British power grid company Elexon has announced that it recently suffered a cyberattack targeting its internal IT systems that locked its employees out of internal email accounts and prevented them from using laptops remotely.
Elexon, which administers a crucial part of the power supply chain by managing money in electricity markets, notified energy companies on Thursday that its internal IT system suffered a cyber attack, rendering employees unable to send or receive any emails.
Elexon, owned by the National Grid’s Electricity System Operator (ESO), is responsible for keeping a balance between power supply and demand. The company takes 1.25 million meter readings every day and handles £1.5 billion of refunds each year by comparing how much electricity generators and suppliers say they will produce or consume with actual volumes.
"ELEXON has identified the areas that the cyber-attack has impacted and can confirm that all BSC Central Systems and EMR are unaffected and working as normal. However, at present we are unable to send or receive any emails," the company said in a statement posted on its website.
"Our internal emails have been affected and we have identified the root cause and are now resolving the issue. As we do not hold any customer-level data, there is no risk to the public. BSC Central Systems (and their data) and EMR remain unaffected and are continuing to work as normal,” it added.
The National Grid Electricity System Operator also said on Twitter that “we’re aware of a cyberattack on ELEXON’s internal IT systems. We’re investigating any potential impact on our own IT networks. Electricity supply is not affected. We have robust cybersecurity measures across our IT and operational infrastructure to protect against cyber threats.”
Hackers may have targeted an outdated VPN server used by Elexon
According to Joseph Carson, chief security scientist at Thycotic, Elexon had reportedly been running an outdated VPN server, an emerging threat for any company that has failed to patch and update known vulnerabilities, even in its security software. This, coupled with the mix of new and old technologies, leaves critical infrastructure that runs unpatched legacy hardware and software with poor security practices exposed to serious cyberattacks.
"In many incidents, cybersecurity best practices have been sacrificed; issues such as unpatched software, default credentials, poor privileged access security and no multifactor authentication leave the energy sector open to cyberattacks. Luckily for this particular incident, the attack only impacted the IT operations and not the critical services they provide," he added.
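The four control failures named above (unpatched software, default credentials, standing privileged access and missing MFA) are all things a defender can check against an asset inventory before an incident rather than after one. The script below is an added example, not code from the article or from Elexon or Thycotic; the product name "vpn-gw", its minimum patched version, the default account names and the two appliances in the inventory are all constructed for illustration and should be replaced with your own vendor advisory data and inventory export.

```python
"""Audit remote-access (VPN) appliances against four basic controls:
patch level, default accounts, standing privileged access and MFA.
All product names, versions and hosts below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical baseline: minimum patched firmware version per product family.
# Source this from the vendor's current advisories; these values are made up.
MIN_PATCHED: Dict[str, Tuple[int, ...]] = {
    "vpn-gw": (9, 1, 4),
}

# Constructed list of factory default account names that should never be enabled.
DEFAULT_ACCOUNTS = {"admin", "root", "vpnadmin"}


@dataclass
class Appliance:
    host: str
    product: str
    version: str
    mfa_enabled: bool
    enabled_accounts: List[str]
    # Privileged accounts with always-on access (not behind just-in-time approval).
    admins_with_standing_access: int


def parse_version(v: str) -> Tuple[int, ...]:
    """'9.1.2' -> (9, 1, 2); a non-numeric suffix such as '9.1.2-rc1' is ignored."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def findings(a: Appliance) -> List[str]:
    """Return a list of control failures for one appliance (empty list = clean)."""
    out: List[str] = []
    baseline = MIN_PATCHED.get(a.product)
    if baseline is None:
        # Unknown product: we cannot say it is patched, so flag it for review.
        out.append("unknown-product")
    elif parse_version(a.version) < baseline:
        out.append(f"unpatched:{a.version}<{'.'.join(map(str, baseline))}")
    if not a.mfa_enabled:
        out.append("no-mfa")
    defaults = sorted(set(a.enabled_accounts) & DEFAULT_ACCOUNTS)
    if defaults:
        out.append("default-accounts:" + ",".join(defaults))
    if a.admins_with_standing_access > 0:
        out.append(f"standing-privileged-access:{a.admins_with_standing_access}")
    return out


def audit(inventory: List[Appliance]) -> Dict[str, List[str]]:
    """Map each host to its findings so the result can be fed to a ticketing system."""
    return {a.host: findings(a) for a in inventory}


# Constructed sample inventory: one neglected edge device, one maintained one.
SAMPLE_INVENTORY = [
    Appliance("vpn-edge-01", "vpn-gw", "9.0.7", False, ["admin", "ops-alice"], 3),
    Appliance("vpn-edge-02", "vpn-gw", "9.1.4", True, ["ops-alice"], 0),
]

if __name__ == "__main__":
    for host, issues in audit(SAMPLE_INVENTORY).items():
        print(host, "OK" if not issues else "; ".join(issues))
```

The version comparison is deliberately tuple-based so that a longer version string (9.1.4.0) still sorts above the baseline (9.1.4), and an unknown product is reported rather than silently treated as compliant, since "not in the baseline table" is exactly how a forgotten legacy appliance stays unpatched.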
Commenting on the cyber attack on Elexon, Ian Heritage, Cloud Security Architect at Trend Micro told Teiss that “supply chain dependency means it is critical to protect both big and smaller players when delivering Critical National Infrastructure (CNI) – the supply chain is only as robust as its weakest link.
“The bad news is that many companies frequently are part of the supply chain that feeds resources to deliver CNI; thus, a cyberattack against one part of this chain can indirectly affect the supply of services. Ensuring suppliers have in place adequate security processes, including employee training and awareness programmes, data handling and more is a must,” he added.
This isn't the first time that an operator of critical infrastructure has been targeted by hackers. In 2017, researchers at ESET and Dragos Inc discovered a potent malware that led to the Ukrainian power crisis in December 2016 and warned that similar malware could be used to attack other critical infrastructure in Europe and the United States in the future.
Last year, the US Senate passed a law that allowed operators of critical infrastructure such as power grids to replace digital software systems and automated systems with low-tech manual procedures, to prevent cyber adversaries from mounting cyber attacks on such industries.
The idea behind the new legislation was to replace digital and automated systems at power grids to isolate the energy grid from cyber attacks. The aim is to use more analog devices and manual procedures to operate power grids as adversaries will then require physical access to internal systems to cause sabotage.
“In both 2015 and 2016 an unthinkable event happened twice, when determined hackers took down the power grid in part of Ukraine. This second compromise in Europe’s power industry in as many months demonstrates that IT systems continue to remain as susceptible as ever, and underscores the importance of protecting and monitoring the inner sanctum of industrial control systems that keep the lights on,” said Grant Geyer, chief product officer of Claroty.