Dive Brief:
- About 25% of power utilities were exposed to the SolarWinds hack, officials at the North American Electric Reliability Corp. (NERC) said on Tuesday, though no subsequent activity from hackers was detected beyond the initial breach.
- A much smaller number of utilities revealed that the vulnerability reached into operational technology (OT) and industrial control systems, but NERC said overall there were few operational impacts from the attack. Security experts warn it may be too soon to tell, however, if all of the SolarWinds impacts and vulnerabilities have been found or addressed.
- The White House is rushing to develop a plan to protect the United States' grid, including from supply chain vulnerabilities like the SolarWinds compromise. Bloomberg reported on a draft of the plan, which includes an examination of vulnerabilities in grid components, incentives for security upgrades and an audit of high-impact points in utility systems.
Dive Insight:
The power sector avoided the worst of the SolarWinds attack, said NERC SVP and Electricity Information Sharing and Analysis Center CEO Manny Cancel, at a briefing with the media on Tuesday.
The "overwhelming majority" of utilities "did not experience any of the indicators of compromise, meaning the command-and-control activity," Cancel told reporters. "From that respect, we did not see what some of the other sectors were seeing with the compromise."
Security experts caution against too much optimism, however.
"I don't think we can confidently conclude that there hasn't been follow-on activity yet," David Doggett, senior strategist at Red Balloon Security, said in an email. "We are possibly overlooking the likelihood of a more disturbing outcome — not just spying, but persistent access in order to disrupt networks, devices and industrial control systems."
The SolarWinds attack, uncovered last year, hit hundreds of organizations, including multiple U.S. government agencies. It is believed to be the work of Russian hackers associated with that nation's intelligence service. The compromised software was downloaded 18,000 times, across many industries.
Doggett said utilities will need to continue looking for "things left behind" in embedded devices, including network equipment and embedded control devices.
"These packages could be backdoors left behind that could be used to steal or modify data, shut down networks or provide future access to systems," Doggett said. "Overall, I think we're still in early innings with SolarWinds but more so with these types of attacks and how they can reach deep into our critical systems."
Because of the sophistication of the SolarWinds attack, "utilities should assume compromise at all times," said Brian Coulson, principal threat engineer at LogRhythm.
"When a nation state embeds itself in a network, it's unlikely they will be fully uncovered," Coulson said.
Observers say the White House's cybersecurity plan could be introduced as soon as this week.
"The initial details of the plan actually look constructive for the industry," Gary Kinghorn, marketing director at Tempered Networks, said in an email.
"Not many details have been made available and it's clear many of them still have to be worked out. But, as opposed to mandates to manufacturers, as we have seen with [Internet of things] device manufacturers, offering incentives to critical infrastructure providers is likely to help shore up security issues," Kinghorn said.
Utilities were lucky they avoided follow-on attacks, said Nick Cappi, VP of product management at PAS Global.
"Especially after the event became public and the 'bad guys' knew the gig was up," Cappi said in an email. "If you couple that with the longer than necessary time to identify and triage impacted assets, you have a large window of time for counter moves from the bad guys."
It's possible there could be follow-on actions utilities have not recognized, said Cappi, or that there could be more coming. But the "bigger concern is what other technology is sitting in our OT space compromised by this group or others that we just don't know about yet."