Utilities saw fewer Q1 ransomware attacks than other sectors. A Dragos analyst explains why.
Ransomware is “the foremost widespread cybersecurity threat impacting industrial organizations worldwide,” Abdulrahman Alamri, senior adversary hunter at Dragos, wrote in an April blog post analyzing global cybersecurity incidents in the first quarter. But the electric sector was relatively unscathed, notching just a single incident, compared with more than 100 attacks on the manufacturing sector.
Utility Dive reached out to Alamri to ask about the disparity: Is the electric sector better protected than others, and is there a risk of complacency among utilities?
To some extent, the difference in attack numbers has to do with the size of the industries, Alamri said in an email. Since manufacturing is the largest industrial sector “by number of entities,” it reports the highest numbers of incidents, Alamri said. Ransomware groups are “generally opportunistic and financially motivated, aiming their attacks at entities where they perceive the greatest opportunity to achieve their goals,” he said.
Since the start of 2023, Dragos has observed a rise in ransomware attacks “leading to operational disruptions in numerous industrial organizations,” he said. The organization, which monitors the activities of ransomware groups, including their postings on dark web leak sites, is aware of “many instances” where ransomware operators achieved some level of disruption to operational technology when an attack on an information technology environment “prompts an organization to shut down elements of OT environments as a precautionary measure,” he said.
That type of disruption occurred in 2021 when Colonial Pipeline was shut down following a ransomware attack. The ransomware never migrated into the pipeline’s OT environment, but the company shut down operations as a proactive safety measure, leading to disruptions in gasoline and jet fuel deliveries along the East Coast.
The manufacturing, transportation and industrial control systems equipment and engineering sectors accounted for about 90% of first quarter incidents around the world, according to Dragos. The oil and gas sector experienced eight incidents, or about 4% of attacks. The mining, communications, electric and renewable energy sectors each had two or fewer attacks, according to the cybersecurity firm.
NERC CIP rules help protect electric sector
The electric power sector has security rules and best practices in place that have helped to create a culture of security, Alamri said.
The Critical Infrastructure Protection standards managed by the North American Electric Reliability Corp. “do not directly address ransomware as a separate risk,” Alamri said. However, “many of the policies, procedures and technologies that organizations have had to implement related to different NERC CIP standards do assist electric sector organizations in preventing their exposure to ransomware.”
In particular, utility personnel are trained on NERC CIP-005, which focuses on electronic security perimeters, and CIP-007, which covers systems security management, Alamri said, noting that those rules “emphasize both network and system security in ways that are commonly described as best practices for preventing malware, specifically ransomware.”
NERC and the Federal Energy Regulatory Commission are evaluating new standards, including CIP-015 on internal network security monitoring and the inclusion of virtualization in many of the revisions to other CIP standards, Alamri added.
“Outside of the existing work processes currently being undertaken by the CIP drafting teams, it is unlikely that additional rules and regulations are necessary at this time other than normal revisions,” he said.
Matt Calligan, director of growth markets at ArmorText, said the utility sector doesn’t necessarily need more rules but “what’s lacking is clarity on the application of those rules and how the overlapping requirements of the various regulations often put utilities in a Catch-22.”
Calligan pointed to questions regarding whether utilities can use cloud-based systems. NERC’s rules require grid asset owners to have certain control of the devices operating their software, and cloud computing makes that difficult.
To read the complete article, visit Utility Dive.