Utilities Must Consider All Possible Vulnerabilities When Addressing Cybersecurity, Panel Warns

Identifying and closing cyber vulnerabilities before malicious actors can take advantage of gaps in utilities’ security must be a high priority, a panel of representatives from the Department of Energy and two public power utilities said during a session at APPA’s National Conference in San Diego, Calif., last month.

“Threat actors are very, very interested in the utility industry,” DOE Office of Cybersecurity, Energy Security, and Emergency Response Deputy Director Mara Winn said in opening the session.

Bad actors — particularly nation-states like China — recognize the leverage derived from access to critical infrastructure like water and power, especially given the ripple effect of any disruption to those services. Putting it more simply, Winn said, “Cybersecurity is a safety issue.” 

Panelists stressed the need for utilities to communicate the consequences of potential attacks to vendors or other managed service providers. “Most people do not operate in the risk mindset that [utilities] have to operate in,” Winn added.

For Littleton Electric Light & Water Department in Massachusetts, this need to embrace a cyber-hardened mindset was put to the test last year when a managed service provider failed to maintain the necessary standards and the utility was subjected to a cyber-attack, Littleton General Manager Nick Lawler said. Threat actors took advantage of a firmware vulnerability on the utility’s firewall, gaining full access to the system and granting themselves administrator credentials.

Littleton has since worked with the FBI and the Department of Homeland Security to address the security breach, and the utility also received funding from APPA through a cooperative agreement with DOE to deploy sensor technology on Littleton’s system.

[At the national conference, Lawler was installed as chair of APPA’s Board of Directors.]

The situation in Littleton was a result of Volt Typhoon, a state-sponsored, China-based hacker group that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has said is “pre-positioning itself on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”

Volt Typhoon’s infiltrations are often difficult to detect, as they are rarely identifiable through anything other than odd usage characteristics, such as someone logging in during the middle of the night or accessing information far outside their purview.

Moreover, once the group has obtained access, it can lie dormant for months at a time, often without ever being detected. Lawler noted the difficulty this creates when attempting to be certain that Volt Typhoon’s entry points have been eradicated.

Cyber-attacks from Volt Typhoon have been detected within multiple parts of critical infrastructure across numerous sectors; in the energy sector, both small and large utilities have been hit.

When asked how utilities can better vet new vendors or defend themselves against potential threats, Nebraska Public Power District President & Chief Executive Officer Tom Kent noted the value of engaging and integrating with peers, whether with industry, local government, or law enforcement, to facilitate information sharing and awareness.

He suggested utilities join the North American Electric Reliability Corporation’s E-ISAC and the Center for Internet Security’s MS-ISAC, and advised them to test themselves against industry frameworks and learn from any identified problem areas.

Kent and NPPD also help host an annual, weeklong joint cyber training — Cyber Tatanka — with other Nebraska utilities, as well as representatives from sectors including healthcare, banking, universities, and the national guard.

Lawler reiterated that there is a need for utilities to be more open with one another. “Share your story,” he said. “Whether cyber or physical, the more we share with each other, the less risk we’ll have and the more prepared we will be.”

Winn added that there are additional resources available through DOE, including $250 million for utilities through the Rural and Municipal Utility Cybersecurity program. Interested utilities can email CESER.RMUC@DOE.gov to be put on a list for information on all open or upcoming funding opportunities. DOE has also hosted workforce development training for more than 170 staff from 60 utilities.

Likewise, APPA members will have access to additional cybersecurity resources thanks to a new cooperative agreement with DOE CESER. The APPA Cyber Pathways Program will provide training, assessments, and a new cybersecurity designation for members, who can also take part in a free cyber exercise, dubbed Safe Haven, to take place next year.

For more information, contact Cybersecurity@PublicPower.org.
