Could ransomware at a power company cause a blackout?
- April 23, 2020
- Posted by: Kerry Tomlinson, Archer News
- Category: Archer News, Cyber Crime, Cyberattack, Industrial Control System Security, Power Grid, Ransomware
An international energy company — serving power to millions of people — was hit by a cyberattack.
The attackers claim to have taken over computer files and demanded more than $10 million in ransom, according to news reports.
Could that mean lights out for customers?
We checked with industrial cybersecurity experts to find out.
Power Company Attack
Power and natural gas for more than ten million customers.
That’s the reach for EDP, or Energias de Portugal, based in Lisbon but serving the U.S., Latin America, Europe and Africa.
What if you take this company’s computers and encrypt or scramble all the files?
Attackers claim they have done so with the Ragnar Locker ransomware, according to the publication Bleeping Computer, and they’re also asking for more than $10 million in ransom.
EDP says they’ve been working to fix their computer systems since the attack on April 13. The good news?
“The power supply service and critical infrastructure, however, have never been compromised and we continue to ensure this operation as normal,” the company’s statement said.
No power out for EDP customers.
But ransomware attacks can cause problems for industrial systems.
Cyber criminals launched ransomware at a natural gas company in the U.S. last year, hitting not only business computers but also some computers that help run the industrial side.
Some devices that provided visibility into operations went blind.
The company decided to shut down the pipeline for 30 hours until they could make repairs.
Could Ransomware Lead to a Blackout?
The computers that run your office and run the industrial side of a power plant are different.
Ransomware attackers usually gun for the office computers so they can shut down the business and demand a big payout.
But the industrial side — known as industrial control systems or ICS — uses some office-style computers for visibility and support.
In the gas pipeline attack, the ransomware jumped from the office side to the industrial side and took over those office-style computers.
That made it difficult for pipeline operators to see what was happening and control the flow of gas.
What About a Power Plant?
Experts say power plants can continue to operate without that visibility, at least for a while.
“My simple answer to most of this is that we have a culture of engineers who work in very dangerous conditions. Interruptions to production are planned for and practiced,” said Dave Foose, security solutions program manager at Emerson Automation Systems.
“Loss of view or loss of control would be dealt with in as quick and safe of a manner as possible,” he added in an interview with Archer News.
How long could power plants continue without visibility? That depends on the organization.
But power plants train on how to run “manually,” or without computers, and may be able to go for weeks that way if necessary.
With ransomware at your power plant, you might not even notice a flicker at your home.
Attacks on computers at a power plant have much less impact than attacks on physical equipment, experts say.
“The bulk electric system can handle disruption,” said Bryan Owen, cybersecurity manager at OSIsoft. “Destruction is a different matter.”
“The real threat is destructive attacks, not computers, but actual damage to substations, generators, transmission lines etc.,” he said.
Losing Power in Johannesburg
A ransomware attack that does not directly cause a power outage can still lead to power troubles.
Cyber crooks infected a power company with ransomware in Johannesburg, South Africa, in the summer of 2019.
People reported sitting in their homes in the dark, but not because the malware infected industrial controls.
That power company uses a system where customers pre-pay for electricity.
The ransomware stopped the office systems that allow people to pre-pay.
No payment, no electricity.
Not a direct attack on industrial control systems, but an impact on delivering power.
“What many of the ransomware incidents have highlighted is the importance of supporting systems to deliver the product or service the ICS is generating,” said Dale Peterson, founder and CEO of Digital Bond.
“Even if the ransomware does not get to the ICS, it may cause an ICS shutdown if supporting systems, such as ordering, scheduling and shipping, are unavailable,” he added.
Power Plants as Targets
Are ransomware attackers trying to turn off the power?
Not likely, according to Travis Smith, engineering manager for security and compliance solutions at Tripwire.
“I don’t see the energy sector as being a prime target for ransomware authors,” he said. “Many of these utilities are not multibillion-dollar organizations who can afford to pay up a seven- or eight-figure ransom.”
Ransomware creators program their code to look for certain types of files, he said.
Creating code to shut down power would probably not earn them much money, according to Smith.
Demand ransom before you shut off the power, and you give utilities time to get rid of the malware.
Demand ransom after you shut off the power, and utilities will go into manual operations and restart the system.
“The return on investment for a cybercriminal to create a complex piece of malware designed to shut off power for any amount of time just isn’t there,” he explained.
That kind of attack “would most likely serve the interest of other nations,” not your typical ransomware criminals, he said, like the Ukraine power attacks of 2015 and 2016.
Keeping Ransomware Out of Your Power
It’s not hard for attackers to get into the office computer side of a company, power or otherwise.
Send a phishing email and an employee may click, letting ransomware in.
But companies are supposed to separate the office network from the industrial network, so attackers can’t jump over and mess with industrial systems.
Many power plants are required to do this by law.
Other industrial systems are not.
The natural gas company hit by ransomware did not separate networks well and did not plan adequately for cyberattacks, according to the Department of Homeland Security.
DHS advises companies to follow cybersecurity guidelines and prepare.
“Our grid in North America may be fairly resilient to loss of generation due to any circumstance,” said Foose. “Regulation over the last few decades has drilled participants to the bulk electric system to have disaster protection plans at the ready.”
Did EDP pay the $10 million-plus ransom?
A company spokesperson told Archer News that EDP never received a ransom note and has only seen the ransom information through news reports.
Teams are working to restore the “normal functioning of the systems as soon as possible,” according to the company’s statement.
“EDP is working with the authorities, that were immediately notified of the attack, in order to identify the origin and anatomy of the attack,” the statement said.
Main image: Woman with candle in dark living room. Image: Alpgiray Kelem/iStock