In July alone, hackers
They’re trying. With millions of Americans now working from home -- including the people who help keep the grid running -- cyberattacks targeting the power sector have surged. In many cases, hackers use phishing emails to gain access to the computers of remote workers, looking to disable company systems for a ransom. But security experts warn that about a dozen state-sponsored actors are also trying to infiltrate these networks.
The pandemic has created “a once in a lifetime opportunity to get access during a time of heightened remote access usage,” said
Cyberattacks of all kinds have intensified during the Covid-19 pandemic, with hackers targeting public figures, banks, healthcare providers and others as the rise in remote work creates new access points. An assault on the power grid could have wide-ranging implications across sectors. While no outages have so far been attributed to hackers, grid companies are beefing up security amid an unprecedented onslaught that, in a worst-case scenario, could trigger blackouts or damage vital equipment.
“Every major company in our industry gets attacked millions of times every day,” said
Even before the pandemic, hackers succeeded in infiltrating some energy infrastructure. In 2016, an Iran-based hacker gained remote access to an
The largest U.S. grid operator,
“If you notice an attack going on, it’s already too late,” said
Nozomi estimates that grid attacks have increased 35% since Americans began quarantining. That correlates with more electric-sector employees working from home. As an example, one U.S. utility that previously allowed only 9% of its power plants to operate remotely now allows 80% to do so, Carcano said.
“With people working from home, there’s an increased attack surface to go after,” said Scott Aaronson, vice president of security and preparedness at the
In response to the onslaught, utilities are implementing heightened defense campaigns. That includes
“We’ve increased our vigilance and focus since the start of the pandemic to ensure our employees working outside the office continue to access our systems in a safe and controlled manner,” said Edward Crowder, an Avangrid spokesman. He declined to share specific actions the company is taking, citing security.
Before National Grid moved thousands of employees off-site, “we ensured that our systems could accommodate this change, and that there would be no impact to our security controls,” said spokeswoman Molly Gilson, without elaborating on particular measures the company took.
PJM declined to comment on how it’s making its systems safer, but its Senior Vice President of Operations
Still, intrusions can happen, and even the most tightly guarded systems can be taken down.
“Yes, it could happen,” said EEI’s Aaronson. “You could get in and move laterally but it would be very, very difficult to do so without people noticing anomalies.” He said he’s been on regular calls with utilities, the
The recent attacks have focused on corporate computer systems rather than the ones that run the physical operations of power plants and grids. The latter are overseen by engineers, many of whom were, until recently, isolated in strictly protected control centers for weeks at a time due to the pandemic.
But it’s happened elsewhere. Hackers believed to be linked to Russia hit Ukraine’s grid in 2015, cutting power to 230,000 people. Last September,
“Although North America has not experienced similar attacks,” Dragos said in a January report, bad actors “exhibit the interest and ability to target such networks.” Dragos highlighted a group of state-sponsored hackers linked to Iran that have carried out so-called “password spraying campaigns” on U.S. oil, gas and electric infrastructure.
“Electric sector community members should be more proactive than ever before,” Lee said. “But that doesn’t mean the public should be freaking out.”
(Updates with Southern CEO comments in fifth paragraph.)
--With assistance from
To contact the editors responsible for this story:
Catherine Traywick, Stephen Cunningham
© 2020 Bloomberg L.P. All rights reserved. Used with permission.