We’ve known since at least 2013 that American utility companies are under constant cyber attack, but at the time I wrote that blog four years ago, lawmakers and the industry believed that their security was sufficient to withstand the incursions. Welcome to 2018, where everything is getting hacked, including, yes, American power utilities. According to recent disclosures from the Department of Homeland Security and reported through the Wall Street Journal, highly organized hacker teams backed by Russia have compromised the security of “hundreds” of utility companies, to the point of being able to cause actual interruptions in power flow.
What this means for you
Far from the Hollywood vision of suave, athletic spies dangling from wires over laser grid alarms, the majority of the reported hacks were achieved through the most mundane of attack vectors: email phishing and watering-hole websites that trick users into typing in their credentials for what they believe are legitimate access requests. The hackers targeted smaller vendors and service companies attached to the larger utilities, taking advantage of their typically smaller cybersecurity budgets as well as their proximity to the actual target. Once they had compromised the security of the vendors that serviced the targeted utility, they were able to become a wolf in sheep’s clothing, and from there easily penetrate the relaxed perimeter.
While this is a gross simplification of a highly involved and concentrated effort that spanned years of work, it should again highlight the obvious weak point in cybersecurity: people. Unfortunately, increasing security precautions have acclimated everyone to entering passwords every time our devices pop up a dialog box asking for one. Even those of us with training are hard pressed to carefully assess every authentication request. Until technology provides us with a better way to authenticate, passwords will continue to be a glaring weakness in security. Every time your device asks for a password, take a few seconds to assess whether the password request is expected and, more importantly, properly formed. The latter does take some training, but as long as you are properly paranoid, that is a huge step in the right direction. The worst that could happen from canceling out of an unexpected password prompt is a few more minutes’ delay in getting to whatever information you were trying to access. Unless you are in a life-or-death situation, that delay could save you from a future blackout.
Yep, that’s how the Target breach occurred.