Morning Consult: Worldwide Denial-of-Service Cyberattacks on Utilities Up Five-Fold This Summer, Data Shows

By Lisa Martine Jenkins

As the societal disruptions of 2020 continue to pile up, cyberattackers have taken advantage of the chaos, with certain types of attacks against utilities spiking five-fold in recent months, according to data provided to Morning Consult by the analytics firm NETSCOUT. Those who work in and with the utilities  themselves, however, have expressed little concern about this surge, reporting that the cyber threats have not impacted their security of service.

NETSCOUT, which maintains a Cyber Threat Horizon tracker in real time, recorded 1,780 “distributed denial-of-service” attacks against utilities worldwide between June 15 and Aug. 21, representing a 595 percent year-over-year increase. A DDoS attack uses multiple platforms in an attempt to flood a target’s system and render it unavailable, often through repeating a request or ping to such a degree that a target — in this case a utility — is overwhelmed.  

The marked increase in DDoS attacks on utilities worldwide, including both electric and gas systems, have come amid the coronavirus pandemic and other sources of upheaval, as measured by the attacks’ frequency, volume and speed. And DDoS is not the only type of cyberattack on the rise: The Federal Bureau of Investigation recently warned the U.S. energy sector of a new hacking threat from the Russian hacker group known as APT28, or Fancy Bear, that has used a wide range of approaches.

Roland Dobbins, principal engineer for NETSCOUT’s security division Arbor Networks, attributed cyberattacks writ large to a number of potential motivations, including ideological, geopolitical, extortive, destructive and even nihilistic ones.

“Some people just love to cause harm, and what better way to do so than being able to shut down power for thousands or tens of thousands,” Dobbins said in an email. 

While cyberattacks tend to increase annually by all measures simply as a function of the advancement of the technology and sophistication of the criminals, this year’s jump in attacks has been unprecedented. According to exclusive analysis provided to Morning Consult from Dobbins’ colleague Richard Hummel, who manages threat research for Arbor Networks, 2020 has so far seen double the attacks that 2019 did — roughly 3,100 through Aug. 21 compared with about 1,500 during the same period last year.

The attackers have also upped both the bandwidth size and the speed of their attempts. One entity in the Netherlands saw an attack of 88.4 gigabytes per second — in contrast with the 2019 maximum of 21.1 Gbps — while another in Italy faced an attack with a throughput of 11 million packets per second, up from the 2019 maximum of 5 Mpps. 

Brandon Robinson, a partner at Balch & Bingham LLP in Birmingham, Ala., who focuses largely on utilities, said the sector has always been a target of cyberattacks.

“Whether one’s motivation is to do financial, economic, national security or industry harm, critical infrastructure such as the electric grid can be a natural target for such cyberattackers,” he said.

And citing the North American Electric Reliability Corp.’s 2019 report, Robinson added that the industry has consistently done a good job of defending itself “and are continuing to be vigilant in doing so as threats emerge and evolve.

Meanwhile, Sharon Chand, a principal with Deloitte & Touche LLP’s cyber practice who focuses on critical infrastructure protection, said that a year-over-year increase in these attacks is very normal, though things have “certainly taken a steeper climb over the last several months.” She sees this as likely the result of a combination of factors contributing to a “heightened sense of disruption”: the global pandemic, economic uncertainty and even more time on the hands of the attackers.

Robinson also said an increase in attacks on the power sector could be impacted by more concrete changes to the grid itself, divorced from society’s climate of uncertainty. 

“The electric grid is also evolving,” he said, “as we see an evolution from larger, more centralized resources to more distributed resources, and virtualized, remote control of those resources, which call for and have led to adaptation in the way that connectivity between and control of grid resources is protected.”

However, the reaction from utilities has largely been detached. John Di Stasio, president of the Large Public Power Council, acknowledged that attacks “may have increased in 2020” but said that utilities are regularly planning for disruptions and even participating in drills to identify and mitigate risks. Edison Electric Institute, a leading trade group representing U.S. investor-owned electric companies, did not respond to a request for comment.

“Despite the increase, LPPC members were and continue to be well-prepared to deal with these threats,” Di Stasio said, in reference to the consumer-owned utilities that make up the trade association. “Cybersecurity risk will continue to evolve, requiring our defense capabilities to evolve accordingly.” 

Chand points out that, especially as the grid evolves to utilize diverse energy sources, including certain types of renewables, redundancies are built into its system to provide consistent power to consumers: If it is not a windy day, for instance, a utility that typically uses wind power can rely more on its nuclear or coal assets. Analogous redundancies protect the system from cyberattacks: “As one piece of the grid may experience a challenge, the grid is built in a way to accommodate that,” she said. 

