culmegan

What are the Real Risks of Ransomware on Energy Systems?

In October 2022, I had the opportunity to attend the DOE Federal Energy Management Program (FEMP) Energy Exchange conference. This event is designed for agencies to ensure their workforce understands leadership directions, priorities, goals, and strategies. It’s also a unique opportunity to fulfill training mandates in alignment with legislative and administration workforce development objectives.

The track I spoke on, "Protecting Against Ransomware Cyber Attacks," was designed to provide some baselines about ransomware, discuss how it affects energy systems, and provide some examples of how the government is providing resources to protect energy systems against ransomware. Recent warnings from Federal law enforcement have noted that ransomware attacks are becoming "professional". A commitment to cyber hygiene and best practices is critical to protecting facility networks. The session highlights how ransomware attacks can target industrial automation and control systems, known vulnerabilities, and what can be done to better protect facilities in the future.

So what is the real risk of ransomware to energy systems? Ransomware against energy organizations is on the rise, and it was the most common type of attack against these organizations in 2021. Last year, North America saw more attacks on energy organizations than any other region.

How does ransomware get on systems?

Like all forms of cyber attack, adversaries need an initial point of access before they can deliver the malware to the target systems and execute it. Most ransomware attackers are looking for the lowest-hanging fruit with the biggest payday. With these motives, they look for easy ways to gain access to many victims' systems. Phishing emails are a common technique for getting an initial foothold.

Does ransomware affect OT systems?

Ransomware can affect OT systems, but enterprise systems (more traditional IT systems) are the more common targets. There are several reasons for this. Ransomware attackers are looking for quick and easy paydays, and the extra effort of pivoting into an OT network often does not produce a large enough increase in the ransom amount. Ransomware is usually written for traditional enterprise systems, so it may not run on the operating systems used by many OT machines, or the effort required to adapt it to those systems is not worth the potential payout.

In the notable Colonial Pipeline ransomware event, headlines captured the impact of halting oil and gas deliveries up and down the east coast, creating hours-long lines at gas stations and even closing some airports due to a lack of jet fuel. However, the ransomware did not actually affect the systems that controlled the flow of fuel. Instead, it hit key servers that helped track the flows. Without these servers, the organization couldn't track shipments or bill customers appropriately, so they shut the systems down out of an abundance of caution.

In similar events, wind companies in Europe were hit with ransomware in late 2021 and early 2022. Like Colonial Pipeline, these organizations made the decision to shut down parts of their OT systems, in this case, their remote access to wind turbines that they monitored or maintained.

Why are energy organizations a good target for ransomware organizations?

Last year, North America saw more attacks on energy organizations than any other region. Energy organizations are good targets for ransomware attackers because of their high availability requirements. Shutting down either enterprise or OT systems can have rapid and extreme effects on critical infrastructure and on human health and safety. The cascading impacts were evident in the Colonial Pipeline event, and we can imagine what would happen if power generators or transmission and distribution dispatch systems were crippled by a cyberattack. Many small municipal utilities and cooperatives (even city governments) have been hit by ransomware affecting their public-facing infrastructure, such as bill-paying sites. Automated systems could then shut off power for customers who are late on their bills through no fault of their own, and even if this is handled smoothly, it can still cause confusion and concern.

Given the high requirement for availability, energy organizations may be more likely to pay the ransom to regain control over their systems, rather than waste hours, days, or weeks trying to recover the systems on their own without paying the ransom.

Who is executing ransomware attacks?

Ransomware has obvious ties to financially motivated cyber criminals. There are known and tracked ransomware gangs that work together to develop ransomware, deploy it against targets, and collect the ransoms. They set up advanced systems to help victims pay, complete with help lines to call if you don't know how to transfer cryptocurrency. Some groups purchase the malware from its original developers, creating networks that threat analysts track to understand the relationships between these criminals. Nation-state actors typically do not favor ransomware, but some ransomware gangs may be state-sponsored, or at least state-enabled. There are some cases where nation states use ransomware not for financial motives, but to destroy data, either to harm the victim or to hide evidence of other activity they have conducted.

Is ransomware a real risk for energy systems? Short answer: yes. There is an interested threat actor with good reason to target energy organizations, exposure that continues to provide initial access into systems, and a decent payout potential. However, the consequences vary. Just because ransomware affects an energy organization doesn't mean it affects the OT energy system. It's important to consider the dependency of OT systems on IT systems when assessing the potential impact, even if the OT system is not directly infected with the malware.
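As an added illustration of that last point (example code, not from the original post or the conference session): a small dependency model that distinguishes OT assets directly infected by ransomware from OT assets that are only operationally impacted because an IT system they rely on was encrypted, as happened with the tracking servers in the Colonial Pipeline event. The asset inventory is constructed and hypothetical; it does not describe any real utility's network.

```python
"""Added example: propagate ransomware impact from encrypted IT assets to the
OT functions that depend on them. The inventory below is constructed for
illustration only."""
from collections import deque

# Constructed inventory: each asset lists the assets it needs in order to operate.
# "IT" assets are what ransomware typically encrypts; "OT" assets are the
# process side that may have to be halted for business reasons (tracking,
# billing, remote maintenance) even when nothing on the OT side is infected.
ASSETS = {
    "email_server":          {"tier": "IT", "depends_on": []},
    "billing_db":            {"tier": "IT", "depends_on": []},
    "shipment_tracking":     {"tier": "IT", "depends_on": ["billing_db"]},
    "jump_host":             {"tier": "IT", "depends_on": []},
    "turbine_remote_access": {"tier": "IT", "depends_on": ["jump_host"]},
    "pipeline_scada":        {"tier": "OT", "depends_on": []},
    "pipeline_operations":   {"tier": "OT", "depends_on": ["pipeline_scada", "shipment_tracking"]},
    "turbine_maintenance":   {"tier": "OT", "depends_on": ["turbine_remote_access"]},
}


def impacted_assets(assets, encrypted):
    """Return every asset that cannot operate because it, or something it
    depends on directly or transitively, is in the encrypted set (BFS over the
    reversed dependency graph)."""
    reverse = {name: [] for name in assets}
    for name, info in assets.items():
        for dep in info["depends_on"]:
            reverse[dep].append(name)
    impacted = set(encrypted)
    queue = deque(encrypted)
    while queue:
        for dependant in reverse[queue.popleft()]:
            if dependant not in impacted:
                impacted.add(dependant)
                queue.append(dependant)
    return impacted


def ot_impact_report(assets, encrypted):
    """Split OT impact into assets actually infected and assets impacted only
    through an IT dependency; the second group is what the post says is easy
    to overlook when the OT network itself was never touched."""
    impacted = impacted_assets(assets, encrypted)
    ot = {name for name in impacted if assets[name]["tier"] == "OT"}
    return {
        "ot_infected": sorted(ot & set(encrypted)),
        "ot_dependency_impacted": sorted(ot - set(encrypted)),
    }
```

Run with only "billing_db" encrypted to see pipeline operations impacted with no OT asset infected; add "pipeline_scada" to see both categories populated.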

I was joined on this panel by Colin Dunn, Tami Reynolds, and Christopher Bonebrake.
