Hackers Are Targeting the Remote Workers Who Keep Your Lights On

In July alone, hackers took over the twitter accounts of U.S. politicians, stole terrabytes of coronavirus research and even infiltrated the U.K.’s Premier League soccer clubs. Can they cut off your electricity, too?

They’re trying. With millions of Americans now working from home –- including the people who help keep the grid running -- cyberattacks targeting the power sector have surged. In many cases, hackers use phishing emails to gain access to the computers of remote workers, looking to disable company systems for a ransom. But security experts warn that about dozen state-sponsored actors are also trying to infiltrate these networks.

The pandemic has created “a once in a lifetime opportunity to get access during a time of heightened remote access usage,” said Rob Lee, chief executive officer at industrial security firm Dragos Inc. “The bulk electric system is absolutely too important to allow adversaries access. It’s a matter of public safety as well as national security.”

Cyberattacks of all kinds have intensified during the Covid-19 pandemic, with hackers targeting public figures, banks, healthcare providers and others as the rise in remote work creates new access points. An assault on the power grid could have wide-ranging implications across sectors. While no outages have so far been attributed to hackers, grid companies are beefing up security amid an unprecedented onslaught that, in a worst case scenario, could trigger blackouts or damage vital equipment.

“Every major company in our industry gets attacked millions of times every day,” said Tom Fanning, chief executive officer of utility Southern Co. “But it is very clear there have been no interruptions in service on the electrical side.”

The Bowman Avenue Dam in Rye Brook, New York, was the target of 2016 cyberattack.

Photographer: Seth Wenig/AP Photo

Even before the pandemic, hackers succeeded in infiltrating some energy infrastructure. In 2016, an Iran-based hacker gained remote access to an electric dam in New York for weeks. Earlier this year, ransomware shut down a natural gas facility for two days.

The largest U.S. grid operator, PJM Interconnection LLC, recently told regulators it’s facing increasing attacks. In May, the U.K.’s grid data system was hacked, although electricity supplies weren’t affected. And in March, an attack against Europe’s association of grid operators, ENTSO-E, affected its internal office systems.

“If you notice an attack going on, it’s already too late,” said Andrea Carcano, co-founder of Nozomi Networks, which provides web security services for utilities and other industries.

Nozomi estimates that grid attacks have increased 35% since Americans began quarantining. That correlates with more electric-sector employees working from home. As an example, one U.S. utility that previously allowed only 9% of its power plants to operate remotely now allows 80% to do so, Carcano said.

“With people working from home, there’s an increased attack surface to go after,” said Scott Aaronson, vice president of security and preparedness at the Edison Electric Institute.

Off-site Employees

In response to the onslaught, utilities are implementing heightened defense campaigns. That includes Avangrid Inc. and National Grid PLC, which provide power in New York and New England.

“We’ve increased our vigilance and focus since the start of the pandemic to ensure our employees working outside the office continue to access our systems in a safe and controlled manner,” said Edward Crowder, an Avangrid spokesman. He declined to share specific actions the company is taking, citing security.

Before National Grid moved thousands of employees off-site, “we ensured that our systems could accommodate this change, and that there would be no impact to our security controls,” said spokeswoman Molly Gilson, without elaborating on particular measures the company took.

PJM declined to comment on how it’s making its systems safer, but its Senior Vice President of Operations Mike Bryson told regulators in June that “PJM’s remote access infrastructure was already prepared both for the capacity needed for remote operations and for the security configuration needed to protect PJM while in remote operation.

Still, intrusions can happen, and even the most tightly guarded systems can be taken down.

“Yes, it could happen,” said EEI’s Aaronson. “You could get in and move laterally but it would be very, very difficult to do so without people noticing anomalies.” He said he’s been on regular calls with utilities, the Department of Homeland Security and the White House since February to share information on potential threats.

U.S. Hacking

The recent attacks have focused on corporate computer systems rather than the ones that run the physical operations of power plants and grids. The latter are overseen by engineers, many of whom were, until recently, isolated in strictly protected control centers for weeks at a time due to the pandemic.

But it’s happened elsewhere. Hackers believed to be linked to Russia hit Ukraine’s grid in 2015, cutting power to 230,000 people. Last September, malware affected an Indian nuclear power plant. And since at least 2012, the U.S. government has worked to penetrate Russia’s electric power grid in a warning to President Vladimir Putin.

“Although North America has not experienced similar attacks,” Dragos said in a January report, bad actors “exhibit the interest and ability to target such networks.” Dragos highlighted a group of state-sponsored hackers linked to Iran that have carried out so-called “password spraying campaigns” on U.S. oil, gas and electric infrastructure.

“Electric sector community members should be more proactive than ever before,” Lee said. “But that doesn’t mean the public should be freaking out.”

(Updates with Southern CEO comments in fifth paragraph.)

--With assistance from Rachel Morison.

To contact the reporters on this story:
Christopher Martin in New York at cmartin11@bloomberg.net;
Gerson Freitas Jr. in New York at gfreitasjr@bloomberg.net

To contact the editors responsible for this story:
Joe Ryan at jryan173@bloomberg.net

Catherine Traywick, Stephen Cunningham

© 2020 Bloomberg L.P. All rights reserved. Used with permission.