- The Wall Street Journal has identified several utilities targeted in a hacking campaign on the power sector earlier this year. They include smaller and regional public power entities that were often located near critical infrastructure.
- Security firm Proofpoint in September concluded more than a dozen utilities were targeted in a sophisticated phishing scheme dubbed "LookBack." None of the attacks were successful and some utilities were unaware of the attempt, according to the Journal.
- But security experts say smaller electric utilities may pose an oversized threat to the electric grid, as they often lack the robust cybersecurity infrastructure of larger investor-owned utilities.
Included in the Wall Street Journal's list of targeted utilities are some you may have never heard of: Klickitat Public Utility District in Washington, Basin Electric Power Cooperative in North Dakota, Cloverland Electric Cooperative in Michigan, Wisconsin Rapids Water Works and Lighting Commission and Flathead Electric Cooperative, which serves members on the Montana-Wyoming border.
Some of the utilities were unaware of the attacks until the Federal Bureau of Investigation told them they had been targeted, according to the Journal.
The Journal's report "suggests that this effort was more than just the typical campaign of nation-state efforts against the major U.S. electric sector providers," Jamil Jaffer, IronNet Cybersecurity's vice president of strategy, partnerships and corporate development, told Utility Dive.
Rather, said Jaffer, it appears LookBack was a "focused campaign aimed at the smaller providers in the country targeting key resources and critical infrastructure assets." He said attackers likely wanted to determine whether access was possible and, if so, "what they might be able to get."
For example, Cloverland Electric is near the Sault Ste. Marie Locks, essential infrastructure for U.S. shipping between Lake Superior and the lower Great Lakes.
"Utilities of all sizes are at greater cyber risk than ever before," Eddie Habibi, CEO and co-founder of security firm PAS Global, told Utility Dive in an email. The LookBack attack "is yet another example of the increasing threat they face."
Habibi said the electric grid is an "expanding attack surface" due to rapid digitalization and connectivity between utility systems.
Emails sent to utilities claiming to be from the U.S. National Council of Examiners for Engineering and Surveying contained the LookBack malware. The level of specificity in the claim and targeted emails suggest this was an "advanced phishing campaign," Proofpoint said.
Both Jaffer and Habibi say smaller utilities are at a security disadvantage."Smaller regional utilities may have been lulled into a sense of greater safety based on their size as compared to larger utility providers," Habibi said. "But the reality is that they are just as much at risk and, to a certain extent, even more so because they often lack the level of investment in cybersecurity personnel and tools that larger providers have in place."
Smaller public power providers, rural electric utilities and cooperatives "may often face an uphill battle combating nation-state efforts, even more so than larger provider who also sometimes find themselves up against their match," according to Jaffer.
The solution, he said, absent the federal government providing direct defense, is for large and small providers to work with one another to share threat behaviors in real-time "to create a collective defense capability that leveraged the knowledge and skills of key players in the electric power ecosystem."
But the American Public Power Association disputes the idea that smaller utilities are more vulnerable, and said reaction to the LookBack attack was largely overblown.
"This was nothing more than an IP phishing attack," APPA Senior Vice President of Engineering Mike Hyland told Utility Dive. "This is something we see in various forms on a daily basis.
"The public power sector works with the Department of Energy on a daily basis, said Hyland, and shares information through the North American Electric Reliability Corp.'s Electricity Information Sharing and Analysis Center as well as the Multi-State Information Sharing and Analysis Center.
"We take this really seriously," said Hyland. But as for the focus on LookBack, "We're kind of perplexed."