- The website of the Public Utility Commission of Texas was "defaced" on Jan. 28 in a low-impact attack which exposed no sensitive information but highlights the cyber threat faced by power sector entities and their regulators.
- PUC officials confirmed that for a brief time the commission home page was obscured by a single banner reading "Hacked by Anonymous Iranian." They said no indication exists yet that the attack was perpetrated by Iran, but further caution is necessary given the recent escalation of tensions between Iran and the United States, according to Richard Henderson, head of global threat intelligence at cybersecurity firm Lastline.
- The Texas Department of Information Resources earlier this month awarded a new contract to Canon U.S.A for its line of software solutions and services, which includes "comprehensive security capabilities and features," according to the company.
"Defacement attacks" have little impact on an entity's operations but can call attention to security weaknesses while also acting as a harbinger of potentially greater intrusions, according to experts.
"Normally defacement attacks are low impact and high profile, with embarrassment being the biggest issue," Henderson told Utility Dive in an email.
The PUC should be "operating under the unlikely assumption that this attack was carried out by a much more skilled attacker [who] has used this highly overt defacement as an opportunity to burrow themselves inside their infrastructure," Henderson said. "A full forensic audit is going to be a must ... The stakes are far too high when it comes to the utility industry."
PUC officials are taking a hard look at the attack, but say there was scant impact.
"An ongoing forensic effort, in conjunction with the state's data center and the Department of Information Resources, has shown no indication of association with a nation state," PUC Director of External Affairs Andrew Barlow said in an email. "As the site contains no confidential information, nothing sensitive was compromised.”
Texas and its utility regulator are taking steps to improve the state's security profile. The state's Department of Agriculture faced a similar attack earlier this month.
According to Canon, its software solutions can equip Texas state government, education and local government entities "with the tools needed to help secure information, protect against threats ... and address suspicious activity. "
Texas utilities must already comply with federal security standards, including the North American Electric Reliability Corporation's existing Critical Infrastructure Protection standards. However, state regulators are considering creation of a cybersecurity monitor that would facilitate sharing best practices between Texas utilities.
"Many state PUCs are wrestling with the need to do something in this area," Sharon Chand, a principal with Deloitte & Touche's cyber risk services, told Utility Dive. "States are feeling the need to take some action, though certainly there are federal programs as well."