The utility sector, including electric, gas and water companies, has a growing ransomware problem, say security experts.
Ransomware is a type of financially-motivated malware, which steals or locks up a company's data or computing systems until the victim pays a fee to the hacker. And it is quickly becoming more common across the economy, as deploying the malware becomes easier and hackers learn to right-size their demands.
"It's a volume business. A volume, low-margin business," said Miles Keogh, executive director of the National Association of Clean Air Agencies. He advised state public utility commissions on cybersecurity issues until 2017.
While there have been a few high-profile cases where companies paid large ransoms to recover their data or systems (Garmin reportedly paid millions this summer), experts say more frequently smaller cases are resolved quietly, including some utilities.
Victims of ransomware are reticent to talk. The Reading Municipal Light Department in Massachusetts acknowledged earlier this year it had been hit by ransomware. The utility declined to discuss the attack, saying in a statement "the RMLD implements best utility practices."
The Lansing Board of Water & Light in Michigan in 2016 paid a $25,000 ransom to unlock some of its communication systems. The utility declined to comment on the incident.
"As you can imagine, a lot of organizations, if they pay, they keep it under cover. It's difficult to understand if a victim paid or did not pay — but we are seeing an increase in the number of victims," said Israel Barak, chief information security officer at Cybereason, a Boston-based security firm, referring to utilities and other companies.
Attacks are on the rise — and so are ransom demands
The Edison Electric Institute, which represents investor-owned utilities, said it has seen "an uptick in attempted attacks" in part related to the COVID-19 pandemic, but added that its members are "prepared to mitigate and manage the extra risks." The group did not address whether ransomware costs could be passed on to consumers.
The National Rural Electric Cooperative Association did not address ransomware questions but said generally that its members "remain vigilant against cyber threats and those who might perpetuate them."
Cybereason in June warned utility ransomware attacks were becoming more sophisticated. The company ran a "honeypot" operation where it created a fake industrial control network designed to look like an electricity company — and watched as hackers broke in within three days.
In particular, Barak said he sees an increase in complicated, multi-stage ransomware attacks that can paralyze entire networks and enterprises while simpler attacks focused on individuals are declining.
"For the last two to three years, ransomware has been at the top of everyone's list of threats companies are facing," said Bob Parisi, U.S. cyber product leader for Marsh, a global insurance broker and risk adviser.
Parisi helps customers, including utilities, procure insurance plans that cover cybersecurity and data extortion.
"What we've seen in the last couple of years is that ransomware is more prevalent and more damaging" than other forms of hacking, said Parisi.
Parisi said the average ransom payment he sees is up 30% over the last year, to about $110,000, but many ransoms paid without an insurer's involvement are likely much smaller.
While EEI has seen an increase in attacks, it's not clear how many utilities have been hit by ransomware. Parisi said of companies suffering a ransomware attack in 2020, as many as 10% — or as few as 2% — may have been utilities.
"Utilities are right there at the forefront of risk," said Parisi. "No one is immune, largely because it's a fairly effective exploit."
There have been relatively few hacks in the U.S. utility sector that caused significant damage — so far. But ransomware threatens to change that, said Keogh.
Nation-state actors have had these kinds of hacking capabilities — including the ability to disrupt power grids — for years, said Keogh. But because the United States generally had stronger cyber capabilities, the attacks were rarely attempted.
"If you flipped the switch here, you'd get a non-proportional response that would be really bad," he said. But with financial gain rather than disruption as the primary goal of ransomware, the number of potential bad actors has suddenly exploded.
"The people who could screw with critical infrastructure, especially the power system, were not motivated to do it because it was mostly nation-states or folks aligned with nation-states who were kind of disavowable," said Keogh. "We went a long time without having any power companies here attacked, even though there were cyber attacks of a nation-state origin happening between countries."
Ransomware, however, "aligns the means and motives," Keogh said. "It's not motivated by geopolitics ... it's literally motivated by folks who just want to get paid out."
Attacks on companies are now happening all the time, and when a hacker is successful, the demand, depending on the victim, can be as low as a thousand or even a few hundred dollars. For most companies of any size, paying the ransom is cheaper than lost productivity and output.
"Everyone says don't pay the ransom," Keogh said. But he also said that depending on the business and what type of impact the malware is having, "I can imagine the temptation to just pay the ransom. That pressure has to be enormous."
Parisi said the percentage of victims actually paying ransoms has "gone up steadily in the last two years." It was about 40% of companies hit by ransomware in 2018, rising to 45% in 2019 and now hovering around 60% in 2020.
Avoiding or mitigating a ransomware attack
Training staff in good cyber hygiene is an important way to avoid being the victim of an attack, said security experts.
"The way these folks get in is almost always phishing. It's the stupidest attack in the world. We've all known about it for decades," said Keogh.
If a utility does fall victim to an attack, a speedy and affordable recovery usually involves extensive backups of data and operating systems, according to those who help companies resume operations after ransomware.
"The hope is that if the worst does happen and a utility ... gets ransomed, they have protections in place to recover without having to pay the bad guys," said Tony Turner, vice president of security solutions at Fortress Information Security.
Those "protections" are essentially system and data backups, said Turner. They are vital because there is no guarantee that hackers will, or even can, unlock a company's data. And if they do, there's nothing that says they won't simply re-encrypt it and issue another ransom demand.
"From a best practice standpoint, utilities should be pulling ransomware into business continuity and recovery plans," Turner said. Much like natural disasters, including storms, flooding and wildfires, "a ransomware event is no less and perhaps even more impactful for operations."
Utilities "should be doing backups for everything required for operations," said Turner.
That said, Turner acknowledges that extensive backups and the ability to restore systems "is a more mature capability that most utilities are not yet planning for. They are more focused on natural disaster-type threats, and not as focused on the cyber threat as they could be."
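A backup is only a protection if a restore from it can be verified before it is trusted. The script below is an added example, not code from Fortress Information Security, any utility, or the original article: it writes a SHA-256 manifest for a backup tree, then checks a restored tree against that manifest for missing, changed and unexpected files, and flags any file whose byte entropy looks like ciphertext, which is what a restore target that was itself encrypted by ransomware would look like. The sample file names (plc_config.ini, hmi_tags.csv, billing.db, the ransom note) and the 7.5 bits-per-byte threshold are assumptions chosen for illustration.

```python
"""Backup manifest and restore verification (added example, not the article's code)."""
import hashlib
import math
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumed threshold: compressed or encrypted data approaches 8 bits/byte,
# plain config, CSV and text files sit well below 7.5.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, forward slashes) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(root: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken when the backup was made."""
    restored = build_manifest(root)
    expected, found = set(manifest), set(restored)
    report = {
        "missing": sorted(expected - found),
        "unexpected": sorted(found - expected),
        "modified": sorted(p for p in expected & found if restored[p] != manifest[p]),
        "high_entropy": [
            rel for rel in sorted(found)
            if shannon_entropy((root / rel).read_bytes()) > ENTROPY_THRESHOLD
        ],
    }
    report["ok"] = not (report["missing"] or report["unexpected"] or report["modified"])
    return report


def _pseudo_ciphertext(n_blocks: int = 128) -> bytes:
    # Deterministic stand-in for encrypted output: a run of SHA-256 digests.
    return b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(n_blocks))


def demo() -> dict:
    """Constructed sample: take a manifest of a clean backup, then verify a tampered restore."""
    work = Path(tempfile.mkdtemp())
    try:
        backup = work / "backup"
        (backup / "scada").mkdir(parents=True)
        (backup / "scada" / "plc_config.ini").write_text("[feeder1]\nsetpoint=13.8kV\n" * 40)
        (backup / "scada" / "hmi_tags.csv").write_text("tag,addr\nbreaker_01,40001\n" * 40)
        (backup / "billing.db").write_bytes(b"SQLite format 3\x00" + b"\x00" * 2048)
        manifest = build_manifest(backup)

        restore = work / "restore"
        shutil.copytree(backup, restore)
        # Simulate ransomware reaching the restore target: one file encrypted
        # in place, one deleted, one ransom note dropped.
        (restore / "scada" / "plc_config.ini").write_bytes(_pseudo_ciphertext())
        (restore / "billing.db").unlink()
        (restore / "README_TO_DECRYPT.txt").write_text("Your files are encrypted.\n" * 3)
        return verify_restore(restore, manifest)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The manifest must be stored somewhere the attacker cannot reach (offline media or write-once storage), otherwise it can be rewritten alongside the files. The entropy check is a heuristic: legitimately compressed or encrypted files will trip it, so treat a hit as something to inspect, not as proof of tampering on its own.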
Call in the FBI
Ron Hayman, chief cloud officer and chief operating officer at Avant, a communications technology company, says his firm has seen "significant spikes in ransomware," and often victims don't have the needed backups.
"They're typically going to have to pay the ransom," Hayman said. "With utilities, the risk is obviously significantly higher. The risk to the public of not having power or water, and the impact it can have if it happens for a sustained amount of time, means utilities should take it more seriously — and a lot of times will be forced to pay."
"Typically that [payment] is passed on to the customer, in terms of increased costs," said Hayman.
In the event of a ransomware attack, the first line of action is to reach out to the local Federal Bureau of Investigation (FBI) office, said Turner. "Ideally, a utility already has the local FBI office on speed dial. The FBI has a lot of tools and capabilities at their disposal," and can sometimes quickly decrypt a company's systems.
Working with the FBI or employing other decryption tools can unlock files and data, but "maybe paying the ransom is the last-ditch effort. Before paying, there should be some transition planning in place. ... It's likely the company pays, gets access to files back, and then gets ransomed again, if they got caught once and didn't do anything to keep it from happening again," said Turner.
If a utility decides to pay the ransom in return for the data, it often uses an insurance company or another specialized third party to make the payment. Most ransomware operators take cryptocurrency, said Barak.
"Once they've decided it is a viable option, the question becomes how to negotiate with the attacker," said Barak. In more complex attacks, the hackers have set up a kind of "help desk" that allows for communication and "most are very open to negotiation."
"They want a good payday, but they're willing to talk about what that payday is," said Barak. In some instances, companies can negotiate to return access to only critical systems in return for a smaller ransom.
Barak also cautioned that paying the ransom is no guarantee the data will be returned. And there are also "moral aspects" to the decision, he said, of giving money to criminal enterprises whose activities may stretch beyond hacking.
"At the end of the day, it's very difficult to make those decisions," he said.
Correction: A previous version of this story misidentified the National Association of Clean Air Agencies.