Delta-Montrose Electric Association (DMEA) suffered a malicious cyber attack that shut down 90% of its internal controls and wiped 25 years of historical data.
The energy company warned that customers would start receiving multiple energy bills close together, but promised not to disconnect services for non-payment or impose penalties until January 31, 2022.
DMEA says the cyber attack started on November 7 before spreading and affecting internal systems, support systems, payment processing tools, billing platforms, and other customer-facing tools.
Cyber attack on a Colorado energy company a suspected ransomware incident
The Colorado-based energy company said the cyber attack targeted specific parts of the corporate network, corrupting documents, spreadsheets, and forms, thus suggesting it was a ransomware attack.
The cyber attack also affected the phone and email systems but spared the power grid and fiber network.
“Everyone’s ears perk up when ‘cyber attack’ meets ‘electric utility,’ but thankfully, the grid was not affected in this case,” noted Bill Lawrence, CISO at SecurityGate. “By the way, a large percentage of the smaller, distribution-level electric cooperatives are immune from cyber-attack since they don’t use automation for their operational technology.”
Lawrence also pointed out that neither DMEA nor the public reporting described the incident as ransomware, despite the hallmarks. Ransomware attacks cause reputational damage to victims, and many are hesitant to admit to experiencing them.
“Still, this attack on their IT and billing networks stings, and while the term ‘ransomware’ is not in any of the reporting or DMEA’s explanation of events, they had a large portion of their data corrupted, and their internal phone system went down too. It will be interesting to learn the motive behind this attack if there are no ransom demands. Insider attacks motivated by revenge have had these hallmarks in the past.”
DMEA started an investigation to resume operations “as efficiently, economically, and safely as possible.” A month later, the energy company is still struggling to recover from the cyber attack.
In the meantime, it implemented temporary payment arrangements and began a phased restoration of internal network functions. Customers can pay by check, either delivered in person or sent through the mail. Those who fail to pay their bills on time will not face disconnections or penalties during the rebuilding period, which runs until the end of January 2022.
Saryu Nayyar, CEO at Gurucul, said it would take up to two weeks for customers to resume paying their bills online or by phone.
“Utilities tend to have complex networks that often commingle enterprise operations with mission control, but apparently, the grid wasn’t affected,” Nayyar noted. “It’s not enough for these organizations to try to keep attackers out of the network. They also need analytics to be able to determine if their network has been breached and how.”
DMEA CEO Alyssa Clemsen Roberts also confirmed that the cyber attack caused extensive damage to the energy company’s data.
She lamented the unfortunate timing of the incident with the approaching holiday and cold season. A local media outlet reported that she did not provide critical information about the incident citing an ongoing investigation.
“In the process, about 90% of our internal controls and systems were corrupted or broken or disabled,” she said. “And we lost the majority of our historical data for the last 20-25 years. Since then, we have been slowly rebuilding our network.”
DMEA cyber attack did not leak sensitive employee and customer data
DMEA claimed that although a good portion of its saved data such as forms, spreadsheets, and documents was corrupted during the cyber attack, employee and customers’ sensitive data was not leaked. Roberts reiterated that the grid and the fiber were still strong and providing power and internet to DMEA’s customers.
Lawrence said he hoped cybersecurity teams would be adequately resourced, equipped, and trained to prevent similar incidents, and that other energy entities should learn from the DMEA cyber attack. He also noted that the local community would bear most of the cost of the attack on the energy company.
“Co-ops are owned by their local communities, so the local folks will be dealing with increased costs due to response and recovery from the attack.”
DMEA promised to allocate more resources to improving its security posture following the investigation’s recommendations.