If 25% of US utilities downloaded the malicious SolarWinds software, could the grid go down Ukraine-style?

According to the North American Electric Reliability Corporation (NERC), about 25% of its 1,500 registered entities, comprising users, owners, and operators of the bulk power system in North America, indicated that they downloaded the impacted version of the SolarWinds Orion platform.

The utilities voluntarily reported to NERC that they had downloaded the malicious software while performing routine updates to their systems. They did so in response to an alert issued by NERC in December 2020 after the SolarWinds breach was discovered. A spokesperson for NERC explained in an email that NERC regularly issues alerts “to gather data from entities about reliability or security issues.” NERC then analyzes the information it receives and sends its findings back to the entities to “raise awareness and help them develop mitigation strategies,” the spokesperson said.

“Helping our members to successfully prepare for and rebuff cyber and physical attacks is largely based on the insight gained through this voluntary information sharing from asset owner operators and partners,” the spokesperson added.

The SolarWinds Orion platform is used by large entities including the U.S. government. Scott Sternfield, Chief Technology Officer with Agile Inclusion and Chair of the Cybersecuring the Grid Educational Track at DISTRIBUTECH International, said he wasn’t surprised to learn that roughly 345 U.S. utilities are now at risk.

“SolarWinds is a very popular product for managing large IT networks (which utilities are),” he said in an emailed statement, adding, “The latest versions of the software were affected until the discovery date, so utilities who were following industry best practices of keeping their software up to date still ended up impacted.”

Could the Grid Go Down?

In December 2015, three Ukrainian distribution utilities were hit by a cyberattack that resulted in a massive power outage. This was the first known cyberattack on a power grid and set a scary precedent for utilities worldwide.

Cybersecurity experts Lila Kee, General Manager of GlobalSign North and South America, and Richard Brooks, co-founder of Reliable Energy Analytics, both said in an interview that the threat of a catastrophic event in the US is very real now that malicious actors have already breached utility networks.

“I would say this is a vulnerability that leads to a big exposure to the grid, especially in terms of ransomware,” said Kee.

Malicious actors could be anywhere, said Brooks: “They can be sitting dormant just waiting for a message to arrive.”

The two agree that stopping an intrusion before it occurs is key, and they recently authored an article for POWERGRID on the importance of understanding your software bill of materials (SBOM).

“Once they are walking around in the network, it’s too late,” said Kee. Brooks added that a software attack this sophisticated is exceedingly difficult to eradicate, so having a business continuity plan is essential.

“It’s a really hard problem to solve,” said Brooks.

How Can Utilities Safeguard Their Networks?

As part of the American Rescue Plan Act of 2021, the Biden Administration allocated $1.65 billion to agencies within the government to boost cybersecurity efforts. The agencies include the Cybersecurity and Infrastructure Security Agency (CISA), which is heading up the response to the SolarWinds Corp breach, and the Technology Modernization Fund, which is focused on IT in government agencies and also covers cybersecurity.


The Electricity Information Sharing and Analysis Center (E-ISAC) says it is actively monitoring the supply chain compromise and its impact on the electricity industry, collaborating with members and partners to provide updated information and guidance. It released an alert on March 18, 2021, updated on April 9, that could help utilities detect “post-compromise threat activity” using the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a free tool that scans for signs of advanced persistent threat (APT) compromise within an M365, Azure or on-premises environment.

Sanctions against the Perpetrator

The Associated Press reported that the Biden Administration is preparing to announce sanctions against Russia in response to the SolarWinds breach and other attempts to interfere with the government. AP spoke with a U.S. official who said that Biden intends to expel about 10 Russian diplomats and will make the announcement later today.

According to the AP, the SolarWinds breach affected several government departments, including Energy, Homeland Security, Justice and Treasury, and the agencies are still working to determine exactly what information may have been stolen.

This is an ongoing story. We’ll provide updates as they unfold.

Jennifer Runyon manages content on Renewable Energy World and POWERGRID International and also serves as the conference advisory committee chair for DISTRIBUTECH International. You can reach her at Jennifer.Runyon@ClarionEvents.com