North American Electric Reliability Corp. (NERC), a non-profit regulatory authority that oversees utilities in the United States and Canada, revealed this week that about 25% of the electric utilities on the North American power grid downloaded the SolarWinds backdoor.
This does not necessarily mean that the electric utilities (roughly 375 in total) were all compromised; most of them reported no follow-on activity from hackers and did not allow the malicious code to come into contact with sensitive industrial operations. But the swift proliferation of the SolarWinds backdoor through so many of the utilities demonstrates a worrying level of vulnerability to supply chain attacks that is likely to prompt immediate attention from federal agencies and lawmakers.
1/4 of North American electric utilities breached in espionage campaign
The SolarWinds backdoor is believed to have been part of a coordinated attack on US federal agencies by Cozy Bear, the Russian state-backed hacking group accused of penetrating the Pentagon’s email system in 2015 and meddling in the 2016 election. The group used a vendor compromise attack that gave them access not just to a variety of federal departments, but also to a number of major businesses (including Fortune 500 companies) and hundreds of schools and colleges.
The vendor in question was SolarWinds, which produces a widely used monitoring platform called Orion. The hackers were able to sneak malware into Orion’s updates from March to June of 2020, effectively giving them access to all of the customers using it. However, the nature of the attack was such that the hackers had to commit to a substantial amount of follow-up to actually penetrate systems, so most of those that downloaded the malicious updates are believed to have never actually had any data exfiltrated or tampered with. The hackers preferred to keep a low profile, going after only the juiciest targets so as not to tip security professionals off to the existence of the vulnerability. In this case, that meant federal agencies such as the Department of Defense and the Department of State.
The electric utilities that were breached are thus far not reporting any follow-on activity from the hackers, so they appear to have been one of those lower-priority targets that the hackers never got back to before the SolarWinds backdoor was patched out (in spite of Russian hackers showing prior interest in the American electric grid). Additionally, NERC observes that only a small number of the electric utilities that downloaded the malicious updates report connecting the SolarWinds software to the operational technology networks that are used to manage industrial facilities and control equipment.
SolarWinds backdoor exposes many, but few organizations actually exploited
The SolarWinds backdoor is estimated to have been established in about 18,000 of the company’s client networks, but thus far only a relative handful of government agencies appear to have been compromised.
Though the electric utilities do not appear to be among the institutions that were actively breached via the SolarWinds backdoors, the incident has caused renewed concern about the safety of the nation’s power grid. Bloomberg is reporting that the Biden administration has drafted a 100-day national security plan meant to shore up major vulnerabilities in the nation’s power system, with follow-on work that could persist for years. The draft will reportedly incentivize the electric utilities to make necessary security upgrades (such as monitoring equipment) and to share this information more freely with the government. The first stages of the plan will target the most critical sites that would have the biggest impact on the grid if compromised. However, there are some concerns from security professionals over the apparent assignment of the plan to the Energy Department rather than the Cybersecurity and Infrastructure Security Agency (CISA). The White House responded to the report by saying that CISA and the Department of Energy will be active partners along with other federal agencies.
Though foreign nations have not taken any aggressive action against the electric utilities or the power grid, federal government officials assert that Russian-backed groups have been actively exploring the possibility for years; the SolarWinds backdoors are only the latest in a long string of incidents. The Triton Group, which has passed malware to industrial systems in other countries, has reportedly been probing US electric utilities since 2017. The Texas power outage of early 2021, which left over four million without power for an extended period during an unusual series of winter storms, may have also played into this renewed focus on utility security as a demonstration of how fragile the system can be. It is estimated that at least 57 people died due to the prolonged loss of heat (and in some cases water as pipes that could not be warmed burst in the freezing weather).
In addition to the ongoing threat of Russian hackers demonstrated by the SolarWinds backdoors, there have also been flare-ups of incidents involving domestic threat actors and critical infrastructure. A former employee of a Kansas water plant was recently charged for an attempted attack in March 2019, and there was an incident in Oldsmar, FL in which an unknown party attempted to poison the water supply by increasing the levels of cleaning agent in it. Both attacks involved remote access to systems that were not entirely up to date.