ENTSO-E, the European Network of Transmission System Operators, has announced that it found evidence of a successful cyber intrusion in its office network. 

ENTSO-E represents 43 electricity transmission system operators from 36 countries across Europe, thus extending beyond EU borders. According to the organization, a risk assessment has been performed and contingency plans are now in place to reduce the risk and impact of any further attacks. "It is important to note that the ENTSO-E office network is not connected to any operational TSO system. Our TSO members have been informed and we continue to monitor and assess the situation," says a press release.

According to security firm Dragos, electric energy-associated organizations are at great risk of cyber intrusions and recently, these organizations have been experiencing more attacks. For example, in January 2020, the New Mexico Public Regulation Commission (NMPRC) experienced an alleged cyberattack, publicly reported to be ransomware, that compromised its web servers. Limited information exists at this time regarding the strain of ransomware or the full scope of the attack.

The commission, says Dragos, notes that the malware attack caused the website and electronic filing system to go offline, but no sensitive or confidential data was compromised. However, it's important to note that the commission keeps records of technical information on power plants and operations networks of the utilities and other entities it regulates - and if attackers were able to obtain such information, it could be used to facilitate operations against the utilities directly, claims Dragos. 

Security Magazine spoke to Steve Durbin, managing director of the Information Security Forum, about the implications of this breach. Durbin notes that, "As our dependence on technology and our use of technology increases, so too does the need for sound risk management, assessment and mitigation increase in line with complexity. The dangers to an organization from cyber threats have increased in frequency and severity; more organizations are understanding that cyber is entirely embedded across the business and so a cyber threat is actually a threat to business as opposed to something that can be managed from an IT department. 

This, Durbin notes, is particularly the case with critical infrastructure. "And cybercriminals know this. In the future, organizations of all sizes will need to make sure they are fully prepared to deal with attacks on their valuable data and reputations. The faster you can respond to these problems, the better your outcomes will be.

"Some key questions to ask are:

  • Can your core business survive a prolonged degradation or total loss of service? Have you identified single points of failure, decoupled core functions, rehearsed the doomsday scenario?
  • How would you restart your business? Have you created a reboot plan, rediscovered manual operations, documented your business processes and backed up your critical data?
  • How is your backup and recovery plan? Have you recently tested your plans, and do they reflect the actual environment you are operating in today?
  • How well designed are your systems for resilience (as opposed to security)? What are your black swans? What are your supply chain dependencies and do you have workarounds?
  • Finally, people. Your people will be key to the survival and recovery of your systems and business – how resilient are they? Have you tested their response under pressure?

"The time for running cyber incident response exercises based on breach and ransomware scenarios has never been more important," Durbin adds. "Coupling these with business continuity planning and rehearsal for the current Covid-19 outbreak will only result in a more crisis-ready organization, able to respond to attacks."

Joseph Carson, chief security scientist and Advisory CISO at Thycotic, also told Security Magazine that, "It appears to have been fortunate that the attackers were detected early within the office network and it is very likely that this was at an early stage of the security incident, typically part of the reconnaissance. The attackers were most likely probing for ways to hack and laterally move into the operational network. That could have a serious impact on critical infrastructure, such as ransomware attacks or turning off the power to several countries at once."

"The risks from attackers gaining access to critical infrastructure can have devastating effects," Carson warns. He says that if successful, this could result in power outages. "In this particular situation," Carson says, "it could have the potential of turning off the power to a number of European countries. Power is crucial. If disrupted, it can result in life threatening situations resulting from cyberattacks."

Carson adds that it is critical that "a risk assessment is performed to determine any further risks from attackers gaining access. Also, organizations must put best practices in place. This includes strong privileged access security, multi-factor authentication (MFA) and network segmentation to ensure attackers are unable to gain access to critical systems."