Why Malware is a Huge Risk for Utilities

Malware is a huge risk to utility companies because it is cheap and easy to deploy, highly effective, and utilities are top targets for state-sponsored hackers.  Malware actually shut down parts of the Ukraine grid two years in a row.  While this dramatic scenario is unlikely in the US, malicious software could wreak havoc in other ways.

How Malware Puts Utilities at Risk

Malware is a broad category of malicious software that continuously evolves.  According to this article, there are 5 types of malware attacks that utilities need to be paying attention to:

1. Backdoors – These are small entry points into a company’s network that are typically used to lay the groundwork for potential attacks in the future.  Once entry has been obtained, the system can be modified (often via the installation of a rootkit) so that the hacker has administrative rights to make system changes.  Sometimes the malware can be used to compromise hardware, in which case the only reliable remedy is to replace it.
2. Data theft – This category of attack involves the stealing of data for reasons such as intelligence gathering or obtaining customer payment info.  Sudden changes in admin rights or large data uploads are often signs of trouble.
3. Encryption – This is a method used to block access to stored files or even hardware, for the purposes of extortion.  This is like ransomware, in which access is blocked until the victim pays a bounty.  A key mitigation tactic here is making frequent backups of all data, and then placing the backed-up data under virtual lock and key to prevent unauthorized access.
4. Data manipulation – Involves the deployment of “wiper” software to erase data and disrupt operations.  This has been a relatively common type of attack within the Middle East oil industry for several years.  Mitigation tactics are the same as for ransomware.
5. Financial fraud – The most common type of attack in this category is phishing, in which a recipient is sent a personalized email that seems to fall under normal business activities, but that contains an attachment or link that downloads malware onto his computer.  Employee training is the key mitigation tactic.

As you can see, malware is a risk to utilities – electric utilities, water utilities, natural gas utilities, you name it – and must be accounted for in terms of prevention (anti-malware software, network monitoring, 2-factor authentication, dedicated workstations for highly-classified operations, etc.) as well as post-incident recovery.