The impact of a security breach can be severe for any company, but a breach at an electric utility can be catastrophic. This article by Vamsi Alla, CTO at Think Power Solutions, examines common methods to head off bad actors' phishing threats before they can wreak havoc.
In this world of increasing and evolving security threats, the security of any organization’s data is a high priority. This is especially true for electric utilities. Bad actors from all over the world are continuously looking for cyber vulnerabilities in the U.S. electrical grid. They range from nation-states to independent hackers, and they pose a real threat to the power grid. While the most common attack methods are known to many utilities that have taken action to strengthen their security posture, vulnerabilities are not static: bad actors are constantly on the move, and a utility’s cyber assets must be continuously observed and evaluated.
Phishing: The Greatest Security Risk to Electric Utilities
The impact of a security breach can be critical for utility companies, their vendors, and the public that they serve. Security compromise can happen via several different channels, but the most commonly used method is phishing. Today, over 70% of all security breaches are phishing attempts, most of them delivered via email, and they represent some of the greatest security risks to electric utilities.
Phishing is the use of social engineering to trick individuals into revealing personal information, like login credentials and other critical information, which can then be used to steal data or compromise systems. Some examples of social engineering include creating a sense of urgency (“your account has been hacked”) or offering the email recipient something (“you won a new car”). If an email is unexpected and offers something extraordinary, it is likely a phishing email.
Phishing often arrives as communication that appears to be legitimate and from someone the user knows. Phishing is usually carried out via email spoofing, instant messaging or text messaging. In the corporate world, email spoofing is most common: the email appears to come from a known source, but the sender identity has been hijacked for a phishing attempt. These attempts usually involve a URL/website or email that looks authentic but is generated by the hacker to lure users into revealing information that could compromise security.
Phishing Attempts and How To Identify Them in Electric Utilities
1. Contract workers and their vulnerabilities
Based on their security audits, electric utilities have found that contract workers account for nearly 70% of their information security failures.
That certainly identifies the problem. Ongoing security failures can ultimately impact the ability of a contractor to do business with utility clients. However, contractors are vital to the safe and informed operation of a utility. They bring necessary expertise that improves operational efficiency and optimizes the financial performance of utilities. What can be done to better educate contract workers on phishing attempts and how to avoid them?
2. Management and non-management employees
On analyzing the reports of total phishing attempts in a year, we found that about 50% of the attempts were made on management-level employees.
Non-management employees were targeted the rest of the time. It is possible that management credentials are more readily available publicly, and that they allow more access to systems where bad actors can cause the most damage.
3. Web spoofing, email spoofing, and logo imitation
Familiar tactics like web spoofing, email spoofing and logo imitation are increasing in number and sophistication. There are fewer typos or spelling and grammar mistakes, and logo accuracy is better than what we have previously seen. The targets are also specialized rather than generalized. For example, an IT employee receives a targeted phishing email that may talk about IT infrastructure, whereas a sales team would get an email spoofing a prospective client. And then there are the generic, bait-based phishing attempts that continue to happen.
4. Vishing and smishing
While traditional business email has been the most frequently used method, vishing (voice phishing) and smishing (SMS phishing) are also being used with more frequency. Current events are being brought into play as well. For instance, the use of COVID-19 and stimulus checks as hooks has been widespread in the last year. We anticipate that political and non-political current events will continue to be used as context in these attempts.
Anti-Phishing Strategies for Electric Utilities
Anti-phishing strategies are more important than ever. Malicious actors will do all they can to trick email recipients into clicking on links or taking other actions. Every email received should be scrutinized by the recipient, especially at an electric utility. Employees should ask themselves whether the email looks suspicious. Check the address from which the email came: does it differ from the company or person from which it was supposed to originate? Grammar mistakes and inaccurate logos are also tip-offs to an email phishing attempt.
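One way to automate the sender checks described above, as an added example that is not part of the original article: the script below parses the From and Reply-To headers and flags a look-alike domain, a display name that claims the organization while the address does not, or replies routed to a different domain. The organization domain, organization name and sample headers are constructed placeholders.

```python
from email.utils import parseaddr

# Assumed: the utility's own mail domain and name (placeholder values, not from the article).
ORG_DOMAIN = "example-utility.com"
ORG_NAME = "example utility"

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased; empty string if there is no '@'."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def spoof_indicators(from_header: str, reply_to_header: str = "") -> list[str]:
    """Return the reasons a message deserves extra scrutiny; an empty list means none found."""
    name, addr = parseaddr(from_header)
    dom = domain_of(addr)
    findings = []
    if dom != ORG_DOMAIN:
        # A one- or two-character misspelling of our own domain is a classic look-alike.
        if 0 < _edit_distance(dom, ORG_DOMAIN) <= 2:
            findings.append(f"look-alike domain: {dom}")
        # Display name claims to be us, but the address belongs to someone else.
        if ORG_NAME in name.lower():
            findings.append(f"display name '{name}' claims the organization but domain is {dom}")
    if reply_to_header:
        reply_dom = domain_of(parseaddr(reply_to_header)[1])
        # Replies silently routed to another domain are a common hijack sign.
        if reply_dom != dom:
            findings.append(f"Reply-To domain {reply_dom} differs from From domain {dom}")
    return findings

# Constructed sample headers (From, Reply-To) for demonstration.
SAMPLES = [
    ("Jane Smith <jane.smith@example-utility.com>", ""),
    ("Example Utility IT Support <support@examp1e-utility.com>", ""),
    ("Example Utility Billing <billing@mail-relay.example>", ""),
    ("Ops Desk <ops@example-utility.com>", "Ops Desk <ops@free-mail.example>"),
]

for frm, reply_to in SAMPLES:
    print(frm, "->", spoof_indicators(frm, reply_to) or "no indicators")
```

Such a check is a triage aid for mail-gateway rules or a help-desk tool, not a replacement for SPF/DKIM/DMARC or user training.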
Electric utilities can often test employees and contractors by sending fake emails similar to those used by cybercriminals to see which employees respond to the simulated attack.
That is helpful in identifying who needs education on how to approach emails, and it highlights that training in phishing awareness and digital data and asset protection should be given to all employees.
Key Takeaways To Thwart Incoming Cyber Threats
Email is vital to business communication and the most utilized tool for enterprise communication. Many utilities have taken the initiative to thwart incoming cyber threats through the development and implementation of a set of best practices.
Educating employees to simply pause, take a moment to scrutinize each email that they receive and think twice before clicking a link is a significant step toward reducing the damage phishing does to electric utilities.
Mandatory training should be a requirement for all employees on at least an annual basis to emphasize the importance and necessity of protecting client data. Training, combined with state-of-the-art technical solutions like filtering for phishing mail, can help shut down bad actors’ phishing attempts before they penetrate critical infrastructure systems such as electric utilities.