Cyber Attacks: Protecting Your Utility During the COVID-19 Crisis
Mark McKinney, Doug Westlund
AESI-US, Inc.
May 19, 2020


ENGINEERING AND MANAGEMENT CONSULTANTS

Discussion Topics

• Introductions / Objectives of the Webinar
• The Cyber Threat Landscape During the COVID-19 Crisis
• Hacking Details Associated With the New Threat Landscape
• How to Protect Your Utility
• Q & A

AESI Webinar - Cyber Attacks During the COVID-19 Crisis - May 19, 2020 2


About AESI


Industry’s Trusted Advisor. Proven. Credible. Reputable.

Established in 1984, AESI is an engineering and management consulting firm providing pragmatic and sustainable engineering, technical and management solutions.

• Assisted over 500 utilities, government agencies, commercial, industrial and institutions across North America and internationally.
• Substantiated and proven long-term public municipal utility experience and with co-op G&Ts and EMCs.
• Selected by Hometown Connections for cyber security, IT/OT and regulatory services for public / municipal power.

ENERGY SOLUTIONS

OPERATIONAL TECHNOLOGY

CYBER SECURITY

REGULATORY COMPLIANCE


About the Presenters


Doug Westlund, P.Eng., MBA

• SCADA Engineer by training
• ~ last 20 years assisting utilities with their cyber security challenges
• Contracted by the APPA and the NRECA for cyber training for their members
• Additional areas of focus: operational risk assessments, cyber governance, development of cyber programs
• Board Director

Mark McKinney, MSIM, CISSP, CISA, CFE, CCFE

• Enterprise Architect, Solutions Architect
• CISO: Municipal Utility (E/W), Regional Healthcare System, Ambulatory Care & Fire Services Company
• DHS PCII (Protected Critical Infrastructure Information) Assessor
• Force Protection Officer, U.S. Army (Ret.)
• Auditor: CIP (NERC, SERC), PCI, HITECH, FISMA, FFIEC
• Consulting Member of the U.S. Department of Homeland Security National Protection and Programs Directorate


Objectives for the Webinar

Present the realities of the threat landscape for utilities that has developed during the COVID-19 crisis, and provide pragmatic recommendations on what you can do to protect your utility immediately.


The Current Cyber Threat Landscape


The Modern Hacker


Prime adversaries to Utilities:

• State Sponsored Actors
• Organized Crime – growing segment!
• Hacktivists

• Team based, well funded
• Strategic, persistent & patient
• Highly skilled technically and well trained

They are motivated by:

• Money
• Influence…

But increasingly it’s really all about the money


Leveraging on the COVID-19 Emergency

“Cyber criminals are trying to leverage the emergency by sending out “phishing” attacks that lure internet users to click on malicious links or files. This can allow the hackers to steal sensitive data or even take control of a user’s device and use it to direct further attacks.

Hackers have started to capitalize on this situation by sending out emails that purport to offer health advice from reputable organizations such as governments and the WHO but that are really phishing attacks.”


https://thenextweb.com/syndication/2020/04/05/coronavirus-pandemic-has-unleashed-a-wave-of-cyber-attacks-heres-how-to-protect-yourself/


COVID-19 Phishing Examples


“New COVID-19 prevention and treatment information! Attachment contains instructions from the U.S. Department of Health on how to get the vaccine for FREE”

“URGENT: COVID-19 ventilators and patient test delivery blocked. Please accept order here to continue with shipment.”

Too good to be true!

Urgent request

Disguised link. Should be https:

https://www.eff.org/deeplinks/2020/03/phishing-time-covid-19-how-recognize-malicious-coronavirus-phishing-scams
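
The three callouts on this slide (too-good-to-be-true offer, urgent request, disguised link that is not https) can be checked mechanically on inbound mail. The Python below is an added example, not part of the AESI presentation; the keyword lists, the `phishing_indicators` function and the sample message on reserved `example.*` hosts are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keyword lists for the "urgent request" and "too good to be true" callouts.
URGENCY = re.compile(r"\b(urgent|immediately|blocked|act now|final notice)\b", re.I)
LURE = re.compile(r"\b(free|refund|stimulus|prize)\b", re.I)

# Constructed sample: subject taken from the slide, body and hosts invented (reserved domains).
SAMPLE_SUBJECT = "URGENT: COVID-19 ventilators and patient test delivery blocked"
SAMPLE_BODY = ('<p>Please accept order <a href="http://carrier-orders.example.net/accept">'
               "https://carrier.example.org/orders</a> to continue with shipment.</p>")

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    """Lower-cased hostname of a URL, tolerating a missing scheme (www.example.org/x)."""
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

def phishing_indicators(subject, html_body):
    """Return the sorted names of the slide's callouts that this message trips."""
    parser = LinkCollector()
    parser.feed(html_body)
    text = subject + " " + re.sub(r"<[^>]+>", " ", html_body)
    hits = set()
    if URGENCY.search(text):
        hits.add("urgent-request")
    if LURE.search(text):
        hits.add("too-good-to-be-true")
    for href, shown in parser.links:
        if urlparse(href).scheme.lower() == "http":
            hits.add("not-https")
        # Link text that looks like a URL but names a different host than the real target.
        if re.match(r"(https?://|www\.)\S+$", shown, re.I) and host(shown) != host(href):
            hits.add("disguised-link")
    return sorted(hits)
```

A message that trips any of these is a candidate for quarantine or a warning banner; the keyword lists need tuning against the utility's own mail flow before use.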


The Threat Landscape - Teleworking

“In typical fashion, attackers are gearing up to take advantage of the surge in teleworking prompted by the pandemic.

The speed at which organizations are being forced to respond to the unfolding COVID-19 health crisis could be leaving many of them vulnerable to attack by threat actors rushing to exploit the situation.

Over the past few weeks security vendors and researchers have reported an increasing number of malicious activities tied to COVID-19 that they say are elevating risks for organizations across sectors.”


https://www.darkreading.com/vulnerabilities---threats/attack-surface-vulnerabilities-increase-as-orgs-respond-to-covid-19-crisis/d/d-id/1337369


Work At Home – Expanding the Utility Attack Surface


[Diagram: the utility attack surface. Elements: Corporate Applications and Technology (IT); Operational Applications and Technology (OT); Utility Customers (Residential, Commercial, Industrial); Distributed Energy Resources - MicroGrids; Bulk Electric System; ICCP Connection; TS Connection; Third Party Vendors; Work at Home. Risk labels: External Risk, System Risk, Communications Risk, Unpatched Risk, Privacy Risk, Insider Risk, Legacy Risk. Work at Home risks: Unsecure Wi-Fi, Connections & Apps; Unprotected confidential info; Eavesdropping on Video Calls.]


Polling Question #1

Approximately what % of your utility staff are currently working from home?

• Less than 25%
• 25% - 50%
• 50% - 75%
• Greater than 75%


The Threat Landscape for Utilities

March 10, 2020: “The North American Electric Reliability Corp. called for power providers to update business continuity plans in case of a pandemic outbreak …

NERC also recommended utilities be on the lookout for cyberattacks taking advantage of the panic and using "coronavirus-themed opportunistic social engineering attacks" to hack into power companies' networks. Social engineering attacks are when hackers use social interactions to manipulate targets into giving up sensitive information.”


https://www.eenews.net/stories/1062570713


The Threat Landscape for Utilities


Attempts to compromise critical infrastructure systems and services are up nearly 400% since the beginning of 2020, according to cyber security officials at the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a division within Homeland Security that tracks and investigates attacks against ICS and corporate networks.

Actors are using the distractions of migrating to modified operations to maintain business continuity and confusion associated with remote workforces to carry out wide-ranging cyber assaults on utilities and their suppliers.


Hacking Trends Associated With The New Threat Landscape


Hacking Details

Phishing and vishing attacks related to COVID scams have increased dramatically.

Phishing in the forms of:

• U.S. Center for Disease Control impersonations and misinformation
• Stimulus relief
• Fake refunds
• Unusual account activity
• Counterfeit testing kits and personal protective equipment


Hacking Details

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are up sharply and continue to rise as more people turn to virtual options for conducting business, shopping, education and accessing news related to the pandemic.

Denial of Service Attacks in the forms of:

• Department of Health and Human Services
• Healthcare organizations
• State and local health departments
• Overwhelm legitimate websites causing slow or no response
• DNS intercepts and routing users to counterfeit sites (MITM, waterholing)

Palo Alto’s Unit 42 threat intelligence team reports more than 100,000 COVID-related domains have been registered


Hacking Details

Electronic public information services and public safety systems have been compromised to spread misinformation and cause confusion.

• Infiltration of cellular text messaging systems to send disinformation about shutdown of healthcare and government services (D.C., Boston, Kansas, West)
• Utility OMS compromised
  • False outage information released
• 911 systems compromised
  • Fraudulent dispatch information sent to first responders
  • Fake active shooter incident reported


Hacking Details

Business and healthcare services are being disrupted to further cause confusion and insecurity.

• Compromised conferencing solutions such as Zoom
  • Business meetings and education delivery have been “Zoombombed”
• Improperly configured VPN and remote access services
• Reported attempts to compromise healthcare IoT devices, which are often not well-maintained and kept up to date
• Attempts to compromise technology-driven manufacturing production
  • Slow production and delivery of medical devices and supplies such as masks
• Attempts to steal biometric identity information to create fake identifications
  • Facial-recognition patterns and fingerprints
• Compromised endpoint protection solutions (A/V, A/malware) signature updates being disabled


Polling Question #2

Have you noticed an increase in unusual activity, such as:

• Higher than normal call volumes into customer service
• Increase in suspicious emails
  • Unusual account activity detected – click here to change your password
• Increased traffic to your public websites
• Other unusual activity
• None of the above


How to Protect Your Utility


1) Ensure that your endpoint protections (anti-virus, anti-malware, etc.) are up to date and that your home networks are properly secured

2) If using online conferencing and collaboration tools like Zoom, enable additional controls to better secure your online workspace

3) Tighten electronic security around your SCADA and control environments

4) Subscribe to Threat Advisory Services: MS-ISAC, E-ISAC

5) Be vigilant for suspicious emails and telephone calls – provide training for your staff

6) Monitor physical security around your facilities that are unattended - request additional patrols from local law enforcement when available

7) Patch, patch, patch


Q & A


Thank You


Doug Westlund

Senior VP

AESI

[email protected]

416.997.8833

Mark McKinney

Director Cyber Services

AESI

[email protected]

407.259.5271


CMUA Contact

Christine Chapman, CMP
Event and Membership Manager
California Municipal Utilities Association
(916) 326-5800 (main line) | [email protected]
(916) 326-5804 (direct) | (916) 827-7126 (cell)
915 L Street Suite 1210 Sacramento, CA 95814


This presentation and others like it are archived and viewable at www.cmua.org/OnDemand