Dive Brief:
- Utilities have seen a rise in phishing attempts and scams related to the Coronavirus, officials from the Edison Electric Institute (EEI) told Utility Dive, adding that investor-owned utilities represented by the group are alert and prepared, with companies collaborating to mitigate the threat.
- As more employees work remotely to limit the virus' spread, companies should enhance technology monitoring and ensure that virtual private networks and other access systems are fully patched, the U.S. Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) said in a March 6 advisory.
- Experts say the utility sector, like many industries, faces a shortage of cybersecurity manpower and any loss of productivity resulting from sick employees could weaken defenses. At the same time, hackers may seek to exploit widespread interest in the virus to infiltrate networks and gain access to critical infrastructure.
Dive Insight:
On its face, a link between the Coronavirus and electric grid security may not be obvious. But experts say the virus — and the related news frenzy — can pose a threat to utilities.
At the same time, while COVID-19 may be a new virus, the scenario faced by utilities is not.
"There have been a few experiences over [the] last couple of decades that have really crystallized for this industry the value of continuity planning," EEI Vice President of Security and Preparedness Scott Aaronson told Utility Dive. "Y2K was a really interesting opportunity as we became more digitized, and realized the potential exposure."
Fears over how digital systems would fare as the new century arrived were then followed by the outbreak of severe acute respiratory syndrome (SARS) in 2003 and the H1N1 flu pandemic in 2009.
"There were efforts back then, examining how to deal with pandemics," Richard Mroz, senior advisor of state and government relations for Protect Our Power, told Utility Dive. "Utilities have those plans in place. ... In the last few days they are pulling them out, and working internally to update them."
Rise in employee absenteeism could weaken defenses
"This is a sector that relies very heavily on its people," Aaronson said. "Pandemics and global health emergencies impact our people ... but we are well-staffed in general. And the cyber workforce is something we are committed to building."
Globally, more than 3,500 people have died from the virus according to CNN, and more than 105,000 have been infected. In the United States there have been more than 500 cases identified.
Experts say bad actors can use subjects like the coronavirus to infiltrate systems and cover their tracks.
"Bad actors are already using COVID-19 and people's desire for information as a phishing and malware distribution opportunity," Jamil Jaffer, vice president for strategy and partnerships at IronNet Cybersecurity, told Utility Dive. The combination "creates softer targets across multiple sectors."
Jaffer sees two ways the virus's spread could impact cybersecurity in the utility sector and other industries. The first is through a basic lack of manpower: If enough security operations center (SOC) people get sick and are unable to work remotely, security could be weakened.
"There are already a limited number of humans who are top-notch SOC operators and if more people are out, this increases the need for companies to work together to leverage joint resources and collectively defend against common threats," Jaffer said.
Additionally, authorities are seeing an increase in virus-related phishing scams and malware attacks. Jaffer said people are forwarding more information in an attempt to be helpful, thus creating new attack vectors.
"Potentially some bad actor could use this intersecting set of events, to do something" Mroz said.
Utilities "have to be on heightened alert," said Mroz. "Is someone going to take advantage of this situation, where the workforce might be vulnerable? These are issues that any business, any utility company, needs to look at as an enterprise-wide threat. They need to consider how threats could potentially intersect and impact operations."
Utilities say phishing attempts are on the rise
An informal poll of EEI members and their communications experts confirmed utilities are "anecdotally seeing an uptick in phishing, in cyber probing, and also in scams. ... We see this around storms also. There is always an uptick in adversaries taking advantage of a situation. Our companies are used to this," Aaronson said.
CISA's warning last week recommended companies assess their supply chain for potential impacts from disruption of transport logistics, communicate with key customers, test remote access solutions and "ensure continuity of operations plans or business continuity plans are up to date."
"Malicious cyber actors could take advantage of public concern surrounding COVID-19 by conducting phishing attacks and disinformation campaigns," the agency warned.
But utility experts say the electric sector is prepared.
"It's a time to look at hygiene, both of the personal and security kind," Aaronson said. "This is one of many scenarios our companies have planned for, for a long time. ... We are hoping this does not evolve into a global health emergency worse than it is — but we are preparing as though it will."
