In 2019, cyberwar arrived in Matt Stormoen’s small city of Wisconsin Rapids, Wis.
That year, criminal hackers conducted a wave of assaults against more than a dozen small under-defended utilities across 18 states. The attackers, traced to Hong Kong, had chosen their targets because of their proximity to critical U.S. infrastructure, including major federal dams and transmission lines, navigational locks crucial to steel mill imports, and grid-scale energy-distribution hubs.
“They tried to get through our firewall,” says Stormoen, who heads up IT at Wisconsin Rapids’ Water Works and Lighting Commission, which provides power to some 15,000 customers. Although his network was not breached, Stormoen says, “we’ve had to continually stay on top of threats.”
The FBI and the Department of Homeland Security have long warned that the U.S. energy sector is a target for hackers. In April, the successful ransomware attack on Colonial Pipeline proved this, shutting down a major fuel line and forcing the company to cough up a $4.4 million payout.
While large U.S. utilities have deep pockets to beef up cybersecurity—to protect their networks and the thousands of endpoints that connect to it—smaller utilities and energy providers often lack the budgets to do the same.
“Much of the infrastructure running technology at smaller utilities is too old for modern cyber tools, doubling the concern,” says Tyler Costello, director of strategic accounts at Tanium who works with several critical infrastructure facilities and one of the nation’s largest electric and natural gas providers. “Smaller utilities have to contend with outdated systems, budget constraints, and limited resources.”
Small budgets, little expertise
Like its peers across the industry, the Wisconsin Rapids utility is digitizing its operation, using technologies like smart metering, online payment portals, and cloud computing platforms. But all this internet-connectedness comes with a cost. It draws the attention of cybercriminals.
Small utilities, those serving a few thousand customers or less, are particularly vulnerable. They feel the need to modernize, in part to fend off takeover efforts by larger utilities, but they often are reluctant to (or simply cannot) raise rates or local taxes to pay for the upgrades. As a result, these utilities often can’t afford an on-site IT professional.
“So, the IT guy might have to do customer service. He might have to do marketing as well,” says Carter Manucy, director of cybersecurity at the Florida Municipal Power Agency (FMPA), a coalition of 32 utilities across the state, a member of the American Public Power Association.
Smaller utilities have to contend with outdated systems, budget constraints, and limited resources.
Municipal-owned utilities and rural cooperatives also face another challenge that large utilities do not. They operate beyond the oversight and protection of the North American Electric Reliability Corp (NAERC). This industry body monitors bulk power system owners, operators, and users, and can levy fines for lax compliance. That means the big boys have a financial stake in playing by the rules, and they are given useful guidance in how to go about doing that.
There’s a serious perception issue. Because small utilities don’t have as much oversight “criminal hackers may think they are an easier prey,” says Nicholas Abi-Samra, an adjunct professor at the University of California, San Diego, who teaches classes on power systems and provides consulting services to the electric utility industry. “But they face the same kinds of threats.”
Back to basics
Bolstering a utility’s cybersecurity—which could include installing new servers and security software, training workers, and setting up a security operations center—could run into millions of dollars. Raising that money is a stretch for small rural utilities, which often serve low-income families who can’t afford the higher energy bills that would be needed to pay for the investment.
Manucy’s FMPA does offer its members cybersecurity training at low or no cost. But there is a growing realization that that’s not enough. He says federal aid is needed to bring many of these operations up to speed. That would include instituting multiple lines of defense, starting with basic identity and access management to shared applications and networks.
This could include using two-factor authentication and instituting a zero-trust model of network access. In that model, any endpoint, device, or user (even previously known ones) is deemed untrustworthy until it is verified. It also requires granting least-privileged access based on who is requesting the access, the context of the request, and the risk of the access environment.
There are other ways utilities can start strengthening their cybersecurity, namely by turning to the basics of good IT and cybersecurity hygiene. Under the adage “you can’t manage what you can’t see,” the first step is finding and inventorying all endpoints—laptops, PCs, tablets, even virtual machines in the cloud—that are connected to your network. By regularly monitoring these endpoints, in real time all the time, you can detect potential vulnerabilities and active threats.
Smaller utilities must also invest in a software management platform that allows them to keep pace with the apps, devices, and software that have proliferated during the work-from-home era. A single platform can help any small or midsize utility detect, monitor, update, and secure enterprise applications from one console—at scale. Likewise, a platform can help manage and monitor all endpoints, helping locate and resolve security issues in real time.
Shoring up firewalls
After the FBI informed Wisconsin Rapids that attackers had probed its systems in January and March 2019, Stormoen led a thorough evaluation of the utility’s cyber defenses. This included fully reviewing their endpoint security posture and the company’s overall security policies. As a result, Stormoen upgraded the firewalls and installed new security software.
Small utilities [are] asking to ‘buy or rent’ a chief information officer who can provide guidance.
The utility also became a member of the Electricity Information Sharing and Analysis Center (E-ISAC) and the Multi-State Information Sharing and Analysis Center (MS-ISAC). Both of those bodies gather and disseminate information and warnings about cyberattacks. Today, Stormoen receives daily reports that help him identify threats and ensure that his defenses are secure.
Of course, not all small utilities have a full-time Matt Stormoen to keep an eye on the frontline. But many are trying a novel approach. Manucy of the FMPA has seen an uptick in small utilities asking to “buy or rent” a chief information officer who can provide guidance on their systems. This is partly driven by cybersecurity insurers that require in-house expertise before they issue a policy. Many of the nearly three dozen members of his utility coalition have asked him: “How can I get training? My insurance company is asking.”
For small utilities, the stakes couldn’t be higher or more outsized. The U.S. energy grid is an incredibly complex and interconnected system. The disruption of a single node can have a cascading effect. Just consider the 2003 Northeast blackout, which plunged 50 million people into darkness after a single monitoring tool in an Ohio energy control room malfunctioned.
But even if a cyberbreach is isolated within a small utility’s network and only affects the local population, its impact could be severe, says Stormoen. It could hinder police responses and fire services, as well as at-home critical care. “Just one could cause a lot of damage.”