- Colorado cooperative Delta-Montrose Electric Association (DMEA) was hit by a "malicious" cyberattack on Nov. 7, and since then has been without payment processing, billing and other internal systems. The utility also said it suffered a significant data loss, but there was "no breach of sensitive data within our network environment" and that its distribution grid was not impacted.
- Though DMEA has not used the term ransomware, experts say it appears the utility is the victim of a ransomware attack and the month-long recovery time points to the need for good system and data backups.
- The National Rural Electric Cooperative Association (NRECA), of which DMEA is a member, said it is working with the federal government and electric cooperatives to "provide cybersecurity training, help co-ops modernize their systems and use technology to stay ahead of the curve."
DMEA is a small power utility, serving about 35,000 meters. But the size of a utility has little to do with its vulnerability, according to security experts, as hackers grow more sophisticated.
"Given that Colonial Pipeline had a similar attack, it demonstrates all size utilities are vulnerable to phishing and/or password re-use mishaps," Lila Kee, GM for GlobalSign's North and South American operations, said in an email. GlobalSign is an identity services company offering cloud-based solutions.
While DMEA has not published details of the attack, Kee said those are the likely attack vectors. "The difference between smaller utilities and larger ones is more post-attack, and their ability to respond and contain," she said.
Colonial, the largest refined products pipeline in the United States, was back online less than a week after a May ransomware attack forced it to shut down. The company paid a roughly $4.4 million bitcoin ransom to speed the recovery.
Security experts say the prevalence of ransomware attacks means no utility is safe — and data backups are an essential part of response planning.
"Any company, at any size, is a target," Mark Carrigan, SVP of process safety and OT cybersecurity at Hexagon PPM, said in an email. "In-depth defense strategies need to be implemented regardless of size. But having a thorough back-up/restore strategy as part of the business continuity plan is possibly most important.
"Multiple redundancy of stored proprietary information is critical to ensure you meet or beat your recovery time objective," he added. DMEA's month-long recovery time "is evidence that a gap exists with current backup systems and processes."
DMEA, in a Nov. 29 update to its customers, said that as a result of the attack the utility "lost 90% of internal network functions, and a good portion of our data, such as saved documents, spreadsheets, and forms, was corrupted. It also impacted our phones and emails."
DMEA also said that this week "we tentatively estimate we will be able to begin accepting member payments via SmartHub and our payment kiosks ... we also tentatively estimate we will be able to resume member billing."
The resumption of those bills "will result in members receiving multiple energy bills close together," DMEA warned. But despite the disruption, the utility's power grid and fiber network "remain unaffected by the incident."
That means DMEA "followed a cardinal principle for critical infrastructure: Complete separation of the IT and OT networks, so there is no direct logical path by which an infected IT system might infect the OT network," security consultant Tom Alrich said in an email.
Security experts say they expect more information on the attack will come out, helping to protect critical infrastructure and in particular smaller providers.
"The electric sector has a track record of mutual assistance and sharing lessons learned and I’d expect to hear more in the coming weeks on overall impact from what seemingly sounds like a ransomware attack," Dragos Vice President of Professional Services and Research and Development Ben Miller said in an email.
"This is especially important for fellow co-ops who work with very constrained budgets and resources," Miller said.
NRECA has two programs in place to help member utilities remain secure: the Rural Cooperative Cybersecurity Capabilities program provides educational cybersecurity tools and resources to cooperatives, and the anomaly-detection platform Essence can warn of possible network breaches in real time.
"Our work to maintain and strengthen the cybersecurity of the grid is reflected in both of the above programs, and in our ongoing partnership with the Biden administration as part of their 100 day [industrial control system] initiative," Stephen Bell, NRECA senior director of media and public relations, said in a statement.