Certrec’s Fas Mosleh presents some of the biggest cyber threats currently targeting utilities. This webinar includes examples of attacks on utilities that have happened in recent years and action steps to prevent future breaches. As cyber-attacks from nation-state and domestic threats increase, it is important that power plants meet these threats to avoid costly reputational and equipment damage. For more, visit: https://www.certrec.com/

1. Why are Plants so Vulnerable?
1
Fas Mosleh
Certrec Alliances, Strategic Marketing
- Software, cybersecurity, systems executive
- Helped develop HP’s Information security business
October 2022
Understanding Cybersecurity Threats within Utilities

2. Mission:
Helping utilities be more reliable and secure for a better, safer grid/BES
How:
SaaS apps and technology to reduce risk of non-compliance for utilities

3. 3
Key Electric Grid Components
Digitization
Compliance
Cybersec

4. Agenda
• The Security Landscape
• Why are Power Plants Vulnerable?
• Critical Infrastructure Attacks
• Examples of What Went Wrong
• Action Steps to Take
•Q&A

5. The
Security Landscape

6. 6
1
2
3

7. Security: Industry Importance
2021 State of the Electric Utility Survey of early 500 utility professionals
7
Utility Dive’s most recent State of the Electric Utility Survey named cyber and physical security the most pressing concerns for utilities, with
72% saying it is either “important” or “very important” today. Figure 2 shows the top five power sector issues.
Electric power generation, transmission and distribution are part of the utilities sector (NAICS 22). This sector includes
all electric generating facilities powered by fossil fuels, including coal, petroleum, or gas as the power source
#1
Concern

8. Security: Where We Are [IMMINENT THREAT]
“Clearly, the threat isn’t on the horizon. It’s
already on the doorstep.” Source: Siemens @ WEF
8
Cybersecurity attacks on the energy sector = risk for public
safety, economy, business operations and the environment
Source: West Monroe survey
67% of utility leaders cited cybersecurity as their top
concern of their converged IT and OT network.
1,726 electric utility professionals surveyed WW- gas, solar, wind
Source:
Siemens

9. Security: Where We’re Going [INCREASED OCCURRENCES]
9
X5
+70%
In 4 years
Source:
Cisco

10. 10
•Trend No. 1: Attack surface expansion
Remote work
Public cloud
More connected supply chains
•Trend No. 2: Identity system defense
Misuse of credentials is now a primary method
•Trend No. 3: Digital supply chain risk
Gartner:by 2025, 45% of organizations worldwide will have experienced
attacks on their software supply chains, X3 in 2021.
•Trend No. 4: Vendor consolidation
Security products converging. Vendors are consolidating security
complexity, cut costs and improve efficiency
•Trend No. 5: Cybersecurity mesh
Deploy and integrate security to assets, on premises, in data centers or in
the cloud.
•Trend No. 6: Distributed decisions
CISO and centralized role will set policy, with cybersecurity leaders placed
in different orgs to decentralize security decisions.
•Trend No. 7: Beyond awareness
Human error features in most data breaches,
Traditional approaches to security awareness training superceded by
holistic behavior and culture change programs
Security: Where We’re Going [TRENDS]

11. 11
Source PWC 2022
Global Digital Trust Insights Survey

12. Security Landscape: Who & Why [TOP THREAT ACTORS]
12
Who are They?
1) Nations
2) Cybercriminals
Why do They Do it?
• Creating Havoc
•Aggression
Threat-Attack-War
• Money
• Fame
• Fun

13. 13

14. Security Landscape: How They Do it [MALWARE]
14
Disguised as
legitimate code
or software.
• Trojan
Replicates and
spreads itself
• Worm
Needs a human
to deploy
• Virus
Uses your trust
as a weapon
• Phishing emails
[Smishing]
Malicious Software

15. 15
Using your trust as a weapon
Deeper Dive: Phishing
Cyber criminals use your trust to easily gain unauthorized
access to your assets

16. 16
Deeper Dive: Phishing Example

17. 17
Do the following to reduce the risk
• Do not click on ANY link
….until you review the email carefully, taking note of the sender,
and the sender’s domain
• Is it real?
Check the communication carefully and its source/domain
• Ask yourself, “how likely is it that xxxxxxx would have
asked me to do this?”
• Corroborate via non-email.
At the slightest suspicion, contact the sender via phone or text to
validate it. Do not reply to the email
• Ensure your virus/email scanning programs are up to date.
Deeper Dive: Phishing
Don’t get caught.

