cyber attack to successfully disrupt operations within the US power grid.
There were no reported blackouts in what the US Department of Energy recorded as a “cyber event”. However, the incident exploited a known vulnerability to create a “denial-of-service” condition in industrial control systems supplied by one particular US technology company.
The attack reportedly disrupted supervisory control and data acquisition (SCADA) systems for around five hours, although power companies remained in control of the grid.
Successful cyber attacks against power companies and grids are rare. In December 2015, a cyber attack crippled part of Ukraine's power grid, in what is believed to be the first cyber attack known to have caused a blackout.
Earlier this year, Venezuela said cyber attacks had caused a series of blackouts in the country, although the claims were disputed.
Last year the US government issued an alert alleging that Russian hackers had conducted a two-year campaign of cyber attacks against the US power grid, as well as other critical infrastructure.
According to the alert, hackers used phishing attacks and malware to gain access into energy sector networks and carry out reconnaissance.
Cyber security company F-Secure recently identified nine attack groups and techniques currently targeting industrial control systems in energy companies.
One of the attack groups, the BlackEnergy Group, uses malware to gain control of SCADA systems used by power generation and distribution companies.
Another group, known as APT33, has been linked to a cyber attack against an Italian oil and gas company in December 2018, as well as previous attacks against energy companies in the Middle East.
A recent report by the Ponemon Institute concluded that cyber attacks against operational technology (OT) used in critical infrastructure are now “relentless and continuous”.
Almost all of the 701 security professionals in the OT sector, surveyed by Ponemon, had experienced a cyber attack, while most had suffered a data breach and/or significant disruption to business.
Some 90% of companies surveyed said they had been hit by a damaging cyber attack in the past two years, while 62% experienced two or more attacks.
Attacks against OT were also among the most feared threats in the survey – some 63% said an attack involving IoT or OT assets was of most concern, just below the most feared threat of third-party misuse or unauthorised sharing of confidential data (65%).
More than one-fifth (21%) of OT sector organizations list a nation-state attack as one of their top threats.
More than half of those surveyed had experienced an attack that resulted in downtime to plant and/or operational equipment, while 53% reported that an employee had fallen for a phishing scam resulting in credential theft in the past two years.
Almost half (45%) had experienced an attack against IoT or OT assets, while over a third (37%) experienced significant disruption to business processes caused by malware.
Almost a quarter (23%) believed they had been affected by nation-state attacks and 21% had been targeted by ransomware or cyber extortion.
On a more positive note, the Ponemon survey found high levels of executive involvement with the evaluation of cyber risk (60% of respondents report that C-level executives are involved).
Almost half (48%) took steps to quantify risk from cyber events, of which 50% said downtime of OT systems is the biggest factor used to quantify risk.
However, only 20% felt they had sufficient visibility into their organization’s attack surface.