Hackers Target European Power Association
'Cyber Intrusion' Should Serve As a Wake-Up Call, Experts Say
The European Network of Transmission System Operators, which represents over 40 electricity transmission operators throughout the continent, revealed this week that hackers penetrated its IT network, but it provided few details. Security experts say this incident is another wake-up call for the industry.
On its website, ENTSO-E notes that the organization is continuing to monitor the situation, but it says it does not appear that any of its member organizations were affected by what it calls a "cyber intrusion."
"A risk assessment has been performed, and contingency plans are now in place to reduce the risk and impact of any further attacks," ENTSO-E says in its statement. "It is important to note that the ENTSO-E office network is not connected to any operational [transmission system operators] system. Our TSO members have been informed and we continue to monitor and assess the situation."
Headquartered in Brussels, ENTSO-E represents more than 40 electricity transmission system operators across 35 countries in Europe. And while the organization is an EU entity, it also works with utilities based in non-member countries to ensure the steady flow of electricity.
Warning of Things to Come?
While ENTSO-E does not share any industrial control system or operation technologies with the electrical utilities that make up its membership, security experts warn that this incident, as well as others, should serve as a wake-up call to the industry, both in Europe and the United States.
"If an adversary successfully infiltrated one of the organizations, it could potentially leverage that access to, for instance, send phishing emails to additional targets," Selena Larson, security researcher at security firm Dragos tells Information Security Media Group.
In January, Dragos issued a research report that found attackers are increasingly probing North American electric sector's computer infrastructure for weaknesses, although the study also noted that the industry is getting better at detecting and mitigating this type of hacking (see: Hackers Increasingly Probe North American Power Grid).
And while the utility industry is getting better at stopping direct attacks, this could also be one reason why hackers might attempt to infiltrate electrical and power utility firms through third-party affiliates, Larson says.
A Dragos blog published this week points out that the New Mexico Public Regulation Commission, the state regulatory body that oversees the state's power plants and utilities, sustained a ransomware attack in January. The attackers were able to shut down the agency's website, according to an Albuquerque Journal report.
While the attack vectors in the New Mexico Public Regulation Commission and the ENTSO-E incidents are not yet known, Larson notes the hackers in both incidents seemed to want to target a third-party affiliate, which potentially could lead to a much larger network intrusion against a power or electrical utility.
"Both of these entities would be interesting targets for an attacker who wants to leverage trusted partnerships between the target entities and utilities or other organizations they work with to facilitate further attacks," Larson says.
In a few cases, attackers have actually targeted the utilities themselves. A September 2019 report by the North American Electric Reliability Corp. revealed that intruders had probed weaknesses in the network firewalls of an unidentified U.S. power utility to attempt a distributed denial-of-service attack. The attack took place in March 2019, causing a brief communication disruption between remote sites and the utility's main control center (see: Hackers Attempted DDoS Attack Against Utility: Report).
Utility companies, which rely on industrial control systems to help run facilities, can take steps to limit their exposure when a third-party affiliate is hacked or attacked, Larson says.
For instance, the owners and operators of utilities can limit access to their industrial control systems by using network segmentation to isolate their internal systems from outside firms and third parties, Larson says.
"Access controls should be implemented to ensure only required individuals can access these systems," Larson says. "Companies should also be in regular communication with vendors and contractors to identify maintenance, business and related operations to determine schedules and identify baseline legitimate activity."
Managing Editor Scott Ferguson contributed to this report.