However, industry-wide analysis indicates that by some measures, cyber threats are shifting faster than the industry can respond. An October 2019 survey from Siemens AG and the Ponemon Institute of utilities professionals worldwide found that operational technology, rather than informational technology, was particularly vulnerable to cyberattacks, and that 56 percent report at least one shutdown or operational data loss per year. Less than half (42 percent) rated their “cyber readiness,” or their capabilities as compared with anticipated attacks and known preparedness gaps, as high. And smaller organizations reported that they felt less confident in their cyber capabilities than their larger counterparts.

“Attackers become more motivated, attackers become more creative, they become more automated,” Chand said of the pattern of increased attacks. “And so, to a large extent, we expect to see an increase in the numbers of threats — denial-of-service attacks or others — facing all of our clients across the business every year. And I think we’re not going to see it go down anytime soon.”

Read the original article here.

LPPC CEOs Present at the Public Power Community Forum
LPPC at National Clear Energy Week
LPPC Chair and Austin Energy General Manager, Jackie Sargent, Discusses Carbon-Free Goals and More on Grid Talk
U.S. public power sector tackles emerging ESG challenges, inflation
Chair’s Post: Embracing Diversity, Equity and Inclusion to Secure our Energy Future
LPPC Submits Comments to FERC on Transmission Planning
LPPC Leads Cross-Industry Push for E-Mobility
LPPC Members Fly In to Advocate for Public Power Communities
A Preview of Energy Transition Hopes and Hurdles for 2022
API Taps New Chief Lobbyist
LPPC Signs Joint Letter on Sequestration and Direct Subsidy Bonds
Joint Public Finance Network Letter to Congress In Support of Legislation In Response to COVID-19
Letter to Congress Regarding Near-Term for Customers and Communities in Response to COVID-19
LPPC Federal Reserve Municipal Liquidity Facility Letter
Joint Trades Community Owned Utility Direct Pay Letter
Letter to Treasury of Private Use
Letter to Treasury on Priority Guidance
GridWise Alliance and Grid Infrastructure Advisory Council Letter
Tulsa World: Utility Workers—A New, Unsung Hero Emerges During Times of Crisis
S&P Global: Municipal Utilities Call For Return Of Financial Tools To Get Through Pandemic
Morning Consult: Hidden Heroes Keeping The Lights On
Utility Dive: The (Energy) Efficient Road to Small Business Recovery
S&P Global: Public Power Utilities Say They Have 'Weathered' COVID-19 Storm; S&P Adds, 'So Far'
The Bond Buyer: Power Utilities Still Plan Capital Improvements
Morning Consult: Utilities Coalition Letter Rallies Congress to Include Support for Public Power in Coronavirus Stimulus
Morning Consult: Worldwide Denial-of-Service Cyberattacks on Utilities Up Five-Fold This Summer, Data Shows
Utility Dive: Public Power Leaders See Lasting Effects from 2020 Disruptions with New Approaches to Resilience, Equity
Public Utilities Fortnightly: Saluting the Workforce at Large Public Power Council; Conversation with LPPC president John Di Stasio
E&E News: Quest for 'Common Ground' Continues as Clock Ticks
POLITICO Morning Energy: Defending from Future Cyber Attacks
Agri-Pulse: Biden's Clean Power Target Poses Stiff Challenge for Some Rural Power Providers
PV Magazine: Sunrise Brief - Leaders Urge Support for Clean Energy Tax Breaks that Benefit Public Power
POLITICO: How Much Companies That Paid No Corporate Income Tax Spent on Lobbying
Utility Dive: Utilities to DOE - More Information, Not New Regulations, Needed to Secure the Grid
The Hill: Want a Clean Energy Future? Look to the Tax Code.
2022 Public Power Community Conference: Navigating an Industry in Transition
President’s Post: Fulfilling Our Mission to Benefit Public Power and America
Keeping America Powered: Meet Utility Workers Essential To Their Communities (Part 3)
Keeping America Powered: Meet Utility Workers Essential To Their Communities (Part 2)
Keeping America Powered: Meet Utility Workers Essential To Their Communities (Part 1)
Meet Our Essential Workers: Performing a Critical Role in Our Communities
E&E News: FERC unveils transmission plan seen as key for renewables
Canary Media: The US needs to build a bigger, stronger grid. FERC has a plan for that.
Austin Energy and LIPA Leaders Take the Reins at LPPC
LPPC Urges Congress to Consider Public Financing Tools in any COVID-19 Economic Stimulus Bill
LPPC Urges Congress to Support Public Power Communities
Large Public Power Council Chair and Vice-Chair Offer Insight on Response to the Coronavirus, Plans for Re-entry
LPPC Issues Statement on Clean Energy Innovation and Deployment Act of 2020
LPPC Calls on Congress to Prioritize Public Sector Infrastructure Investment
LPPC Issues Statement Regarding EPA’s Proposed Rulemaking on Mercury and Air Toxics Standards (MATS)
Large Public Power Council Welcomes Austin Energy General Manager Jackie Sargent as New Chair, Long Island Power Authority CEO Tom Falcone Elected Vice Chair
LPPC Issues Joint Statement Regarding FERC’s Proposed Rule on Transmission Planning