In early March, an energy company that provides power to customers in California, Utah and Wyoming was hit with an extended cyberattack, according to a report filed with the Department of Energy. Although the attack — described as creating a “denial of service condition” at the utility — failed to cause service interruptions to customers, it did affect electrical system operations for more than 10 hours.
The event highlights the threat posed by denial-of-service events, including both distributed-denial-of-service (DDoS) and telephony-denial-of-service (TDoS) attacks. Although successful cyberattacks on energy companies are rare, they do happen, and they have the potential to create chaos. For example, Russian hackers were blamed for a power outage that left 250,000 Ukrainian residents without power for two days in 2015.
Because it operates a part of U.S. critical infrastructure, the energy sector represents a significant target for such attacks. Companies in this industry should take steps to protect themselves from DoS attacks, including basic cybersecurity hygiene and the deployment of advanced tools designed specifically for such threats.
What Kind of Threat Do DoS Attacks Pose?
Across industries, up to one-third of companies fall victim to DDoS attacks, which cost businesses around $40,000 per hour. The technology behind DDoS attacks is relatively inexpensive and easy to launch, and if just one cybercriminal, terrorist or adversarial nation-state actor is able to successfully disrupt utility service, the economic and other consequences can be serious.
A study of 100 utility executives from 20 different countries shows that, although successful cyberattacks are rare, they loom large in energy leaders’ psyches. Fifty-seven percent of utility executives are concerned that a cyberattack could interrupt the supply of electric power. Almost two-thirds (63 percent) say they think their country faces at least a moderate risk of having its electricity supply interrupted by a cyberattack at some point in the next five years. And only 39 percent say they “maintain resilience readiness” — meaning that well over half of utility leaders think their organizations may have difficulty rebounding from an event such as a DDoS attack, even as threats continue to grow and become more sophisticated.
How Are Attacks Carried Out?
DoS attacks overwhelm networks with bogus traffic, bogging down victim computers so they cannot operate normally. DDoS attacks present a more serious threat by using a botnet, a network of hacked computers under the attacker's control, to generate that traffic from many sources at once. A rarer variation, TDoS events, block incoming and outgoing calls. (This type of attack was used in the 2015 Ukraine outage.)
Hackers are finding new ways to use DoS attacks. Rather than merely attempting to overwhelm companies with avalanches of traffic, some attackers are launching smaller attacks that last only a few minutes — just enough time to knock security systems such as a firewall or intrusion prevention system offline so that hackers can engage in malicious activity. Because these DoS events are so small, they may go undetected by companies’ security teams, giving attackers an edge in their plans to launch more serious attacks.
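As an added example (not code from the article), here is a defender-side check for the short-lived bursts described above: it flags a few minutes of traffic far above a rolling baseline even when the hour's total volume stays under an ordinary threshold. The log format, sample values and function names are constructed for this demo.

```python
# Added example (not from the article): flag short, high-rate traffic bursts
# that a coarse per-hour volume threshold would miss. Log format is constructed:
# one line per minute, "ISO-timestamp,packets_in_that_minute".
from statistics import median

# Constructed sample: ~1,000 pkt/min baseline with a 3-minute burst at
# 09:10-09:12 that is ~50x the baseline, then back to normal for the hour.
SAMPLE_LOG = "\n".join(
    [f"2019-03-05T09:{m:02d}:00Z,{1000 + (m * 37) % 120}" for m in range(0, 10)]
    + [f"2019-03-05T09:{m:02d}:00Z,{52000 + m * 100}" for m in range(10, 13)]
    + [f"2019-03-05T09:{m:02d}:00Z,{1000 + (m * 37) % 120}" for m in range(13, 60)]
)

def parse_log(text):
    """Return [(timestamp, packets), ...] from the constructed log format."""
    return [(ts, int(pkts)) for ts, pkts in
            (line.strip().split(",") for line in text.splitlines() if line.strip())]

def detect_bursts(samples, baseline_window=10, factor=10, min_minutes=1, max_minutes=15):
    """Flag contiguous runs whose rate exceeds factor x the rolling median baseline.

    The baseline is the median of the preceding window, so a burst shorter than
    half the window cannot inflate its own baseline. Runs longer than max_minutes
    are a sustained flood, left to the ordinary volume rule and not reported here.
    """
    bursts, run_start, run_peak = [], None, 0

    def close_run(end_index):
        length = end_index - run_start
        if min_minutes <= length <= max_minutes:
            bursts.append({"start": samples[run_start][0], "minutes": length, "peak": run_peak})

    for i, (_, pkts) in enumerate(samples):
        history = [p for _, p in samples[max(0, i - baseline_window):i]]
        baseline = median(history) if history else pkts
        if pkts > factor * baseline:
            if run_start is None:
                run_start = i
            run_peak = max(run_peak, pkts)
        elif run_start is not None:
            close_run(i)
            run_start, run_peak = None, 0
    if run_start is not None:  # burst still in progress at the end of the log
        close_run(len(samples))
    return bursts

def hourly_total_exceeds(samples, threshold):
    """Coarse per-hour volume rule: the 3-minute burst above stays well under it."""
    return sum(p for _, p in samples) > threshold
```

Running `detect_bursts(parse_log(SAMPLE_LOG))` reports the single 3-minute burst starting at 09:10, while `hourly_total_exceeds` with a 1,000,000-packet threshold stays False for the same hour.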
How Can Energy Companies Defend Themselves?
The March event that affected the utility in the Western U.S. was caused by a known vulnerability and was mitigated by a previously published software update. This illustrates the vital importance of basic “blocking-and-tackling” security measures, such as patching, in preventing DoS attacks.
Also, many vendors have developed tools, such as Radware DefensePro and F5 DDoS Protection, built specifically to defend against DDoS attacks. These solutions provide functionality such as behavioral analysis of attacks and automatic routing to ensure the best course of mitigation. These tools are important because traditional security solutions such as firewalls typically aren’t sufficient to proactively protect against DoS attacks.
Finally, energy companies should diligently monitor security alerts, tune policies to prevent false positives and implement a security emergency response plan to map out how they’ll respond in the event of a DoS attack or other cybersecurity event — including areas where help is needed from a third party.