Last April, US President Joe Biden addressed a joint session of Congress. During the speech he presented his economic stimulus initiative, The American Jobs Plan, a proposal to invest close to 2 trillion dollars in infrastructure over the next eight years. One of the highlights of the plan was the renewal of the electricity grid. As Biden observed, “Our grids are vulnerable to storms, cyberattacks and catastrophic outages”.

Days earlier, the White House had already announced that a specific plan would be developed to protect the electric grid. The plan includes measures such as a comprehensive review of the nationwide grid by the Department of Energy, as well as incentives to improve cybersecurity at electricity companies. The risks posed by sophisticated hacking groups linked to foreign powers such as Russia and China were also flagged when the plan was announced.

Worrying precedents_

The White House’s concern over such threats is justified: there are several precedents of cyberattacks on electric grids or power plants, some of which caused major outages in other countries, as we have covered in our blog. The most prominent incidents are as follows:

  • Berserk Bear: a watering-hole campaign against German electricity companies by a hacking group linked to the Russian Federation. Its aim was not only to gather information from the companies’ IT networks, but also to try to take control of their OT industrial control systems.
  • Crashoverride (also known as Industroyer): malware that reused ideas from Stuxnet, Dragonfly and BlackEnergy2 and, unlike its predecessors, spoke the grid’s own protocols (IEC 101, IEC 104, IEC 61850 and OPC DA) to open breakers directly. In December 2016 it shut down a transmission substation in Ukraine, cutting power to part of Kyiv. Experts saw this action as part of Ukraine’s ongoing geopolitical conflict with pro-Russian separatists in the Donbas region.
  • Triton (also known as Trisis or Hatman): malware built to reprogram Schneider Electric’s Triconex safety instrumented system (SIS) controllers, which are widely used in energy and petrochemical plants. It was not a supply-chain compromise of the Triconex software itself: the attackers first broke into the plant’s IT and OT networks and then pushed malicious logic to the safety controllers. The victim was a petrochemical plant in Saudi Arabia, where the tampering tripped the safety system and shut the plant down.
  • BlackEnergy: the December 2015 attack on Ukrainian energy distribution companies, the first confirmed cyberattack to cause a power outage on an electric grid. The APT used spear phishing as the initial vector, hijacked the operators’ SCADA/HMI systems to open breakers remotely, and then ran the KillDisk wiper on those systems to destroy files and hamper recovery.
  • Stuxnet: considered the first major cyberattack categorized as cyberwarfare, and one of the most famous attacks on industrial plants. The worm, reportedly introduced on a USB flash drive by an insider recruited by Dutch intelligence (with support from the CIA and the Israeli Mossad), manipulated the Siemens PLCs controlling the centrifuges at Iran’s uranium enrichment facility at Natanz (an enrichment plant, not a nuclear power plant) and physically destroyed centrifuges.

Essential Threat Hunting_

The purpose of the incentives set out in the Biden Administration’s plan for electricity companies is to acquire equipment and employ professionals who monitor the networks at plants proactively. Proactivity is key in this sector, which comprises so much critical infrastructure and is therefore vital to the security of citizens and the country.

This is why Threat Hunting services are essential, as Carlos Manchado, CISO of Naturgy, points out: “It is absolutely necessary. It’s good to have a SOC and carry out monitoring, but there comes a time when you have to go further, because by the time a threat is usually detected the company is already compromised, which means incident response is more difficult and costly.”

Cytomic Orion gives SOCs this proactive capability by accelerating incident response and enabling malwareless threat hunting. In addition, utilities need comprehensive, advanced endpoint protection, which Cytomic EDPR provides. Both solutions are combined in Cytomic Covalent. As a result, energy distribution companies and electric grids such as those in the US will be much better prepared to deal with current and future threats.