SolarWinds and Utilities

Reuters Events – Energy Transition North America 2022 – #ETNA2022 – Register Now – Houston, Texas; November 9–10

We’ve all heard about the cybersecurity hack that came through SolarWinds software. The hack, it was widely reported, introduced risks into many government and private-sector systems.

But I wanted to know whether and how utility systems were affected. So I went to a leading expert.  

Here’s what Ben Miller has to say, specifically on the hack by the malicious program SUNBURST on utilities’ installation of SolarWinds Orion. Ben’s the VP for professional services and R&D at Dragos. Before that he was associate director at the Electricity Information Sharing and Analysis Center, the Electricity ISAC for short.

Ben starts out this way: “With an estimated impact on 18,000 customers, it is probable that some of the nearly 2,000 NERC CIP regulated power utilities in North America have been impacted — if not directly, then indirectly via their supply chain…”

Reuters Events – Energy Transition North America 2022 – #ETNA2022 – Register Now – Houston, Texas; November 9–10

There sure are a lot of acronyms in the cybersecurity world. Most of you know NERC is the North American Electric Reliability Corporation. But a number of you all might not know that NERC created Critical Infrastructure Protection standards in 2008, hence also creating the acronym CIP. Which, importantly, is pronounced like how you drink through a straw.

Ben continued: “A prudent first step in managing the ‘blast radius’ of SUNBURST would involve each utility asking their vendors if they utilize SolarWinds Orion, especially if the vendor has access to Bulk Electric System Cyber Systems or Bulk Electric System Cyber System Information. For the vendors that do, each utility should coordinate a response to limit or remove access, where reliable operations would not be impacted, and voluntarily perform a threat hunt where access cannot be revoked for reliability reasons.”

Seems like Ben is saying, in my own simplistic words, if you have SolarWinds Orion connected to something important, get it out of there, if you can. If you cannot, thoroughly search for risky vulnerabilities.

If you want to see more of what Ben advises, and you’re able to wade through the technical terms better than me, check out his blog post, “Responding to the SolarWinds Software Compromise in Industrial Environments," at the website.