

Malware Threats for Utilities


When hackers knocked out the power in parts of Ukraine two winters in a row, the world gasped, and the US energy industry was put on notice. 

Malware was behind the damage, the first case in history where malicious code was used by a foreign power to trigger a physical disruption in the power supply of a sovereign nation. 

But while these attacks remain a real and growing threat, America’s utilities are far more at risk of other types of malware, which may not be designed to trip circuit breakers or de-energize power lines, but can cause significant damage in other ways. 

It’s safe to say that electric utilities are one of the top targets for state-sponsored hackers. These hackers are rarely interested in cutting off power; they are more interested in probing these networks and laying the groundwork for such attacks in the future, as a possible deterrent or as retaliation in a war. In the meantime, cybercriminal organizations may compromise the front-office networks of utility operators, whether by design or by accident. And as the professionalization of the hacking community continues and the Dark Web evolves into a robust marketplace for the sale of sophisticated hacking tools, other utility threat actors could arise too — such as terrorists and hacktivists. 

What this means is that the cyber threat forecast for US electric utilities is constantly expanding, and could hit a critical mass in the event of a geopolitical crisis.

However, to better understand these threats, it is important to look at the underlying technology which drives them — malware.

Just as military weapons vary widely, from side arms to nuclear missiles, so too is there a large spectrum of digital weaponry. Malware is an extremely broad category, which includes everything from rudimentary viruses to highly sophisticated, multi-stage, nation-grade malware with physically destructive capabilities. 

Based on real-world incident reports, the evolution of malware and the known goals of threat actors, the US utility sector is most at risk of five types of attacks: backdoors, data theft, encryption, data loss/manipulation and financial fraud.

Let’s take a closer look at these attacks.

Backdoors - 

Nation-states are actively trying to establish beachheads in US utility networks in order to gain persistent access to these facilities, map out their networks and lay the groundwork for possible future attacks — if a geopolitical crisis were to necessitate such a need. 

To do this, the attacker needs to compromise the targeted system(s) and modify them so that the attacker retains persistent access even while the utility updates the systems and tries to detect and remove any potential malware. 

Typically, the attacker will attempt to install some form of “rootkit” on the system in order to gain privileged remote access to the network. A rootkit is installed below the operating system (OS), which makes it significantly harder to detect, because it can hide from both the OS itself and any anti-malware software running at the OS level. In some cases, the attacker may compromise hardware, such as disk drives or graphics controllers, so that the malware can hide persistently within the firmware of these devices. 

When such malware is detected, the utility will typically need to replace the compromised hardware altogether, as no technique provides assurance that the malware has been reliably removed.

Data theft - 

Attackers are also actively trying to steal data, for numerous reasons. This could be part of a state-backed operation to gather intel on the facility’s IT and OT operations and networking, or it could be a criminal group simply targeting customer payment information. 

This is where robust network monitoring (particularly for anomalous behavior such as foreign or rogue IPs, large data uploads, and changes in approved users’ activity), front-office network segmentation, ICS air-gapping and user access controls all become important, and all must be executed properly. 
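As an added illustration (not the author's code) of the anomaly checks this section lists, the following Python rule set runs over a few constructed outbound-flow records and flags rogue destinations, large external uploads, off-hours activity and accounts outside the approved list; the network ranges, user list and thresholds are assumptions.

```python
# Added example: simple policy checks over constructed outbound-flow records.
# Networks, users, thresholds and records are assumptions, not real utility data.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records: (user, src_host, dst_ip, bytes_out, hour_of_day)
FLOWS = [
    ("jsmith", "ws-billing-01", "10.20.5.8", 12_000, 9),
    ("jsmith", "ws-billing-01", "203.0.113.40", 850_000_000, 2),
    ("opsadmin", "ws-ops-03", "192.0.2.15", 4_000, 14),
    ("svc-backup", "srv-bk-01", "10.20.9.2", 2_000_000_000, 23),
    ("temp42", "ws-hr-07", "10.20.5.8", 3_000, 11),
]

# Assumed policy: internal ranges plus one approved external range; all else is "rogue".
APPROVED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
APPROVED_USERS = {"jsmith", "opsadmin", "svc-backup"}
UPLOAD_THRESHOLD = 500_000_000   # bytes per host sent to unapproved destinations
BUSINESS_HOURS = range(7, 20)    # hours in which interactive users are expected


def is_approved_dst(ip):
    """True if the destination falls inside an approved network."""
    addr = ip_address(ip)
    return any(addr in net for net in APPROVED_NETS)


def find_anomalies(flows):
    """Return a list of (rule, user, host, dst) tuples for flows that break policy."""
    findings = []
    external_bytes = defaultdict(int)  # bytes to unapproved destinations, per host
    upload_alerted = set()             # hosts already flagged for large uploads
    for user, host, dst, nbytes, hour in flows:
        if user not in APPROVED_USERS:
            findings.append(("unapproved_user", user, host, dst))
        if not is_approved_dst(dst):
            findings.append(("rogue_destination", user, host, dst))
            external_bytes[host] += nbytes
            if external_bytes[host] > UPLOAD_THRESHOLD and host not in upload_alerted:
                upload_alerted.add(host)
                findings.append(("large_external_upload", user, host, dst))
        # Service accounts (prefix "svc-") are expected to run outside business hours.
        if hour not in BUSINESS_HOURS and not user.startswith("svc-"):
            findings.append(("off_hours_activity", user, host, dst))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(FLOWS):
        print(finding)
```

Real deployments would baseline per-user and per-host behavior over time rather than use fixed constants, but the rule shapes are the same.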

Encryption - 

Ransomware is an ongoing threat for every industry, but it’s particularly risky for utilities. 

To date, most of these attacks have been carried out by opportunistic, low-level criminal rings who were only after the extortion money, but as we saw with WannaCry, more sophisticated hackers may also turn to this method of attack for its destructive and disruptive potential. 

Keep in mind that this type of attack can target stored files, data records and the hardware itself. For instance, the malware could encrypt the master boot record of a computer so that it can no longer boot.

In any case, utilities need to be aware of the potential for damage and take appropriate countermeasures, including frequent full and incremental backups of all critical data, with the backups stored write-protected so that attackers who have compromised the systems cannot overwrite them.

Data loss or manipulation - 

Similarly, hackers may also attempt to erase or modify key data stored by the utility in order to disrupt operations. These attacks often rely on “wiper” malware to carry this out. As the name implies, wipers will wipe out — i.e., erase — stored files and records, and they can also target the master boot record of computers in order to brick them.

The oil industry has seen numerous attacks of this kind in the Middle East over the past few years. One example is the Shamoon malware, which destroyed thousands of computers at Saudi Aramco. NotPetya is another wiper-style malware that has been used in attacks on businesses around the world. 

It is highly likely that we will eventually see these attacks migrate to the utility sector as well. The countermeasures are the same as with ransomware. 

Financial fraud - 

Lastly, utilities should expect to see ongoing attacks by criminal groups that are trying to defraud them. 

“Spearphishing” attacks are used by all levels of attackers, and in the case of high-level attackers, these are often very carefully personalized to target specific individuals with what appears to be normal business activities. Spearphishing is the delivery method for slipping in any number of dangerous types of malware, ranging from information stealers to ransomware and wipers, and worse.

While employee training can reduce the likelihood of staff being compromised by spearphishing attacks, high-level targeted spearphishing is all but certain to compromise enough staff members that the utility needs to plan on operating with some privileged user accounts compromised.


Malware poses a difficult challenge for utilities, because all it takes is one successful attack and the entire operation can be exposed.

To cope with this challenge, it is imperative for utilities to implement a layered defense strategy, which is not only focused on prevention, but also — and equally — focused on post-breach containment. 

Preventive defenses include all of the standard approaches: anti-malware software, intrusion detection and prevention systems (IDS/IPS), intensive network monitoring and two-factor authentication. In addition, however, utilities should consider zero-trust approaches, hardened environments that use trusted boot combined with restrictions to run only signed code, and dedicated workstations for administrative and privileged functionality.

Posted by Dr. John Michener



Matt Chester on May 30, 2019 10:38 pm GMT

Those in charge in utilities and implementing cybersecurity have of course not forgotten these attacks or the threats they present, but I find it pretty surprising how not on the radar working out these issues seems to be to political leaders. You would think this is the type of homeland security issue that would get easy bipartisan support given how damaging a foreign exploitation of our grid system would be, but I feel like I haven't heard much of a peep about this in terms of actionable suggestions from Washington in some months.