18. Why are
Power Plants Vulnerable?
Cybersecurity attacks on the energy sector = a way to attack
public safety, the economy, and the environment

19. 19
Merging OT and IT networks
Authentication weaknesses [Hackers, Devices]
Remote access on the increase
Slow installation of security updates
Why are Power Plants Vulnerable?: MARS
Source: Certrec Market Research

20. 20
MARS: Merging OT and IT Networks
IT systems
Data-centric computing;
OT systems
Monitor events, processes
and real world devices
Analog, isolated, discrete
Digital, connected, global
OT and IT – Closer than ever

21. 21
MARS: Authentication weaknesses
Network-accessible devices with weak or default
passwords serve as gateways to more critical systems

22. 22
MARS: Remote access on the increase
Entry points for hackers have grown due to IoT
devices, remote access via VPNs, and smart phones

23. 23
MARS: Slow installation of security updates
Reduced or non-dedicated IT means delayed software
security patches and update

24. 24
MARS: Threat Impacts

25. 25
Deeper Dive: Passwords
Weak passwords, password-sharing raises the risk of
security breaches and damages
• Passwords are not to be shared or displayed
publicly
• No default or weak passwords
• If the system has been compromised, change
passwords immediately
• Use a password policy enforcer

26. Good Passwords are Long, Complex, Hard to Guess
26
Deeper Dive: Passwords

27. Critical
Infrastructure Examples

28. 28
1. 18000
2. 100
3. 320,000
4. 499/F 500
•Russians compromised ~100 companies inc. Microsoft, Intel and Cisco;
• plus a dozen government agencies: US Treasury, Justice and Energy departments and the Pentagon.
•Hackers compromised SolarWinds' Orion software build via an already-compromised Microsoft
Office 365 account.
•Backdoors distributed into user networks once tainted Orion updates were installed.
Infrastructure Attacks: Solar Winds

29. 29
1. 5500
2. 5M
3. 100
Attackers got into the Colonial Pipeline network through an exposed
password for a VPN account, which used the same password for the VPN
in another location ( whose password was compromised in a prior breach.)
Infrastructure Attacks: Colonial Pipeline

30. 30
Infrastructure Attacks: Ukraine
On December 23, 2015, the power grid of Ukraine was
hacked, which resulted in power outages for roughly
230,000 consumers in Ukraine for 1-6 hours
During the outage, threat actors flooded customer
services phone lines with calls to prevent reporting
https://www.bbc.com/news/technology-61085480

31. 31
Sandworm hackers deployed Industroyer2 malware
against high-voltage electrical sub-stations in Ukraine
+ other destructive malware like CaddyWiper.
Which is being spread around Ukraine, deletes data
on infected computer systems.
Infrastructure Attacks: Ukraine

32. Examples:
What Went Wrong

33. 33
Stuxnet, is a worm that was designed to target the nuclear capabilities of Iran. It overcomes physical barriers
because it spreads by USBs, which creators know will get plugged into the power plant environment.
What Went Wrong?: Found USB

34. 34
What Went Wrong?: Found USB
[SOLUTIONS]
•Free – is probably not free
•Culture of always be suspicious because hackers
are always finding new ways to get inside
•Train employees to not bring in foreign items
•NO USB drives allowed – implement strong
rules/procedures

35. 35
Physical crash
What Went Wrong?: Car Crash

36. 36
What Went Wrong?: Car Crash
[SOLUTIONS]
•Surveillance cameras with AI
•Strengthen the perimeter
•Perimeter breach alert system
• Leverage Multi-Layer Security

