5 Ways To Protect Against Ransomware

For Cybersecurity Awareness Month, NRECA’s Along The Lines podcast examined the topic of ransomware attacks and their threat to electric utilities in a 25-minute podcast. Host Scot Hoffman was joined by Ryan Newlon, NRECA’s principal for cybersecurity solutions, and Dave Eisenreich, a special agent with the FBI’s Cyber Division and that group’s liaison to the energy sector.

While we recommend listening to the podcast, we know it’s the type of thing that folks often say they’ll get to later…and then never do. So we put together a post with key takeaways in case you don’t get around to listening.

Why Ransomware?

Ransomware became a household term in 2021 when the Colonial Pipeline was shut down for several days after hackers attacked the company’s billing system. This type of intrusion is on the rise in the U.S. and around the world, with utilities serving as prime targets. 

As Dave, the FBI special agent, puts it:

“Our data showed a 200% increase in attacks. And that’s just the tip of the iceberg. Attackers know utilities can’t afford to be down for long. That makes them an attractive target for ransomware. Adversaries think they’re likely to pay up.”

Utility leaders across functions need to be aware of the potential for ransomware attacks and strategies for protection. That’s where Scot focused the conversation.

What is Ransomware?

Ransomware is defined as digital malware that encrypts a victim’s system. The malware often comes through a link in a business email and then encrypts critical system data and holds that data for ransom. Victims know their data is being held for ransom, because something pops up on the screen and says "If you want access to your data, pay us $X." If the victim doesn’t pay, they may permanently lose access to the critical data and end up paying more in recovery costs than the ransom.

The term ransomware isn’t particularly creative, and it’s a reasonably straightforward concept to understand. But preventing ransomware attacks is a more complicated effort.

There are several reasons why prevention is difficult:

• Ransomware is profitable. Because of its profitability, ransomware will continue to increase in frequency and become more sophisticated. Attribution (tracking, identifying and laying blame) is already challenging, and Artificial Intelligence (AI) will make malicious links look more real and intrusions harder to avoid.
• Pivots are common. When a hacker gains access to one person’s email, they often send an email from that person’s account to someone with higher-level access rights. That person clicks on the link (as it’s from a trusted source) and is compromised. “I get something from Dave — it doesn’t seem like ransomware.” Over time the attacker can gain access to system-wide credentials through one-to-one emails and malicious links. These are pivots, and they happen often.
• Hackers are creative. In a recent attack, a hacker changed the Microsoft Word icon on a user’s desktop, so that when the user launched Word, they embedded the malware, giving persistent access. The user noticed nothing.

So what can be done to prevent or mitigate ransomware attacks?

Prevention Efforts: What Most Utilities Do Already (And You Should Too)

Nearly every utility has some protection against ransomware in place. After all, ransomware is quite similar to other types of cyberattacks that have been around for decades. The most common protections include:

• Multi-factor Authentication: where users are required to provide two or more verification factors to gain access to sensitive data (such as a password and access to a known smartphone or computer)
• Network Baselines: where typical network behavior is tracked in order to more easily identify anomalous behavior
• Credential Management: where former employees have their access removed upon departure and contractors have limited access to critical data

But both Ryan and Dave stressed that while these are helpful foundations, they are not sufficient to prevent ransomware attacks. Together, the experts detailed five actions that utilities can take to improve their protections.

5 Ways to Protect Against Ransomware

1. Establish a relationship with the nearest FBI field office before an attack occurs.

They are the first people you’ll want to call when attacked, and it’s their job to help you prevent and mitigate cyber attacks. Opening a dialogue is as quick and easy as a phone call, but it’s worth knowing who you’re going to call if a crisis strikes.

2. Ask your lawyers for a checklist to use during a ransomware attack.

If they don’t have one, the FBI can provide a checklist that your lawyers can review. Legal counsel is always your second call. Being prepped ahead of time can make it easier to make fast, informed decisions.

3. Audit which devices are attached to both the office network (IT) and the control systems (OT).

The easiest way into critical systems is via a poorly connected device (like a printer) attached to both IT and OT systems. Often utilities won’t even think about which devices are connected to both and whether they need to be. Protections can be as easy as buying a second printer to eliminate that IT-OT bridge.

4. Ask for best practices from similar organizations and trade associations.

People don’t want to publicly share that they’ve been hacked, but it happens often. There are ways to anonymize what happened while sharing lessons learned with others. Organizations like NRECA or IC3 have teams that do this – connecting with them can help you proactively identify threats and lower risks. Often it’s as easy as joining an email listserv.

5. Assemble a task force and make sure the decision-maker has the data they need.

Most utilities have a crisis response team. Ensure that yours has a plan in place for cyberattacks and that everyone at your organization knows who to contact. Identify ahead of time who is going to make the decision for whether or not to pay a ransom. Give them estimates of the business value of different data sets. Ultimately paying the ransom is a business decision – one you’ll be forced to make quickly and under pressure, so gather estimates ahead of time to make a well-informed decision.

Protecting against ransomware requires vigilance. There are no investments that can fully protect an organization. But each of these steps can help lower your risk profile and improve your ability to manage ransomware attacks.

Stay Tuned for More Cybersecurity Resources

We’re grateful to NRECA and Scot, Ryan, and Dave for sharing their perspective. We’ll keep our eyes (and ears) open for more great cybersecurity resources and share them on our blog. Subscribe now to receive the latest updates straight to your inbox.