Dec 8, 2021

A month after 'malicious' cyberattack, a small Colorado utility still doesn't have all systems back online

DMEA is a small power utility, serving about 35,000 meters. But the size of a utility has little to do with its vulnerability, according to security experts, as hackers grow more sophisticated.
“Given that Colonial Pipeline had a similar attack, it demonstrates all size utilities are vulnerable to phishing and/or password re-use mishaps,” Lila Kee, GM for GlobalSign’s North and South American operations, said in an email. GlobalSign is an identity services company offering cloud-based solutions.
While DMEA has not published details of the attack, Kee said those are the likely attack vectors. “The difference between smaller utilities and larger ones is more post-attack, and their ability to respond and contain,” she said.
Colonial, the largest refined products pipeline in the United States, was back online less than a week after a May ransomware attack forced it to shut down. The company paid a roughly $4.4 million bitcoin ransom to speed the recovery.
Security experts say the prevalence of ransomware attacks means no utility is safe — and data backups are an essential part of response planning.
“Any company, at any size, is a target,” Mark Carrigan, SVP of process safety and OT cybersecurity at Hexagon PPM, said in an email. “In-depth defense strategies need to be implemented regardless of size. But having a thorough back-up/restore strategy as part of the business continuity plan is possibly most important.
“Multiple redundancy of stored proprietary information is critical to ensure you meet or beat your recovery time objective,” he added. DMEA’s month-long recovery time “is evidence that a gap exists with current backup systems and processes.”
DMEA, in a Nov. 29 update to its customers, said that as a result of the attack the utility “lost 90% of internal network functions, and a good portion of our data, such as saved documents, spreadsheets, and forms, was corrupted. It also impacted our phones and emails.”
DMEA also said that this week “we tentatively estimate we will be able to begin accepting member payments via SmartHub and our payment kiosks … we also tentatively estimate we will be able to resume member billing.”
The resumption of those bills “will result in members receiving multiple energy bills close together,” DMEA warned. But despite the disruption, the utility’s power grid and fiber network “remain unaffected by the incident.”
That means DMEA “followed a cardinal principle for critical infrastructure: Complete separation of the IT and OT networks, so there is no direct logical path by which an infected IT system might infect the OT network,” security consultant Tom Alrich said in an email.
Security experts say they expect more information about the attack to emerge, which would help protect critical infrastructure, and smaller providers in particular.
“The electric sector has a track record of mutual assistance and sharing lessons learned and I’d expect to hear more in the coming weeks on overall impact from what seemingly sounds like a ransomware attack,” Dragos Vice President of Professional Services and Research and Development Ben Miller said in an email.
“This is especially important for fellow co-ops who work with very constrained budgets and resources,” Miller said.
NRECA has two programs in place to help member utilities remain secure: the Rural Cooperative Cybersecurity Capabilities program provides educational cybersecurity tools and resources to cooperatives, and the anomaly-detection platform Essence can warn of possible network breaches in real time.
“Our work to maintain and strengthen the cybersecurity of the grid is reflected in both of the above programs, and in our ongoing partnership with the Biden administration as part of their 100 day [industrial control system] initiative,” Stephen Bell, NRECA senior director of media and public relations, said in a statement.