The number of cyber intrusions and attacks targeting the Electric sector is increasing and in 2020 Dragos identified three new Activity Groups (AGs) targeting the Electric Sector: TALONITE, KAMACITE, and STIBNITE. A full two-thirds of the 15 AGs that Dragos actively tracks are performing Industrial Control Systems (ICS)-specific targeting activities focused on electric utility operations.
Although disruptive attacks have not been publicly observed since 2016, as adversaries and their sponsors invest more effort and money into obtaining such capabilities, the risk of a disruptive or destructive attack on the electric utility industry is growing significantly. Moreover, supply chain risks and ransomware attacks continue to enable intrusions and have disruptive impacts on electric utility operations.
The electric sector leads other industrial sectors in security investments worldwide and while this was historically focused on enterprise information technology (IT) networks, significant advancement in operational technology (OT) security is underway.
For example, in North America the electric sector has been working for over a decade to address cyber threats through board-level decisions preparedness exercises like GridEx, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards; and most recently a 100-day action plan at the direction of the White House in partnership with the Department of Energy. Dragos Neighborhood Keeper technology was selected as part of this effort by the Electric sector and as a result, visibility across OT networks in the U.S. increased from less than 5% to over 70% of the electric system.
Global Electric Cyber Threat Perspective Now Available
While the number of intrusions in the electric sector has increased, we have not observed new groups demonstrating ICS-disruptive or destructive capabilities. However, new interest in the electric sector shown by XENOTIME, an AG that has already targeted Safety Instrumented Systems in the past, is a sign that the industry should maintain a high level of attention. As one of the most dangerous threat activity groups publicly known, XENOTIME focuses on physical disruption and long-term persistence.
Supply chain threats are increasing in scale and sophistication, as evidenced by the attacks on SolarWinds revealed in December 2020. Software updates and routine patching are not the only potential entry vector that could be abused in a supply chain type of intrusion. Original Equipment Manufacturers (OEM), vendors, and third-party contractors could provide an ingress into electric utility environments via compromised or poorly-secured direct network connections and remote access connections. Ransomware remains a threat to electric operations and could potentially disrupt critical operational systems or operational support systems.
Our recent report, Global Electric Cyber Threat Perspective, covers these topics in more detail and provides a threat assessment overview for all phases of the power generation and delivery process including generation, transmission, and distribution. It also describes the 11 AGs that Dragos tracks that are explicitly targeting electric systems or attempting to gain access to them.
Get the latest intelligence
Ready to put your insights into action?
Take the next steps and contact our team today.