37. 37
What Went Wrong?: Disgruntled Employee

38. 38
What Went Wrong?: Disgruntled Employee

39. 39
Improve access control and deploy integrated employee access controls with system authentication –
THEIR ACCESS is removed automatically and immediately on resignation/firing
Deploy surveillance with (AI) based image recognition warning system
Train the management team to recognize internal threats and speak up !
Cyberlock
What Went Wrong?: Disgruntled Employee
[SOLUTIONS]

40. Actions
Steps to Take

41. Actions: What did we learn?
41
Cyberattacks are on the rise
Nation threat actors are capable and motivated
Ransomware is data kidnapping
Basic cybersecurity practices like strong passwords and MFA
Training and awareness
Patch devices and sw constantly
Strengthening perimeters
Trends
Important
It’s not a matter of if but when
Culture and procedures

42. Actions: Learning and Take Aways
How to protect against attacks
42
• Strong passwords and policy enforcement
• Deploy Multi Factor Authentication
• Change employee behaviors
• Physical security and surveillance
• Enhance or augment IT
Stop the invaders
Address internal inhibitors

43. Actions: Learning and Takeaways
How to protect against attacks
43
• Strong passwords and policy enforcement
• Deploy Multi Factor Authentication
• Change employee behaviors
• Physical security and surveillance
• Enhance or augment IT
Stop the invaders
Address internal inhibitors
• Frequent and protected backups
• Access control integrated with authentication and authorization
• Operational Technology oversight OT/IT linkage points – identify SPOFs
• Encryption across networks, servers, clients
• Video surveillance with embedded IP video analytics, motion detection
• Penetration testing (physical and cyber across OT and IT)
Improve proactivity

44. 44
Password policy enforcement solution e.g. Netwrix PPE (Anixis)
MFA (e.g. Duo, Okta, Eset, MS, G)
SIEM (e.g. Tripwire )
SoC monitoring
Training the staff
Gap analysis for OT, IT, Physical = address those gaps
Actions: Solutions to Consider
Make cybersecurity awareness, prevention, and security best practices a part of your culture.
PHYSICAL
DATA
OT
Review the cybersecurity risk plan

45. 45
Actions: Solutions to Consider
Certrec CIP Healthcheck at https://www.certrec.com/cip-health-check/

46. Legit companies
– don’t request your sensitive information via email
– have links that match legitimate URLs (no hidden hyperlinks)
– don’t send unsolicited attachments
– don’t force you to their website
– know how to spell
– know grammar and punctuation
– have domain emails
46
Is the logo off?
Is the grammar or punctuation off?
Is the spelling poor?
Did they include a link or an attachment?
Did they ask for sensitive info?
Are the links genuine or come with hidden links
Are the emails using a company domain?
Anything else?
Actions: Phishing - Things to Communicate/ Check

47. 47
Actions: Resources
• Industrial Control Systems Cyber Emergency
Response Team (ICS-CERT)
Video: Why Big Tech Wants You To Ditch Your Password - https://youtu.be/faU_d7DqoiY
Why MFA? https://www.okta.com/resources/whitepaper-security-built-to-work-outside-the-perimeter-v2
How to address cybersecurity in the energy sector (McKinsey)
https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/the-energy-sector-threat-how-to-
address-cybersecurity-vulnerabilities
Cyber security for Utilities: https://www.certrec.com/resources/white-papers-presentations/cyber-security-
critical-infrastructure-threats-and-examples-white-paper-presentation/
NERC CIP: https://www.certrec.com/resources/white-papers-presentations/white-paper-the-importance-
of-critical-infrastructure-protection-in-the-energy-sector/

48. Conclusions
48
Cyber threats are on the rise
Be informed and implement simple measures
Expect the unexpected and plan aggressively
Prevent damage by reducing the chances of a breach
(to facility and BES)

49. Q & A

50. Thank you
Linkedin Certrec
@Certrec Twitter
Fas Mosleh MSEE BS Physics ARCS
Certrec Corporation
Office: 817-738-7661
www.RegSource.us
On-demand help at www.CertrecSaaS.com
Critical infrastructure checkup at NERC CIP Healthcheck
Marketing@Certrec.com to get a copy of the presentation