Officials at the US Department of Homeland Security (DHS) confirmed yesterday to The Wall Street Journal that state-sponsored hackers successfully gained remote access to the control rooms of US electric utilities and likely had the ability to disrupt power flows. The report describes the activities as part of a long-running campaign targeting US utilities and suggests that the attacks are still ongoing. This is not the first time that a federal government agency has publicly confirmed the actual or potential threat posed by hackers to critical infrastructure (see our previous post on state-sponsored attacks). Instead, it marks yet another confirmed instance of hackers gaining access to the secure networks used by industrial control systems, a disconcerting trend in recent years, and it again underlines the importance of strong vendor and supply chain cybersecurity controls.
The attackers reportedly gained access to the utilities’ secure networks by first compromising the networks of trusted third-party vendors with familiar tactics, such as spear-phishing emails and watering-hole attacks. Armed with vendor access credentials, the attackers then pivoted into the utilities’ isolated networks and began gathering information on their operations and equipment. The extent of the attack remains unclear based on publicly available information. DHS did not specify the types of grid infrastructure implicated by the ongoing hack (i.e., transmission, distribution, or generation facilities), nor did it shed light on the full scope of the breach beyond indicating that there were “hundreds of victims” last year alone. It is possible the hackers limited their activities to information gathering in preparation for a larger, more destructive attack in the future.
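The access path described above, legitimate vendor credentials used to reach an isolated control network, is one that a utility can watch for on its own side of the vendor relationship. The following script is an added example, not code from the original post or from DHS, showing one such check: it reads remote-access authentication records and flags successful logins by a third-party vendor account into the control-network segment that come from outside the vendor's approved source range or outside its agreed maintenance window. The log format, the account name `svc-acmevendor`, the IP ranges, the segment `10.50.0.0/16` and the window are all constructed assumptions for the example.

```python
"""
Added example (not from the original post): flag use of a third-party vendor
remote-access account to reach hosts in an isolated OT/control-network segment
from outside the vendor's approved source range or outside its agreed window.
Log format, account names, host addresses and IP ranges are all constructed.
"""
import ipaddress
import re
from datetime import datetime, time

# Constructed policy: which vendor accounts exist, where they may connect
# from, and when they are allowed to touch control-network hosts.
VENDOR_POLICY = {
    "svc-acmevendor": {
        "allowed_sources": [ipaddress.ip_network("203.0.113.0/24")],  # TEST-NET-3
        "window": (time(8, 0), time(18, 0)),
    },
}

# Constructed: address range of the isolated control-network segment.
OT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")

# Constructed log line shape: "<iso-timestamp> auth user=.. src=.. dst=.. result=.."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "user": d["user"],
        "src": ipaddress.ip_address(d["src"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "result": d["result"],
    }


def evaluate(event):
    """Return the list of policy violations for an event (empty if none)."""
    reasons = []
    if event is None or event["result"] != "success":
        return reasons  # failed logins are handled by other detections
    if event["dst"] not in OT_SEGMENT:
        return reasons  # only successful reaches into the control segment matter here
    policy = VENDOR_POLICY.get(event["user"])
    if policy is None:
        return reasons  # not a vendor account; out of scope for this check
    if not any(event["src"] in net for net in policy["allowed_sources"]):
        reasons.append("vendor account used from unapproved source")
    start, end = policy["window"]
    if not (start <= event["ts"].time() <= end):
        reasons.append("vendor account used outside maintenance window")
    return reasons


def find_suspicious(lines):
    """Run every line through the check; return (ts, user, src, dst, reasons) tuples."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        reasons = evaluate(ev)
        if reasons:
            findings.append(
                (ev["ts"].isoformat(), ev["user"], str(ev["src"]), str(ev["dst"]), reasons)
            )
    return findings


# Constructed sample records: one in-policy login, one at 02:40, one from an
# unapproved source, one failure, one non-vendor user, one outside the OT segment.
SAMPLE_LOG = [
    "2018-07-23T10:15:00 auth user=svc-acmevendor src=203.0.113.17 dst=10.50.1.20 result=success",
    "2018-07-23T02:40:00 auth user=svc-acmevendor src=203.0.113.17 dst=10.50.1.20 result=success",
    "2018-07-23T11:05:00 auth user=svc-acmevendor src=198.51.100.9 dst=10.50.1.21 result=success",
    "2018-07-23T11:06:00 auth user=svc-acmevendor src=198.51.100.9 dst=10.50.1.21 result=failure",
    "2018-07-23T11:07:00 auth user=jsmith src=198.51.100.9 dst=10.50.1.21 result=success",
    "2018-07-23T11:08:00 auth user=svc-acmevendor src=203.0.113.17 dst=10.20.3.4 result=success",
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the script reports two events: the 02:40 login (inside the approved range but outside the window) and the 11:05 login (inside the window but from an unapproved address). The point of the policy structure is that it is the utility, not the vendor, that records where and when each vendor account is permitted to reach the control segment, so a credential that has been stolen from the vendor still has to pass the utility's own checks.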
Given the sustained pace of cyberattacks on industrial control system operators in recent years, electric utilities should expect greater scrutiny by the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) on their compliance with the Critical Infrastructure Protection (CIP) reliability standards. Supply chain and vendor integrity issues will likely take center stage in the near term.
Earlier this year, FERC initiated a rulemaking proceeding to adopt NERC’s new and modified reliability standards focused on supply chain risk management that will trigger changes to utilities’ vendor procurement processes. Specifically, utilities will need to demonstrate that their purchasing activities meet the minimum cybersecurity criteria outlined in the new standards. As a result, those companies providing goods and services to electric utilities will also need to adapt to the new requirements in order to demonstrate that they can assist electric utilities in meeting these compliance obligations. Based on the confirmed reports from DHS that vendor relationships are being continually exploited to compromise electric utility networks, it is possible that FERC will seize upon the opportunity to direct further changes to the supply chain risk management requirements (particularly reliability standard CIP-013-1) that are currently under consideration.