About a quarter of roughly 1,500 electric utilities sharing data with the North American power grid regulator said they installed the malicious SolarWinds software used by suspected Russian hackers, the regulator said on Tuesday.
The electric utilities did not report any significant follow-on activity from the hackers, but the broad exposure of the sector points to the challenges of protecting utilities from supply-chain breaches.
A minority of the electric-sector organizations that downloaded the malicious code used the affected SolarWinds software in their “operational technology” networks, a broad term for more sensitive software and hardware used to manage industrial operations, according to the North American Electric Reliability Corp. NERC is a not-for-profit regulatory authority backed by the U.S. and Canadian governments.
But Manny Cancel, a senior vice president at NERC, said clear communication on the espionage campaign from the U.S. government helped the sector to reduce its exposure to any hacking.
“The overwhelming majority [of electric organizations] did not experience any of the indicators of compromise, meaning the command-and-control activity,” Cancel said at a media briefing Tuesday. “From that respect, we did not see what some of the other sectors were seeing with the compromise.”
NERC had asked its members in December to report back on how exposed they were to the tampered software made by Texas-based SolarWinds. Though the alleged Russian spying operation seemed to focus on U.S. government agencies rather the electric sector, NERC didn’t want to take any chances, given the history of Moscow-link hacking groups targeting U.S. critical infrastructure.
Roughly 18,000 of SolarWinds’ clients across numerous sectors downloaded the tampered SolarWinds network monitoring software. Given the product’s popularity in the electric sector, the issue posed “a potential threat” to parts of the power sector, NERC said in December.
“It should come as no surprise that this high percentage of companies report having downloaded the malicious binary when you look at the scope and scale of the Sunburst campaign,” said Nick Andersen, who was a senior Department of Energy cybersecurity official until January. Sunburst refers to the tampered SolarWinds software.
“We have publicly stated since the publication of the 2019 Worldwide Threat Assessment that both China and Russia possess the ability to disrupt energy infrastructure in the United States,” Andersen added.
Cancel, who also heads the Electricity Information Sharing and Analysis Center (E-ISAC), said that the introduction of remote work during the coronavirus pandemic “created a broader opportunity” for various hackers to target the electric sector.
“We saw adversaries targeting and trying to take advantage of this across our industry,” he said. Membership at the E-ISAC grew by 25% last year, Cancel added.