Electric utilities reported eight attempts to compromise their cyber systems to NERC last year, according to the ERO’s annual cybersecurity report.
And while none of the incidents affected reliability, the evidence of attackers’ ongoing efforts to destabilize the grid “highlights the continued need for vigilance,” NERC said.
NERC published the report last week in accordance with FERC’s Order 848 of 2018, in which the commission directed the development of a reliability standard to “augment mandatory reporting of cybersecurity incidents.” The initiative resulted in CIP-008-6 (Cybersecurity — incident reporting and response planning), which FERC approved the following year. (See FERC OKs Cyber Reporting Rule.)
The standard expanded mandatory reporting of cybersecurity incidents to a wider range of intrusion attempts, along with specifying the minimum information that must be reported. Responsible entities must send their reports to the Electricity Information Sharing and Analysis Center (E-ISAC) and the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team by the end of the next calendar day, or within one hour depending on the seriousness of the incident.
FERC’s order also directed NERC to submit an annual, anonymized public summary of the cyber incident reports received each year through the E-ISAC. NERC delivered its first annual cyber report last March, after CIP-008-6 became mandatory on Jan. 1, 2021.
WECC, MRO, Texas RE Report Incidents
According to last week’s report, entities sent eight CIP-008-6 cyber incident reports to the E-ISAC in 2022, compared to two the previous year. Four of the reports were submitted by entities in WECC, and two each from the Midwest Reliability Organization and Texas Reliability Entity.
NERC withheld some incident data from the report, such as the utilities involved in the incidents or details about when and where they occurred, in order to prevent potential threat actors from gaining information on how to target critical infrastructure. However, the ERO emphasized that “none of the reported [incidents] successfully compromised a BES [bulk electric system] cyber system or affected reliable operations.”
Four of the reported attacks involved malware, a category that includes malicious code, Trojans (a type of malware disguised as legitimate code or software), and ransomware. Two of the malware incidents involved the exploitation of “known vulnerabilities to attack EACMS [electronic access control or monitoring systems] assets” — in one case a vulnerability in Apache’s Log4j product and in the other a weakness in software from information security company Fortinet.
Another malware incident saw the attacker attempt to use a Trojan to compromise an interactive remote access asset. Of the fourth, NERC said that it “only affected a few systems on the entity’s corporate IT [information technology] network” and that the Supervisory Control and Data Acquisition (SCADA) network did not appear to have been affected.
Two further incidents involved attacks on third parties — both in the WECC region — that provided support services for BES cyber systems. One third party provided backup SCADA monitoring services for two wind power facilities. The attack caused outages to its email and phone systems, and loss of access to SCADA. The other incident was a distributed denial of service attack against the internet service provider of a vendor that provided third-party forecasts for a balancing authority.
NERC also reported an attempt to remotely open a physical gate at a facility, which failed, and a final incident “of unknown origin” that led to loss of visibility in an entity’s EACMS and physical access control systems. The last incident is still under investigation.
Further Vigilance Needed
The ERO’s analysis indicated that last year’s cyber incidents “seem to have targeted specific systems related to cybersecurity defenses and BES monitoring.” Though none of the attacks affected reliability functions or successfully compromised BES cyber systems, two did succeed in compromising cyber assets associated with BES cyber systems — the one of unknown origin and one in which the attacker “was able to change several firewall rules and create administrator accounts on the affected devices before being detected.”
The attacks on vendors “impacted entities to various degrees,” but had no operational impacts on the grid. Likewise, the attack on an entity’s corporate IT system had no impact on cyber systems, cyber assets or operations. While another attacker did succeed in sending a signal to open the gate, the attempt was ultimately unsuccessful because the gate did not open.
Finally, NERC said the attempted exploit of the Log4j vulnerability appeared to be a broad scan for vulnerable targets rather than an attack aimed at the responsible entity specifically. There was no penetration of the entity’s electronic security perimeter, and no further traffic was observed beyond the system sending the attacker an “awake” message.
Though NERC said it was “encouraged that there were no operational impacts from the reported incidents … and that entities reported these attempts to the E-ISAC,” it found more work is needed to improve vigilance against cyber threats. A new standards development effort is underway to enhance the reporting requirements in the form of Project 2022-05 (Modifications to CIP-008 reporting threshold). The ERO said this project is intended to “provide a minimum expectation for reporting attempts to compromise.”