Internet Attack Prompts Warning to Utilities


October 26, 2016

On Friday, Oct. 21, a Distributed Denial of Service (DDoS) attack against the Dyn Managed Domain Name System (DNS) infrastructure occurred, which shut down some popular web-based media systems. Such attacks are escalating, according to numerous sources, and this was the highest throughput DDoS attack seen to date. Due to the highly interconnected state of the Internet of Things (IoT), and the insecurity built into systems as mundane as consumer products and toys, experts warn there is a risk that this type of attack can now be leveraged against critical industrial control systems, such as those used in the electric power industry.

APPA Executive Director Sue Kelly emailed utilities Oct. 25 to urge review of a white paper recently posted by the Electricity Information and Analysis Center (E-ISAC). This white paper discusses the recent DDoS attacks on computer systems, and includes mitigation recommendations. You should read this report and take actions where necessary. The document can be downloaded here:

https://www.eisac.com/api/documents/5365/publicdownload

The "bottom line" of the paper is that the E-ISAC strongly recommends utilities examine their Internet-facing systems to ensure that: 

  • Internet-facing devices are inventoried and examined for vulnerabilities; 
  • Internet-facing devices have sufficient business justification for being publicly exposed; 
  • Utility-owned and managed systems that are exposed to the Internet have adequate protections in place to prevent the exploit described in the paper.

If you do not have the technical expertise within your utility to take these steps, you should seek assistance (one way of doing so is described below). 

Set out below are the key points in the white paper, to convey the risks and recommendations without getting into the technical details.

APPA recommends incorporating the E-ISAC's recommendations into your cyber security programs and processes, due to the unprecedented scale of these recent attacks.  In addition to the "top level" recommendations noted above, the E-ISAC in its white paper is recommending the following: 

  1. Avoid permitting direct, unprotected, public Internet access to your Industrial Control System (ICS) devices.
  2. Perform a self-evaluation of your organization's Internet address space using a tool, such as Shodan, or something similar.
  3. Perform a risk assessment of the discovered Internet connected devices to determine if potential risks are acceptable. 
  4. Where possible, enforce changes of default login credentials, user names, and default manufacturer passwords, especially on systems that are connected to the Internet, as these are widely known [and thus exploitable]. 
  5. Where possible, prohibit the use of "administrator" or "root" accounts on systems that are connected to the Internet.
  6. It is strongly suggested to restrict or eliminate the use of the Telnet protocol and similar protocols. 
  7. Avoid acquisition or implementation of systems that allow users or computers from the Internet to gain privileged access (or access administrative interfaces) on Internet-facing systems. 

To fully understand these recommendations and the reasons for them, you should read the full text of the white paper, and discuss with your security team or security provider the potential risks to your business and operations systems. 

Your immediate attention to these recommendations will help mitigate the risk of your cyber systems being misused or rendered unavailable, with all the actual and reputational damage such an event could cause.

If you have not done so already, sign up for the E-ISAC portal to receive further details on this and other cyber risks. APPA also encourages you to use the E-ISAC forum to stay informed and to share information on any cyber or physical attacks, so those in the electricity industry can learn from each other and better defend themselves. To sign up, please contact the E-ISAC for further information at operations@eisac.com or www.eisac.com, or use the 24x7 hotline at (404) 446-9780, press 2. If you have trouble signing up, please contact Nathan Mitchell of APPA staff at 202-467-2925 or nmitchell@publicpower.org.

One way to get help in dealing with the ongoing cyber threats to our industry is to sign up for the Cyber Mutual Assistance (CMA) program. The Electricity Subsector Coordinating Council (ESCC) has initiated the CMA program to provide support to affected utilities in the event of a cyber-attack. You can learn more about and sign up for this industry-supported program by emailing cma@eei.org.