By Brian Grimmett, KMUW, Kansas News Service
Hackers pose a growing threat to nearly any network, including the power grid that lets you reliably turn on the lights.
Experts say utilities offer an attractive target: operations with money to extort and that simply can’t afford a shutdown.
Yet the two largest utility companies in Kansas, Evergy and Kansas Gas Service, declined interviews on their cyber defenses. Instead, they issued statements that they take threats seriously. They say they work with experts and maintain ongoing conversations across their industry to ward off attacks.
Still, the danger remains that attacks that shut down the country’s largest fuel pipeline last month and the world’s largest meat processor — attacks overcome only after combined ransom payments topping $15 million — could hit electric companies.
“Any electronic device that is attached to the internet is at risk,” said Phil Kirk, regional director for the Cybersecurity and Infrastructure Security Agency.
Utility companies that provide a service that needs to operate uninterrupted are particularly interesting targets for cyber criminals looking to steal a company's information and extort them for a ransom.
In response to the latest high-profile attacks, Kansas utilities, large and small, say they’re doing what they can to keep themselves protected.
Ransomware hackers typically tap into a corporate or government system, seize control of its data or even its controls, and demand payment to back off. It’s not a new kind of attack, but has seen a considerable uptick in use in the past few years.
A report from the cybersecurity company Palo Alto Networks says that U.S. companies paid about $115,000 in ransomware attack payments in 2019. That increased to more than $310,000 in 2020. The 2020 number includes a $10 million dollar ransom payment from Kansas-based tracking and fitness company Garmin.
Recently, a ransomware attack in May forced Colonial Pipeline to shut down one of its major pipelines leading to gasoline shortages on the East Coast. A Russian-tied hacker group known as DarkSide is linked to the attack that targeted the company’s financial systems. Colonial paid a $4.4 million ransom to get its systems back online.
“It’s our belief that paying ransom only encourages more of that malicious activity,” Kirk said.
The FBI has been able to recover about half of the ransom Colonial paid.
How to stay protected
The two largest utility companies in Kansas, Evergy and Kansas Gas Service, said they’re continuing to train employees on basic cybersecurity defenses. That includes how to avoid clicking on phishing emails, where an attacker tries to get someone to click on a link in an email that actually installs malware on their computer.
“It’s not clear how effective or helpful that is, but we keep trying,” said Josephine Wolff, an assistant professor of cybersecurity policy at Tufts University.
She said keeping a company protected from attacks is difficult, but there are a few things that all of them should be doing.
Companies should be creating backups of all of their important data and information. And those backups should be on a separate system or network than the originals. They should also be updating their software as soon as any update becomes available.
She said another important component is being able to quickly detect any unusual activity on a system and having methods to be able to isolate and detach that computer from the broader network.
“We should never assume that anybody knows what they’re doing when it comes to cybersecurity,” Wolff said. “Look at the massive companies that have tremendous resources to invest in security that are being compromised this way in just the past few weeks.”
Some companies are turning to cyber insurance to mitigate the costs of a successful attack.
The Insurance Information Institute says the number of cyber insurance policies in the U.S. grew from 2.2 million to 3.6 million between 2016 and 2019. Those policies provide more than $3 billion in coverage.
“About five or six years ago, not many U.S. companies were buying cyber insurance,” Loretta Worters, vice president of communications for the Insurance Information Institute said. “They had a hard time quantifying how high of a risk they faced and whether or not there was a cost/benefit associated with transferring some of the exposure to insurers.”
The plans often include coverage to recover the costs of ransom payments. Cybersecurity expert Wolff said that’s a bad idea.
“That’s a really damaging trend,” she said. “Because it means that the victims themselves sort of feel like, ‘Oh, I’ve prepared for this. I’ve got insurance. I’ll just make this payment. I won’t even have to cover most of it.’ And that kind of routinizes the whole idea of paying the ransom as just a normal cost of doing business.”
Ultimately, protecting against cyber threats such as ransomware attacks is a game of cat and mouse. Attackers are searching for vulnerabilities as quickly as even the most careful companies can find them and fix them. And experts say if the attacks, especially against critical infrastructure, continue to remain a lucrative prospect, you’ll continue to see their popularity and impact grow.
“A vulnerability that does not exist today may be found and taken advantage of tomorrow,” said Kirk, the federal cyberdefense official. “It’s not a do it once and you’re done thing — it’s an ongoing continuous effort.”
Brian Grimmett reports on the environment, energy and natural resources for KMUW in Wichita and the Kansas News Service. follow him on Twitter @briangrimmett. The Kansas News Service is a collaboration of Kansas Public Radio, KMUW, KCUR and High Plains Public Radio - focused on health, the social determinants of health and their connection to public policy. Kansas News Service stories and photos may be republished by news media at no cost with proper attribution and a link to ksnewsservice.org.