Fighting the Enemy in Plain Sight


It read like a psychological thriller. In the early morning hours of May 7, hackers dropped a ransom note onto a computer in the control room of the Colonial Pipeline. The security system for the line responsible for bringing fuel to almost half of the East Coast had been breached.

In the note, the hackers claimed to have “exfiltrated” data from the company’s shared drive. They wanted a big payday in exchange for the return of the files. In an effort to contain the attack, Colonial voluntarily shut down the entire 5,500 miles of pipeline. And then they paid the ransom—$4.4 million in the form of bitcoin.

It’s the latest attack in the growing trend of cybercrime targeting the energy industry. Last year, the industry had the third-highest number of cyberattacks, behind only finance and manufacturing, and up from ninth highest in 2019, according to IBM Security X-Force.

“It is a business requirement for all utilities to continually defend against new types of cybersecurity threats,” Tim Anderson, manager of IT security at Dairyland Power Cooperative, told Wisconsin Energy Cooperative News. “Dairyland has a cybersecurity program in place to do this and reduce risks across all areas of its business. Many attackers are hunting for an easy opportunity, which means if we make it difficult, they will move on to an easier target. Against more sophisticated threats, we partner with our government and industry peers.”

Just days after the Colonial Pipeline incident—which shut the line down for six days, leading to fuel shortages in North and South Carolina, Georgia, and Virginia—President Joe Biden signed an executive order calling for federal agencies to work more closely with the private sector to share information, strengthen cybersecurity practices, and deploy technologies that increase resilience against cyberattacks. This builds on his previously announced plans to ramp up cybersecurity in the utility sector.

“It begins with a 100-day sprint to improve cybersecurity in the electric sector, and we’ll follow that with similar initiatives for natural gas pipelines and water facilities,” Biden said.

“This latest cybersecurity directive from the White House has no immediate impact on electric cooperatives, but its requirements could benefit co-op and private-sector cyber defenses in the long run,” said Bridgette Bourge, National Rural Electric Cooperative Association (NRECA) legislative director on cybersecurity issues.

NRECA has been working with the U.S. Department of Energy (DOE) to improve cybersecurity with a program dedicated to information sharing. With grants totaling almost $10 million, NRECA is working to expand the “Essence” program, a sophisticated anomaly-detection tool that can identify and warn of possible network breaches in real time. It will be the first system to connect to the federal government’s Cybersecurity Risk Information Sharing Program (CRISP), which uses DOE resources to assess and distribute actionable threat information to the energy sector.

“Partnerships like this are vital as we work to keep the electric grid secure and reliable,” Jim Matheson, NRECA CEO, said when the grant was announced in May. “As threats and threat actors evolve, electric cooperatives consistently work to improve their defense capabilities. Collaboration and cooperation are two strengths that co-ops draw on as they work together to implement cybersecurity solutions.”

Immediate alerts to a potential breach are critical because, according to cyber-crime experts, hackers are increasingly organized and able to infiltrate a company’s internal system to gain access to a wealth of information. Theresa Payton, CEO of Fortalice Solutions, says hackers have three common “tricks” to gain access to systems. They hack into remote platforms, use email phishing schemes, and use ploys to compromise employee credentials.

Nate Melby, Dairyland’s chief information officer, says that along with NRECA’s groundbreaking program, the energy industry and the cooperative world are building a force of their own against criminals working to threaten our power supply.

“The good news is that cybersecurity as a discipline has matured, allowing us to share intelligence and information across multiple organizations, constantly monitoring and updating our protocols,” Melby said. “As a critical service provider, we are continually updating practices and searching for vulnerabilities that could become an opening for criminals. Our comprehensive cybersecurity program includes continual security testing and vulnerability assessments. We are focused on testing our technologies, educating employees on cyber safety, and strengthening the processes we all use every day.”

The Federal Bureau of Investigation was able to identify a group known as “DarkSide,” and, with a warrant, seized much of the bitcoin back. Due to fluctuations in the value of the currency, they recouped $2.3 million, money that will not fund the operations that seek to hold hostage the companies we depend on the most.

This means, in this real-life psychological thriller, the good guys won in the end. But you can bet there will almost certainly be a sequel. —Julie Lund