The number of cybersecurity-related incidents reported to the North American electrical industry’s information-sharing centre last year more than doubled in many categories, according to the annual report of the North American Energy Reliability Corporation (NERC).
Released Tuesday, the 2021 State of Reliability report said that once again NERC — which enforces mandatory reliability standards for bulk power providers in Canada and the U.S. — received no reports of cybersecurity incidents that caused a loss of power load.
However, it also notes that the number of reports of incidents sent by utilities to the Electricity Information Sharing and Analysis Center (E-ISAC) was up 96 per cent over 2019. A cybersecurity incident is defined as an event that may negatively impact an organization and was noteworthy enough to report to the E-ISAC even if there were no outages or reliability impacts.
That figure included:
– a 156 per cent increase in vulnerability-related incidents (328 incidents, up from 128 in 2020);
– a 111 per cent increase in suspicious activities (956 incidents, up from 453);
– a 170 per cent increase in ransomware-related incidents (73 incidents, up from 27).
“Furthermore,” the report added, “the unprecedented COVID-19 pandemic created an increased remote cybersecurity attack surface for industry due to increased telework.” This “required greater sharing and collaboration by the E-ISAC with all levels of the electricity industry, United States and Canadian governments, and partners than ever before.”
The typical energy supplier experiences thousands or millions of events every day, the report also noted, “and very few of these events are incidents.”
In a briefing to reporters about the report, John Moura, NERC’s director of reliability, said the revelation last year of supply chain attacks through SolarWinds’ Orion network monitoring platform, where the application’s update mechanism was compromised, was a wake-up call to the industry.
“The persistence [by attackers] that we’ve seen and the level of sophistication more recently – especially SolarWinds at the end of last year – highlighted the capability of the threat actors,” he said. “It’s heightened the sense of security posture that’s needed, and I think specifically that attack and the threat of future supply chain compromises given all of the variables around the globe has created more desire to increase the security posture across the industry.”
In fact, the report notes that “with the successful SolarWinds compromise, a new single-attack vector that would effectively mimic a co-ordinated attack raises significant concerns about protection of any and all externally routable devices regardless of their individual scale or impact.” As a result, NERC’s cyber standard for rating high, medium, or low impact assets should be reviewed, the report said.
The report didn’t mention any utilities that were victimized by the SolarWinds compromise. However, a threat intelligence firm called TrueSec said one U.S. municipal utility showed signs of a backdoor related to the compromise on its system.
Cyber and physical security are among the highest priorities of North American bulk power providers, Moura said. “We’re seeing over the last year – and the trend over many years – is the types of [cyber] threats that we’re seeing, the persistence of the threats, number of attack vectors, the more distributed nature of the [electrical] system that increase the attack vectors, all of those have increased. Unlike other risks these are more difficult to manage because we’re talking about threat actors.”
Reliability risk priorities
Separately, NERC released its 2021 Reliability Risk Priorities Report, which looks at future risks to the North American electric grid. NERC members surveyed rated cybersecurity vulnerabilities as their second biggest threat, said the report. First was the changing resource mix, which covers the continually changing mix of power supplies to generators, like natural gas, solar, wind and other power sources.
Cyber threats are “at the top” of the agenda of energy meetings with the energy industry, government and regulators, Moura said.
The report found that in 2020 cybersecurity attacks and vulnerabilities remained a significant concern, saying, “The threat landscape continued to expand as an increase in cyber incidents that involved ransomware and supply chain compromises were conducted by capable nation-state and criminal adversaries. NERC released two Level 2 NERC alerts related to specific cyber and supply chain-related threats from nation-state adversaries to help industry understand the extent of conditions. The information gleaned from the alerts demonstrated the complexity of the threat and suggested the need for the reliability and security ecosystem, including government partners in the United States and Canada, to rethink how the industry supply chain is secured.”
The report also notes that the E-ISAC has started new pilot projects designed to enhance visibility into critical operational technology (OT) systems, such as supervisory control and data acquisition (SCADA) and energy management systems.
Industry and government “should significantly increase the speed and detail of cyber and physical security threat information sharing in order to counter the increasingly complex and targeted attacks by capable nation-state adversaries and criminals on critical infrastructure,” the report recommends. “This should be complemented by a review of cybersecurity standards, supply chain procurement, and risk assessment.”
The North American power grid is divided into six roughly north-south regional entities that share power networks for enhanced resilience. British Columbia and Alberta, for example, are part of a grid that includes 11 western states.