Attack Wipes 25 Years' Worth of Data From Local Electric Co.
Colorado-Based Electric Cooperative Says Cyberattack Disabled Internal Systems
Delta-Montrose Electric Association, a local electric cooperative serving western Colorado's Montrose and Delta counties, says a cyberattack first detected Nov. 7 has disabled billing systems and wiped out 20 to 25 years' worth of historic data, leaving the utility operating under limited functionality, according to a local ABC affiliate.
On its website, DMEA says the malicious attack - which has not expressly been categorized as ransomware - left its systems "not fully functional," particularly its support services, including payment processing, billing, and account changes. Its power grid and fiber network were not affected by the incident, the company said.
DMEA, which called the disruption "significant," said it "tentatively estimates" that it will be able to restore its payment system by Friday.
"[We] lost 90% of internal network functions, and a good portion of our data, such as saved documents, spreadsheets, and forms, was corrupted. It also impacted our phones and emails," the electric cooperative stated.
"[The days after the incident were] a confusing and frustrating time, especially for those of you who needed to do business with us. This isn't how we hoped to close out the year," DMEA CEO Alyssa Clemsen Roberts said in a statement. "And on behalf of all of us at DMEA, I am grateful for your patience, support, and understanding as we navigate this incident."
A spokesperson for DMEA did not immediately respond to Information Security Media Group's separate request for comment.
"Please be assured, we take the protection of your information very seriously, and we are sparing no effort to prevent future incidents," Clemsen Roberts said in her statement.
Because co-ops are owned by their local communities, this attack likely means residents will bear the increased costs stemming from response and recovery, according to Bill Lawrence, a former cybersecurity instructor at the U.S. Naval Academy.
Investigation and Aftermath
In the wake of the attack, DMEA says it began working with a team of forensic and cybersecurity experts to investigate its scope and impact on members. The forensic team, DMEA says, confirmed that there was no breach of sensitive data within the network. The alert on DMEA's website nevertheless urges members "to follow best practices for password security, including using two-factor authentication whenever possible."
The investigation is ongoing, but DMEA says it remains "focused on … restoring services as efficiently, economically, and safely as possible."
The electric utility says that it is prepared to work with members to ensure a "return to normal" does not "cause undue hardship."
"With colder weather approaching and the holiday season already here, we recognize this incident has come at an unfortunate time," DMEA officials say in the alert.
Meanwhile, DMEA says in an FAQ section of its alert that it has also taken "significant measures to fortify our network and will continue to make improvements."
Clemsen Roberts says: "Moving forward, we are committed to investing in any security improvement recommendations that result from our investigation."
DMEA has suspended penalty fees and nonpayment disconnections through the end of January 2022.
'Destroy and Degrade'
Some security experts say this attack has the characteristics of a ransomware hit, but regardless of the method used, the result has been lengthy disruption.
"Whether or not this attack bears the badge of 'ransomware,' it certainly appears to fall into the broader category of impact attacks designed to destroy and degrade capabilities within an enterprise," says Tim Wade, a former network and security technical manager with the U.S. Air Force. "Critical infrastructure operators need to understand that they're a target and that if they've been building capabilities based on peer comparisons, those capabilities don't seem to be passing muster."
Wade, who is currently technical director at the firm Vectra AI, says, "Unfortunately, legacy IT is often plagued with a set-and-forget mindset, with security built as an afterthought. Organizations need to modernize towards resilience, giving them not just an opportunity to identify these attacks before material damage is done, but bring the recovery time down from months and weeks to days and hours."
And Lawrence, who is currently the CISO of the firm SecurityGate, says, "Hopefully, the future cybersecurity team [here] will be resourced, trained, and equipped to prevent this from happening again."
Critical Infrastructure Concerns
Securing critical infrastructure - including the electric grid - has been a top concern among experts and lawmakers in the wake of the Colonial Pipeline Co. ransomware attack in May - which led to a temporary shutdown and spurred fuel panic buying among consumers.
In the recently passed bipartisan infrastructure bill, some $1 billion has been earmarked for securing the systems of state, local and tribal governments. And a new Cyber Response and Recovery Fund has been awarded $100 million to support federal and nonfederal entities that have been affected by hacking incidents (see: Infrastructure Bill Features $1.9 Billion in Cyber Funding).
According to the White House, the package contains $50 billion directed to securing infrastructure from climate change, including droughts, heat and floods, as well as cyberattacks. More than $20 million was also directed to the Chris Inglis-led Office of the National Cyber Director, which is charged with unifying the cybersecurity strategy among sector risk management agencies - many of which have been focused on critical infrastructure.
Additional measures under active consideration include mandatory incident reporting for critical infrastructure. A recent amendment to the must-pass defense spending bill from Sen. Rick Scott, R-Fla., would require federal contractors and infrastructure owners/operators to report cyber incidents to the Cybersecurity and Infrastructure Security Agency within 72 hours; the same parties would be required to report ransom payments within 24 hours (see: Senate Considering Several Cyber Measures in Annual NDAA).
Senate Majority Leader Chuck Schumer, D-N.Y., said in a letter to the Democratic Caucus on Monday that he expects to have a final conference agreement for the National Defense Authorization Act this week, with voting potentially occurring into the weekend - following negotiation setbacks over amendments that would receive a floor vote.