

Business Email Compromise Awareness in the Power Industry

image credit: © Melpomenem | Dreamstime.com

This item is part of the Cybersecurity - Special Issue - 04/2020.

Business Email Compromise, or BEC, is the fastest growing segment of cybercriminal activity. While the attack vector is new, COVID-19 has brought about an increase of over 350%. Hackers are trying to take over email accounts and use the information in them to trick people into installing viruses that allow a cybercriminal to take over a computer. The power industry is as vulnerable as any other, but the stakes are higher because of the SCADA environments that these computers control. It is up to you to keep abreast of these threats so that your infrastructure stays under your control.

1) Emails and SCADA systems don’t mix.

If you have a computer that has access to your SCADA environment, that computer should NEVER be used to read or write email or to surf the web. The Internet is too dangerous a place to attach systems that control power equipment to.

2) Segment your computer network.

To go one step further, I strongly recommend that all SCADA computers be put onto their own computer network (often called a VLAN). This VLAN should be set up so that Internet and email access is not allowed. I recommend that three (and only three) holes exist between your SCADA network and the rest of your internal network: one hole to allow operating system and application patches to be pushed to SCADA computers, one hole for antivirus updates to be applied, and one hole for offline backups of your SCADA applications/configurations to take place. Again, no Internet access should be allowed.
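To make the "three holes" rule concrete, here is an added example (not code from the original post) that models the SCADA boundary as an allow-list, checks a flow log against it, and renders the same policy as an nftables forward chain. The subnet, the three management host addresses and the ports are constructed placeholders; the assumption that the management hosts initiate each flow follows the post's wording that patches are pushed to the SCADA computers.

```python
"""Allow-list model of the SCADA VLAN boundary from item 2.

Added example, not from the original post. Subnets, host addresses and
ports are constructed placeholders; which side initiates each of the
three flows is an assumption (the post says patches are pushed, so the
management hosts are modelled as the initiators).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SCADA_VLAN = ip_network("10.50.0.0/24")   # constructed SCADA network

@dataclass(frozen=True)
class Hole:
    src: str        # the single management host allowed to initiate
    proto: str
    port: int
    purpose: str

# The three (and only three) holes the post recommends.
HOLES = (
    Hole("10.10.5.10", "tcp", 8531, "OS and application patches pushed to SCADA hosts"),
    Hole("10.10.5.11", "tcp", 443,  "antivirus signature updates"),
    Hole("10.10.5.12", "tcp", 22,   "offline backups of SCADA applications and configurations"),
)

def evaluate(src, dst, proto, port):
    """Decide whether a *new* connection may cross the boundary.

    Returns (verdict, reason). Replies to an allowed connection are left to
    the firewall's connection tracking, so only the initiating direction is
    modelled here.
    """
    s, d = ip_address(src), ip_address(dst)
    if s in SCADA_VLAN and d in SCADA_VLAN:
        return "allow", "intra-SCADA traffic never leaves the VLAN"
    if s in SCADA_VLAN:
        # SCADA hosts never initiate outward: no Internet, no email, no browsing.
        return "deny", "SCADA hosts may not initiate connections out of the VLAN"
    if d not in SCADA_VLAN:
        return "n/a", "connection does not touch the SCADA VLAN"
    for h in HOLES:
        if s == ip_address(h.src) and proto == h.proto and port == h.port:
            return "allow", h.purpose
    return "deny", "no hole matches; default deny into the SCADA VLAN"

def audit(flow_lines):
    """Return the entries of a 'src dst proto port' flow log that the policy denies.

    Anything in the result that was actually observed reaching the SCADA VLAN
    is traffic the boundary should not have passed.
    """
    denied = []
    for line in flow_lines:
        src, dst, proto, port = line.split()
        verdict, reason = evaluate(src, dst, proto, int(port))
        if verdict == "deny":
            denied.append((line, reason))
    return denied

def nftables_rules():
    """Render the policy as an nftables forward chain (text only; assumes the
    firewall forwards only between the SCADA VLAN and the corporate LAN)."""
    lines = [
        "table inet scada_boundary {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for h in HOLES:
        lines.append(f"    ip saddr {h.src} ip daddr {SCADA_VLAN} "
                     f"{h.proto} dport {h.port} accept  # {h.purpose}")
    lines += ["  }", "}"]
    return "\n".join(lines)

# Constructed flow records: the three permitted management flows plus attempts
# the boundary must block (web browsing from a SCADA host, SCADA host sending
# mail, a second path from the patch server, an arbitrary corporate host
# reaching in).
SAMPLE_FLOWS = [
    "10.10.5.10 10.50.0.7 tcp 8531",
    "10.10.5.11 10.50.0.7 tcp 443",
    "10.10.5.12 10.50.0.7 tcp 22",
    "10.50.0.7 198.51.100.20 tcp 443",
    "10.50.0.7 10.10.2.5 tcp 25",
    "10.10.5.10 10.50.0.7 tcp 445",
    "10.10.40.23 10.50.0.9 tcp 3389",
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {line}: {reason}")
    print(nftables_rules())
```

The design point is the default-deny policy: every hole is named by source host, protocol and port, so a fourth path (or the patch server on a second port) is denied without anyone having to write a rule for it.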

3) Phishing emails lead to BEC. Do not fall for them. 

Here are some things to look for in a phishing email: 

• The email asks you to confirm personal information. 

• The email address does not look legitimate. 

• It may use poor grammar. 

• The email comes to you, even though you did not initiate contact. 

• The email may contain an attached file that you were not expecting. 

• The email has a sense of urgency or secrecy. 

• The email asks you to change wire transfer instructions to a different account. 

If you are ever in doubt whether an email is legitimate, call the sender using a phone number you obtained from their website or from an older email (not the email they just sent you) and ask whether they sent the email in question. Picking up the telephone is one of the best ways to shut down BEC scams.
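The indicator list above is easy to turn into a first-pass triage check that a mail gateway or a help desk script can run before a human ever reads the message. The following is an added example and not code from the original post: it scores a message against those indicators and applies the post's own rule (hold and verify by phone when payment details change or several indicators stack up). The keyword lists, the risky attachment extensions, our own domain and both sample messages are constructed for illustration; the "poor grammar" indicator is left to the human reader because it does not reduce to a keyword check.

```python
"""Score an inbound message against the phishing indicators from item 3.

Added example, not part of the original post. Keyword lists, extensions,
OUR_DOMAINS and the sample messages are constructed for illustration.
"""
import difflib
from email.message import EmailMessage
from email.utils import parseaddr

OUR_DOMAINS = {"example-utility.com"}   # constructed: domains we send from
PERSONAL_INFO = ("confirm your personal information", "verify your account",
                 "confirm your password", "update your credentials")
URGENCY_SECRECY = ("urgent", "immediately", "as soon as possible",
                   "confidential", "do not discuss", "keep this between us")
WIRE_CHANGE = ("new bank account", "updated wire instructions",
               "change the wire", "new account number", "updated banking details")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".iso", ".docm", ".xlsm",
                    ".htm", ".html", ".zip")

def sender_problem(msg):
    """Does the sender address look legitimate? Returns a reason or None."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "no usable sender address"
    for ours in OUR_DOMAINS:
        # A near-miss of our own domain (one swapped character) is a classic lure.
        if domain != ours and difflib.SequenceMatcher(None, domain, ours).ratio() > 0.8:
            return f"sender domain {domain!r} is a lookalike of {ours!r}"
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        return "Reply-To points at a different domain than From"
    return None

def indicators(msg):
    """Return the indicators from the post's list that this message trips."""
    found = []
    problem = sender_problem(msg)
    if problem:
        found.append(problem)
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    if any(k in text for k in PERSONAL_INFO):
        found.append("asks you to confirm personal information")
    if not (msg.get("In-Reply-To") or msg.get("References")):
        found.append("unsolicited: not a reply to anything you sent")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            found.append(f"unexpected attachment of a risky type: {name}")
    if any(k in text for k in URGENCY_SECRECY):
        found.append("pressure through urgency or secrecy")
    if any(k in text for k in WIRE_CHANGE):
        found.append("asks to change wire transfer / bank details")
    return found

def triage(msg):
    """The post's advice in code: a payment-detail change, or two or more
    indicators, means stop and verify by phone using a number you already have."""
    found = indicators(msg)
    if any("wire" in f for f in found) or len(found) >= 2:
        return "hold: verify with the sender by phone using a number you already have"
    return "deliver"

def constructed_bec_message():
    """Constructed example of the wire-change lure the post warns about."""
    msg = EmailMessage()
    msg["From"] = "Jane Doe <jane.doe@examp1e-utility.com>"   # note the '1' for 'l'
    msg["To"] = "ap@example-utility.com"
    msg["Subject"] = "URGENT: updated wire instructions for today's vendor payment"
    msg.set_content("Please send today's payment to our new bank account using the "
                    "attached form. Keep this confidential until the deal closes.")
    msg.add_attachment(b"PK\x03\x04 constructed, not a real archive",
                       maintype="application", subtype="zip", filename="wire_form.zip")
    return msg

def constructed_normal_message():
    """Constructed routine reply from a colleague, for contrast."""
    msg = EmailMessage()
    msg["From"] = "Ops Desk <ops@example-utility.com>"
    msg["To"] = "ap@example-utility.com"
    msg["Subject"] = "Re: meeting minutes"
    msg["In-Reply-To"] = "<constructed-id@example-utility.com>"
    msg.set_content("Attached are the minutes from this morning.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="minutes.pdf")
    return msg

if __name__ == "__main__":
    for m in (constructed_bec_message(), constructed_normal_message()):
        print(m["Subject"], "->", triage(m), indicators(m))
```

Keyword scoring is deliberately crude; its job is to decide who gets the phone call, not to replace it. A wire-instruction change is treated as sufficient on its own because that is the indicator with the direct financial loss behind it.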

4) Do not use local admin credentials.

If a computer is infected with a virus, that virus often inherits the access level of the user of the computer. If that user is a local administrator to their own computer, the virus becomes an administrator as well. This means that the virus can install new programs, read all files, and steal any data that it chooses. This is bad. Your users should have the minimum permissions required to perform their daily job functions. Giving end-users local administrative privileges opens up doors to cybercriminals that can make attacks go from bad to worse.

5) Prohibit USB drives.

USB devices are inherently insecure. The problem lies in the USB protocol itself – simply put, a USB device can run malicious applications on a PC and there is nothing that the user can do about it. The only effective defense is to use an endpoint protection program that shuts off the ability for USB drives to act as data storage devices. This is strongly recommended for all computers in the energy production / transmission industry.
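Items 4 and 5 both come down to a check you can script on each workstation: who actually holds local administrator rights, and whether USB mass storage has really been switched off. The block below is an added example, not code from the original post. It parses the text that the Windows commands `net localgroup Administrators` and `reg query HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start` print; the two sample outputs are constructed, the approved-admin list is a placeholder, and treating a USBSTOR `Start` value of 4 (the driver disabled) as "USB storage blocked" is one OS-level check, not a substitute for the endpoint protection product the post recommends.

```python
r"""Audit two endpoint controls from items 4 and 5 of the post: local
administrator membership and whether the USB mass-storage driver is disabled.

Added example, not from the original post. It parses the output of
`net localgroup Administrators` and
`reg query HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start`;
the sample outputs below are constructed and APPROVED_ADMINS is a placeholder.
"""
import re
import subprocess

# Placeholder allow-list: the built-in account plus one domain group.
APPROVED_ADMINS = {"administrator", "corp\\workstation-admins"}

def parse_localgroup(output):
    """Return the member names listed by `net localgroup Administrators`."""
    members, collecting = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("-----"):          # dashed rule precedes the member list
            collecting = True
            continue
        if line.lower().startswith("the command completed"):
            break
        if collecting and line:
            members.append(line)
    return members

def unapproved_admins(output):
    """Members of the local Administrators group that are not on the allow-list."""
    return [m for m in parse_localgroup(output) if m.lower() not in APPROVED_ADMINS]

def parse_usbstor_start(output):
    """Extract the Start DWORD from `reg query ... USBSTOR /v Start` output."""
    m = re.search(r"^\s*Start\s+REG_DWORD\s+0x([0-9a-fA-F]+)", output, re.MULTILINE)
    return int(m.group(1), 16) if m else None

def usb_storage_disabled(output):
    """Start=4 is SERVICE_DISABLED: the USB mass-storage driver will not load."""
    return parse_usbstor_start(output) == 4

def audit_endpoint(localgroup_output, usbstor_output):
    """Combine both checks into a list of findings (empty means both pass)."""
    findings = []
    for member in unapproved_admins(localgroup_output):
        findings.append(f"local admin rights held by non-approved account: {member}")
    if not usb_storage_disabled(usbstor_output):
        findings.append("USBSTOR Start is not 4: USB mass storage is still enabled")
    return findings

def live_audit():
    """Run the real commands on a Windows host (not used by the offline demo)."""
    lg = subprocess.run(["net", "localgroup", "Administrators"],
                        capture_output=True, text=True).stdout
    rq = subprocess.run(["reg", "query", r"HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR",
                         "/v", "Start"], capture_output=True, text=True).stdout
    return audit_endpoint(lg, rq)

# Constructed sample output: one user account has been added to Administrators
# and USBSTOR is still at its default Start value of 3 (load on demand).
SAMPLE_LOCALGROUP = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\workstation-admins
CORP\\jsmith
The command completed successfully.
"""

SAMPLE_USBSTOR = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\USBSTOR
    Start    REG_DWORD    0x3
"""

if __name__ == "__main__":
    for finding in audit_endpoint(SAMPLE_LOCALGROUP, SAMPLE_USBSTOR):
        print("FINDING:", finding)
```

Run the live variant from a management job rather than from the user's own session, so that the result reflects what the endpoint actually enforces and not what the user can see.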

One of the best things you can do to protect yourself and your company from falling victim to a cyberattack, including BEC scams, is to be proactive. Train your employees to be aware of phishing emails and to take proper steps when anything looks out of place. Train your employees to assume malicious intent of the emails they receive and the websites they visit.

Bryce Austin

Discussions

Matt Chester on Apr 29, 2020 9:21 pm GMT

Phishing emails lead to BEC. Do not fall for them. 

It isn't terribly surprising that one of the most vulnerable areas of a robust cybersecurity system is the humans behind the computers, namely through phishing. At this point, it seems like there is widespread awareness of what phishing is, and many utilities will even include reminders and training on a frequent basis, but it seems too easy for people to forget or not have phishing at the forefront of their mind if it's been a number of months since the last training. What are some key strategies utilities can implement (whether technology or training or otherwise) to make sure employees aren't letting their guard down?

Thiruven Madhavan on Apr 30, 2020 6:14 pm GMT

1. The time has come for continuous vulnerability assessments, and there are tools available.

2. Migration to cloud platforms like Office365/G Suite has come with challenges, especially in the areas of security and backups. One needs to address these challenges. Case in point is Uniper (Germany).

3. There is a growing explosion of zero-day malware variants that are missed by signature-based security solutions, including Office365 ATP. There are solutions; please connect if you are interested in conducting POCs.
