Business Email Compromise Awareness in the Power Industry
Apr 29, 2020 4:19 pm GMT / Apr 28, 2020 3:43 pm GMT
This item is part of the Cybersecurity Special Issue, 04/2020.
Business Email Compromise, or BEC, is the fastest-growing segment of cybercriminal activity. While the attack vector is new, COVID-19 has brought about an increase of over 350%. Attackers try to take over email accounts and use the information in them to trick people into installing viruses that let a cybercriminal take over a computer. The power industry is as vulnerable as any other, but the stakes are higher because of the SCADA environments that these computers control. It is up to you to keep abreast of these threats so that your infrastructure stays under your control.
1) Emails and SCADA systems don’t mix.
If you have a computer that has access to your SCADA environment, that computer should NEVER be used to read or write email or to surf the web. Systems that control power equipment must not be attached to the Internet; the exposure is too dangerous.
2) Segment your computer network.
To go one step further, I strongly recommend that all SCADA computers be put onto a dedicated network segment (a VLAN). This VLAN should be set up so that Internet and email access is not allowed. I recommend that three (and only three) holes exist between your SCADA network and the rest of your internal network: one to allow operating system and application patches to be pushed to SCADA computers, one for antivirus updates to be applied, and one for offline backups of your SCADA applications and configurations to take place. Again, no Internet access should be allowed.
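As an added illustration (not part of the article), the following Python model states the "three holes" policy as an explicit allowlist, checks whether a given flow between the SCADA VLAN and the corporate side is permitted, and renders the equivalent nftables forward chain with a default drop for the firewall that sits between the two segments. The address plan, the server roles and the ports (WSUS-style patching on 8530, antivirus updates on 443, backup over SSH on 22) are constructed assumptions, not values from the article.

```python
"""Model of a three-hole SCADA segmentation policy (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: the SCADA VLAN and three management hosts on the corporate side.
SCADA_VLAN = ip_network("10.50.0.0/24")


@dataclass(frozen=True)
class Hole:
    name: str        # purpose of the hole, used as the firewall rule comment
    peer: str        # the single corporate-side host allowed through this hole
    proto: str       # "tcp" or "udp"
    dport: int       # destination port on the side that is being connected to
    initiator: str   # "peer": the server pushes into SCADA; "scada": SCADA hosts pull from the server


# The only three flows that may cross the boundary (assumed ports, one host each).
HOLES = (
    Hole("os-app-patching", "10.10.0.10", "tcp", 8530, "peer"),
    Hole("antivirus-updates", "10.10.0.11", "tcp", 443, "scada"),
    Hole("offline-backup", "10.10.0.12", "tcp", 22, "scada"),
)


def is_allowed(src: str, dst: str, proto: str, dport: int) -> bool:
    """Return True only if a new connection matches one hole in its permitted direction.

    Return traffic of an accepted connection is handled by connection tracking in the
    firewall, so only the initiating packet is evaluated here.
    """
    s, d = ip_address(src), ip_address(dst)
    for hole in HOLES:
        if hole.proto != proto or hole.dport != dport:
            continue
        peer = ip_address(hole.peer)
        if hole.initiator == "peer" and s == peer and d in SCADA_VLAN:
            return True
        if hole.initiator == "scada" and s in SCADA_VLAN and d == peer:
            return True
    # Everything else, including any Internet destination and SMTP, is denied.
    return False


def nft_ruleset() -> str:
    """Render the allowlist as an nftables forward chain whose policy is drop."""
    lines = [
        "table inet scada_edge {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for hole in HOLES:
        if hole.initiator == "peer":
            match = f"ip saddr {hole.peer} ip daddr {SCADA_VLAN}"
        else:
            match = f"ip saddr {SCADA_VLAN} ip daddr {hole.peer}"
        lines.append(f'    {match} {hole.proto} dport {hole.dport} accept comment "{hole.name}"')
    # Log and drop anything else that touches the SCADA VLAN so violations are visible.
    lines.append(f'    ip saddr {SCADA_VLAN} counter log prefix "scada-deny " drop')
    lines.append(f'    ip daddr {SCADA_VLAN} counter log prefix "scada-deny " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset())
    print("AV pull allowed:", is_allowed("10.50.0.5", "10.10.0.11", "tcp", 443))
    print("Web from SCADA allowed:", is_allowed("10.50.0.5", "203.0.113.10", "tcp", 443))
```

The point of writing the policy this way is that the allowlist is the single source of truth: the rule text is generated from it, and a change request has to add a named hole rather than an ad hoc rule, which keeps "three and only three" reviewable.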
3) Phishing emails lead to BEC. Do not fall for them.
Here are some things to look for in a phishing email:
• The email asks you to confirm personal information.
• The email address does not look legitimate.
• It may use poor grammar.
• The email comes to you, even though you did not initiate contact.
• The email may contain an attached file that you were not expecting.
• The email has a sense of urgency or secrecy.
• The email asks you to change wire transfer instructions to a different account.
If you are ever in doubt whether an email is legitimate, call the sender using a phone number you obtained from their website or an older email (not the email they just sent you) and ask whether they sent the email in question. Picking up the telephone is one of the best ways to shut down BEC scams.
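The checklist above can be turned into a simple triage heuristic. The following Python example is added here and is not from the article: it parses a raw message with the standard library, reports which checklist items it trips (untrusted sender domain, mismatched Reply-To, not a reply to an existing thread, urgency or secrecy wording, a request to change payment instructions, a request to confirm personal information, a risky attachment), and recommends the phone check when two or more are present. The trusted domain, the keyword lists, the risky extensions and both sample messages are constructed assumptions; the "poor grammar" item is left to the human reader.

```python
"""Phishing-indicator triage for raw RFC 5322 messages (constructed example)."""
import email
from email import policy
from email.utils import parseaddr

# Heuristic phrase lists mapped to the article's checklist (assumed, not exhaustive).
URGENCY = ("urgent", "immediately", "right away", "within 24 hours",
           "confidential", "do not share", "keep this between us")
PAYMENT = ("wire transfer", "new bank account", "updated banking",
           "routing number", "change our account")
PERSONAL = ("confirm your password", "verify your account",
            "confirm your identity", "social security number")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm")


def _body_text(msg) -> str:
    """Decoded text of the main body part, or an empty string."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def phishing_indicators(raw: str, trusted_domains=("example-utility.com",)) -> list:
    """Return the checklist items a message trips; an empty list means none."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain not in trusted_domains:
        hits.append("sender address is not from a trusted domain")

    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        hits.append("Reply-To points somewhere other than the sender")

    # A message that is not a reply to a thread you started arrived unsolicited.
    if msg.get("In-Reply-To") is None and msg.get("References") is None:
        hits.append("unsolicited: not a reply to an existing thread")

    text = (str(msg.get("Subject", "")) + "\n" + _body_text(msg)).lower()
    if any(p in text for p in URGENCY):
        hits.append("urgency or secrecy language")
    if any(p in text for p in PAYMENT):
        hits.append("asks to change payment or wire instructions")
    if any(p in text for p in PERSONAL):
        hits.append("asks you to confirm personal information")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            hits.append(f"unexpected risky attachment: {name}")
    return hits


def triage(raw: str, **kw):
    """Two or more indicators: hold the message and verify by phone, as the article advises."""
    hits = phishing_indicators(raw, **kw)
    return ("hold - verify by phone" if len(hits) >= 2 else "deliver"), hits


# Constructed sample: a look-alike domain, a foreign Reply-To, urgency, a payment change, a macro document.
SUSPECT = """\
From: "Jane Doe" <jane.doe@examp1e-utility.com>
Reply-To: jane.doe.payments@mail-relay.example.net
To: ap@example-utility.com
Subject: URGENT: updated wire transfer instructions
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please process today's vendor payment to our new bank account. This is
confidential, do not share with anyone until the transfer is complete.
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: an internal reply in an existing thread with ordinary wording.
LEGIT = """\
From: "Bob Ops" <bob.ops@example-utility.com>
To: ap@example-utility.com
Subject: Re: Q2 maintenance schedule
In-Reply-To: <20200415.1234@example-utility.com>

Here is the schedule we discussed on the call. Nothing else changes.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        verdict, hits = triage(raw)
        print(label, "->", verdict, hits)
```

The keyword lists are deliberately crude; the value is in combining several weak signals and routing a message to the out-of-band phone call rather than trying to decide purely in software.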
4) Do not use local admin credentials.
If a computer is infected with a virus, the virus often inherits the access level of the user of that computer. If that user is a local administrator on their own computer, the virus becomes an administrator as well: it can install new programs, read all files, and steal any data it chooses. This is bad. Your users should have the minimum permissions required to perform their daily job functions. Giving end users local administrative privileges opens doors to cybercriminals and can turn a bad attack into a worse one.
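A practical way to enforce this is to audit which accounts actually hold local administrator rights and flag the ones that should not. The Python below is an added example, not from the article: it parses the output of the Windows command `net localgroup Administrators` as collected from several hosts and reports any member outside an approved set. The host names, the approved groups and the captured output are constructed for the example.

```python
"""Audit local Administrators membership from captured `net localgroup` output (constructed example)."""

# Constructed: what `net localgroup Administrators` printed on two assumed hosts.
SAMPLE_OUTPUT = {
    "HMI-01": """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\SCADA-Admins
CORP\\jsmith
The command completed successfully.
""",
    "HIST-02": """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\SCADA-Admins
The command completed successfully.
""",
}

# Assumed policy: only the built-in account and two admin groups may hold local admin rights.
APPROVED = {"administrator", "corp\\domain admins", "corp\\scada-admins"}


def parse_members(output: str) -> list:
    """Extract member names from `net localgroup` output; members follow the dashed separator."""
    lines = output.splitlines()
    start = next((i for i, line in enumerate(lines) if line.startswith("----")), None)
    if start is None:
        return []
    members = []
    for line in lines[start + 1:]:
        line = line.strip()
        if not line or line.startswith("The command completed"):
            break
        members.append(line)
    return members


def unapproved_admins(outputs: dict, approved=APPROVED) -> dict:
    """Map host -> members that hold local admin rights without being on the approved list."""
    findings = {}
    for host, output in outputs.items():
        extra = [m for m in parse_members(output) if m.lower() not in approved]
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    for host, extra in unapproved_admins(SAMPLE_OUTPUT).items():
        print(f"{host}: unapproved local administrators: {', '.join(extra)}")
```

Run periodically against fresh captures, a non-empty result is the list of accounts to move back to standard-user rights.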
5) Prohibit USB drives.
USB devices are inherently insecure. The problem lies in the USB protocol itself – simply put, a USB device can run malicious applications on a PC, and there is nothing the user can do about it. The only effective defense is an endpoint protection program that removes the ability of USB drives to act as data storage devices. This is strongly recommended for all computers in the energy production and transmission industry.
One of the best things you can do to protect yourself and your company from falling victim to a cyberattack, including BEC scams, is to be proactive. Train your employees to recognize phishing emails and to take the proper steps when anything looks out of place. Train them to assume malicious intent in the emails they receive and the websites they visit.