According to media reports, ransomware attacks against the manufacturing industry have more than tripled compared with last year. This dramatic rise in cyberattacks poses serious concerns about the vulnerability of critical energy infrastructure serving the nation’s electric grid and the government has responded with measures designed to thwart any such efforts.
In the manufacturing sector, a ransomware attack typically involves blocking access to a victim’s computer files. Once the victim pays the specified ransom, access to the files is restored. As more and more manufacturing companies seek to reduce their energy costs and carbon footprints, they are deploying on-site energy equipment that is similar to that used in by electric utility companies. There is increasing concern that these attacks are providing a training ground for coordinated attacks on energy infrastructure in order to disrupt operation of the nation’s bulk power system.
While ransomware attacks have traditionally focused on companies’ information technology (IT) networks, information security experts are now seeing more and more instances of malware spreading to the operational technology (OT) technologies that control key mechanical equipment including winches, derricks cranes, and conveyor systems and robotics used in assembly line manufacturing. Moreover, because manufacturing companies’ systems typically have weaker information security defense systems, and limited, if any, government oversight, they are both attractive and ripe for cyber-attackers, especially those looking to perfect their skills.
Concerns about a potential attack on energy companies are not far-flung. In the last year, cyber-attacks have launched attacks against a large manufacturer’s steel and pipe divisions, as well as oil, gas, aluminum and semiconductor companies. While the majority of these cyberattacks were once carried out by uncoordinated and individual actors, evidence has now revealed the involvement of nation-state actors, such as North Korea and Russia.
There is also growing recognition that cyberattacks have the potential to be even more malicious, disrupting critical energy infrastructure that is becoming more and more digitized. This concern is particularly acute in light of consumers’ increased interconnectedness with the energy gird, and the development of the Internet of Things. These connections, often unmanaged and unencrypted, create a plethora of targets for cyber-attacks. For example, sources estimate that by the end of 2018, almost two million residential solar PV systems had been installed, more than 11,000 homes had residential energy storage units, nearly 900,000 electric vehicle chargers were in use, and more than 20 million homes used smart thermostats. Compounding security concerns, the software offered to run these programs is intended to be simple and user-friendly to increase customer participation, creating numerous new opportunities for savvy hackers to gain access and control, of systems to ultimately compromise them.
The federal government has responded to this elevated threat of ransomware attacks by creating a new information-sharing program, focusing on increased protections to the nation’s Bulk-Power Systems (“BPS”), and creating further restrictions on ransomware payments.
On December 3, 2020, the Department of Energy’s (“DOE”) Office of Cybersecurity, Energy Security, and Emergency Response (“CESER”) announced a new partnership with the North American Electric Reliability Corporation’s Electricity Information Sharing and Analysis Center (E-ISAC). The goal of this pilot program is to improve the energy sector’s information sharing capabilities in an effort to coordinate efforts to identify security threats to the nation’s bulk power system critical infrastructure. According to CESER, the program will “close the information gap to rapidly detect and mitigate even the most dangerous ICS (internal control systems) threats.”
Known as the Cybersecurity Risk Information Sharing Program, or “CRISP,” the program builds on the two agencies, DOE’s and NERC’s, skill sets in intelligence and advanced threat detection technologies and enables collection and analysis of information on credible cyberattacks to the energy sector. One of the most critical elements of the pilot is that, in light of the energy industry’s rapidly changing technology and the convergence of information and operating systems, CRISP’s analysis will encompass both IT and OT data in identifying cyber risks.
On May 1, 2020, President Trump signed Executive Order (EO) 13920, “Securing the United States Bulk-Power System,” which authorizes DOE, in conjunction with Federal partners and the energy industry, to secure the nation’s BPS in response to threats from foreign adversaries. The Executive Order seeks to increase protections for the nation’s BPS by restricting procurements of BPS components from those counties determined to pose an unacceptable risk to national security. The Executive Order:
In October of 2020, in an effort to deter ransomware attacks, the U.S. Department of the Treasury, Office of Foreign Assets Control, issued an advisory on ransomware response. Noting that the demand for ransomware payments has increased during the COVID-19 pandemic as attackers target online systems that U.S. persons rely on to continue conducting business, the agency discouraged companies who are victims to ransomware attacks from making payments. Moreover, the agency guidance suggests that paying ransom may constitute aiding and abetting a sanctioned entity. According to the advisory, by meeting attackers demands, “may enable criminals and adversaries to profit and advance their illicit aims…fund activities adverse to the national security and foreign policy objectives of the United States…[and] may also embolden cyber actors to engage in future attacks.” Instead, the advisory encourages any company that falls victim to a ransomware attack to contact federal authorities.
It is clear that both the private sector and the government recognize the increase threat posed by cyberattacks, both in terms of frequency and severity. While the growing ransomware attacks to date have focused primarily on manufacturing companies, and have so far only nibbled at the edges of the nations’ energy sector, cybersecurity risks to critical energy infrastructure should no longer be considered speculative.