By Martin Kidston
Just before the weekend arrived, a power utility in Vermont found that hackers had penetrated a computer by placing malware on the device – a discovery that sounded the alarm at utilities across the country.
While it remains unknown how widespread the attack was or if Russia was behind it, authorities believe the hackers were looking to identify and access vulnerabilities in the nation’s electrical grid by accessing small, rural utilities.
For NorthWestern Energy, that evolving cyber threat is both real and costly, forcing the utility to comply with changing federal regulations as the nation looks to harden its defenses against bad state actors.
“It (the malware) was discovered because the industry had been made aware the code was out there,” said Claudia Rapkoch with NorthWestern Energy. “That happens all the time. We’re made stronger by our abilities to share information amongst ourselves, so we’re aware of the potential risks.”
Burlington Electric found out about the attempted penetration when the U.S. Department of Homeland Security notified the utility about a hacking campaign called Grizzly Steppe.
Rapkoch said NorthWestern has taken steps since the malware was found on the Burlington Electric computer, though she declined to detail the latest threat in an effort to keep security measures confidential.
Still, she said, both physical and cyber security remain a high priority for the utility. In the past and for security reasons, NorthWestern has been required to move its major transmission lines further apart. Now, it’s on the lookout for infected emails that could potentially cripple the power grid.
“Threats come from all over the place,” said Rapkoch. “We have to be prepared for any potential threat, and there are many. We manage the risks associated with those threats.”
Rapkoch said utilities are subject to a number of critical infrastructure standards that deal with both physical and cyber security. They fall under the Federal Power Act and the Federal Energy Regulatory Commission.
The North American Reliability Corporation serves as the regulatory arm that assures security of the nation’s bulk power system. Penalties for violating the standards can exceed $1 million a day, Rapkoch said.
“We have to comply with them, and there are penalties for violation,” she said. “They continue to evolve every day, practically, with input from both utilities and the government. There’s a cooperative effort with the utilities and the government to share information back and forth to have as much defense as possible, without going into any detail.”
While physical security became a concern following 9/11, including the security of dams and other critical infrastructure, a cyber attack can prove just as costly. In the Vermont case, authorities believe the hackers were attempting to shut down the power grid in the middle of winter.
According to the Washington Post, the loss of power could have “disastrous implications” for the nation’s medical and emergency services, along with its economic sector. The report suggests that other utilities may have been targeted in Grizzly Steppe, though that hasn’t been confirmed and Rapkoch declined to discuss any details.
“As more reliance and access is given to the overall Internet of things, hacking, regardless of who the potential actors are, is a threat to anything, utilities being one of many,” Rapkoch said. “How you manage the risk associated with that depends a little on the industry and the risk involved. It’s something we devote a lot of resources to.”
Rapkoch said employees are warned to avoid phishing scams that tempt them to open infected emails, and the utility continues to harden its defenses in accordance with regulatory standards.
Doing so comes with costs, though Rapkoch said that’s part of doing business in the cyber age.
“We’re as protected as we possibly can be,” she said. “It’s something we talk about as a company nearly every day. (Hackers) are trying to find the weak spot, and sometimes it’s the person. It’s part of our daily focus.”