For utilities, it’s time to reassess DDoS protection

Last month I had the pleasure of interviewing Richard Hummel on our podcast. Given the timeliness and critical nature of cybersecurity threats to energy companies, I invited Richard to post this guest blog to elaborate on the challenges at hand. — Jon Powers

By Richard Hummel, Threat Intelligence Lead, NETSCOUT

Cyberattacks against critical infrastructure like energy utilities can cause enormous disruption in the daily lives of millions of Americans. For proof, we need look no further than the cyberattack on Colonial Pipeline, which spawned fears of fuel shortages and sparked gas lines in large swaths of the U.S. earlier this year.

In response, the Biden administration has launched a broad effort to increase cybersecurity at utilities and other critical infrastructure, with a proposed budget that includes nearly $10 billion for civilian cybersecurity next year, a 14% increase. Concurrently, a bill pending in Congress would allocate nearly $1 billion to state, local, and tribal governments to upgrade their cyber defenses, with utilities a primary focus.

But one form of attack that utilities should always be prepared for is the oldest and most basic: distributed denial of service (DDoS). DDoS attacks flood a target with traffic from many sources to exhaust its bandwidth, connection state, or application resources, slowing services down or cutting off access outright. They are not technically complicated, so even actors with rudimentary skills can launch them. In fact, DDoS-for-hire services on the dark web will launch an attack on a customer's behalf for as little as $7.

A rising threat

The most recent DDoS attack to make the news targeted Luma Energy just 10 days after the company had become the primary electricity provider for the island of Puerto Rico. The attack took down the client portal and mobile app, restricting customers’ ability to access account information. What’s worse, it was launched at the exact time the company was battling another crisis, as a fire at an electrical substation knocked out power to more than 800,000 customers.

In 2020 we saw 10 million DDoS attacks, a 20% increase over 2019, and that increase hit every industry and sector in the world. In the utilities sector specifically, we observed 2.3k attacks in 2019 versus 7.3k in 2020, a 217% year-over-year increase. In the first half of 2021 we had already observed 4,800 attacks with six months still to go, putting the sector on track for yet another year-over-year increase.

Increased vulnerability

Today, several trends within the utility sector are converging to increase exposure to DDoS attacks. One is the proliferation of embedded Internet of Things (IoT) devices that enable remote monitoring and control, such as smart meters that let utilities measure energy usage without physical access to a property. These devices can not only be targeted by DDoS but also compromised and conscripted into botnets to launch further attacks.

Furthermore, consumers are demanding more digital services: they want to pay their bills and monitor their usage online, and every new portal or API expands the attack surface. The increase in utility employees working remotely due to COVID, and therefore relying on that same digital access themselves, has exacerbated the problem.

Increased mitigation

The good news, however, is that most DDoS attacks can be mitigated with proper planning and resources. A good first step for a utility is to establish a baseline of normal network traffic: not just average bandwidth, but peak bandwidth, packet rates, and protocol mix, since a packet-rate flood can exhaust firewall or load-balancer state long before the link itself fills up. With this baseline, utilities can extrapolate what capacity they would need to absorb a DDoS attack on their own and what would have to be scrubbed upstream. Because of the increase in devices and digital services, utilities should expect that their network needs have expanded dramatically.
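As an added example (not NETSCOUT's code or anything from the original post), the following Python builds such a baseline from per-minute link counters and checks later minutes against it. It assumes a hypothetical export of bits per second and packets per second per minute, the kind a flow collector or SNMP poller produces; the 60-minute series is constructed, with a volumetric flood overlaid on minutes 30 to 35 and a small-packet flood on minutes 40 to 43. Bandwidth and packet rate are checked separately, and the output includes the multiple of baseline each attack reached, which is the number capacity planning actually needs.

```python
"""Traffic baseline and DDoS anomaly check over per-minute link counters.

Added example, not code from NETSCOUT or the original post. Input is a
hypothetical per-minute export (bits/s and packets/s); the data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    minute: int
    bps: float  # bits per second, averaged over the minute
    pps: float  # packets per second, averaged over the minute


@dataclass(frozen=True)
class Baseline:
    bps_mean: float
    bps_sigma: float
    pps_mean: float
    pps_sigma: float


@dataclass(frozen=True)
class Alert:
    minute: int
    kind: str         # "volumetric", "packet-rate" or "both"
    bps_ratio: float  # observed bps / baseline mean bps
    pps_ratio: float  # observed pps / baseline mean pps


def constructed_samples() -> list[Sample]:
    """Constructed 60-minute series for a hypothetical customer-portal link.

    Normal minutes wobble deterministically around 200 Mb/s and 25 kpps.
    Minutes 30-35: volumetric flood (bps and pps both high).
    Minutes 40-43: small-packet flood, barely moves bps but pps explodes,
    the shape of a SYN or UDP flood aimed at state tables.
    """
    samples = []
    for m in range(60):
        bps = 200e6 + 10e6 * ((m * 7) % 5 - 2)
        pps = 25e3 + 1e3 * ((m * 3) % 5 - 2)
        if 30 <= m <= 35:
            bps, pps = 4e9, 400e3
        elif 40 <= m <= 43:
            bps, pps = 260e6, 600e3
        samples.append(Sample(m, bps, pps))
    return samples


def build_baseline(training: list[Sample]) -> Baseline:
    """Fit mean and population std-dev to a window believed to be attack-free."""
    if len(training) < 2:
        raise ValueError("need at least two samples to estimate variance")
    bps = [s.bps for s in training]
    pps = [s.pps for s in training]
    return Baseline(mean(bps), pstdev(bps), mean(pps), pstdev(pps))


def thresholds(b: Baseline, k: float = 4.0, min_rel: float = 0.5) -> tuple[float, float]:
    """Alert above mean + k*sigma, floored at mean*(1+min_rel) so a very steady
    baseline (tiny sigma) does not turn an ordinary traffic bump into an alert."""
    bps_thr = max(b.bps_mean + k * b.bps_sigma, b.bps_mean * (1 + min_rel))
    pps_thr = max(b.pps_mean + k * b.pps_sigma, b.pps_mean * (1 + min_rel))
    return bps_thr, pps_thr


def detect(samples: list[Sample], b: Baseline, k: float = 4.0) -> list[Alert]:
    """Flag minutes over either threshold. bps and pps are judged separately:
    a packet-rate flood can exhaust firewall or load-balancer state while the
    link itself looks nearly idle."""
    bps_thr, pps_thr = thresholds(b, k)
    alerts = []
    for s in samples:
        over_bps, over_pps = s.bps > bps_thr, s.pps > pps_thr
        if not (over_bps or over_pps):
            continue
        kind = "both" if over_bps and over_pps else ("volumetric" if over_bps else "packet-rate")
        alerts.append(Alert(s.minute, kind, s.bps / b.bps_mean, s.pps / b.pps_mean))
    return alerts


def required_headroom(alerts: list[Alert]) -> dict[str, float]:
    """Largest multiple of baseline seen under attack: a first cut at how much
    capacity, or upstream scrubbing, would be needed to ride it out."""
    return {
        "bps": max((a.bps_ratio for a in alerts), default=1.0),
        "pps": max((a.pps_ratio for a in alerts), default=1.0),
    }


if __name__ == "__main__":
    data = constructed_samples()
    base = build_baseline(data[:30])  # pre-attack window used as training data
    found = detect(data, base)
    for a in found:
        print(f"minute {a.minute:2d}: {a.kind:12s} {a.bps_ratio:5.1f}x bps {a.pps_ratio:5.1f}x pps")
    print("headroom needed:", required_headroom(found))
```

On this constructed data the volumetric minutes trip both thresholds at roughly 20x baseline bandwidth, while the small-packet flood stays under the bandwidth threshold entirely and is caught only by the packet-rate check at 24x baseline; a baseline that tracked average bandwidth alone would have missed it. The training window must itself be clean, so in practice it is built from a longer history than 30 minutes and reviewed before it is trusted.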


Another good step is to formalize a response plan for a DDoS attack; at NETSCOUT, we always say that it is not "if" a DDoS attack will occur but "when." Even a utility that already has such a plan should update it to cover work-from-home factors, new IoT features on the network, and what would happen if a DDoS attack interrupted operations at key vendors or suppliers, since attacks on the supply chain are also a crucial vector.

When energy service is disrupted, life stops for consumers and businesses alike. DDoS attacks pose a significant risk to utilities, especially as the industry becomes more reliant on digital services and IoT devices, but with proper preparation it is entirely possible to mitigate this potentially devastating form of cyberattack.

Tune in:

Richard Hummel was recently interviewed on Experts Only podcast. Listen to Episode 95 here.