Executives from multiple U.S. electric utilities on Monday convened a phone call to discuss a critical vulnerability in software made by SolarWinds, the federal contractor at the heart of an apparent cyber-espionage operation.
The briefing, hosted by an industry-government group known as the Electricity Subsector Coordinating Council, is just one example of the wide ripple effects of the malicious tampering of SolarWinds’ software by suspected state-sponsored hackers.
The SolarWinds compromise has reportedly led to the breaches of multiple U.S. federal agencies, including the departments of Treasury and Homeland Security. The affected software is widely used in the electricity, oil and gas, and manufacturing sectors, and the process of assessing some organizations’ exposure to the bug has only just started.
“We have to make sure we’re breaking down some of these concepts so they understand the impact to them as critical infrastructure owners and operators,” said one U.S. official involved in SolarWinds briefings for the electricity industry, who spoke on the condition of anonymity.
Securing supply chains has long been a focus for many electric utilities and energy organizations. But the SolarWinds ordeal could be a learning experience for others in the sector, according to experts.
Robert M. Lee, CEO of industrial cybersecurity company Dragos, said many organizations that use industrial control systems — the computers that help control machinery — are waking up to the fact that SolarWinds software is integrated into these systems.
“This compromise means that there are numerous organizations with compromised versions of SolarWinds in their ICS networks,” Lee said. “Whether or not it’s accessible to the adversary depends on those companies’ architectures.” He said he was not aware of any case in which the attackers had access to ICS networks.
Some electric utilities use the SolarWinds software, known as Orion, within sensitive ICS networks that are subject to regulatory standards, according to Patrick C. Miller, a consultant at Archer Security Group with extensive electricity-sector experience.
Organizations that comply with North American grid regulations would likely detect attempts to infiltrate such control systems, he said. Nonetheless, organizations should take seriously the fact that the vulnerability appears to be in the hands of a highly skilled attacker.