A cyberattack on a natural gas service provider late last month has spilled into the electricity sector, underscoring the growing threat hackers pose to critical energy systems.
The March 29 incident forced at least five major energy companies to cut off digital connections to Energy Services Group (ESG), based in Massachusetts, which offers billing, scheduling and document-sharing services to gas pipeline operators, oil companies and electric utilities.
The cyber intrusion has not disrupted the flow of natural gas or electricity. Still, energy and cybersecurity experts say the case offers a cautionary tale in today’s increasingly interconnected world.
Duke Energy Ohio, which sells electricity and natural gas in Ohio and Kentucky, severed some network connections to avoid encountering corrupted files, according to a source familiar with the situation. The cyberattack affected several third-party companies in Ohio, where customers could see late utility bills.
The types of systems reportedly hit the hardest in the attack — so-called electronic data interchanges (EDI) provided by ESG subsidiary Latitude Technologies — would offer fertile ground for hackers hoping to jump from corporate networks to core industrial control systems that could ultimately shut down an energy provider, noted Joe Slowik, adversary hunter at industrial cybersecurity firm Dragos Inc.
"If you’re strictly looking from a disruption standpoint, [EDI] seems to be a good place to be," he said. But he emphasized that "nothing at this time indicates that this is especially scary, that big, bad actors are trying to cripple natural gas distribution."
Instead, he suggested the attack could be an example of "ransomware," a type of malicious software that locks up victims’ computers and holds the key hostage.
Sources familiar with the response effort also pointed to ransomware as a likely culprit. The FBI, which routinely investigates ransomware incidents affecting critical infrastructure, declined to comment.
ESG spokeswoman Carla Roddy confirmed in an email Wednesday that the company had fallen prey to a cyberattack, though she didn’t specify the nature of the threat. Roddy said that the company has since contracted a "leading cyber forensics firm" to restore operations.
Last month, investigators at the Department of Homeland Security and FBI warned energy companies of a yearslong Russian hacking campaign that also targeted firms in the nuclear, aviation and critical manufacturing sectors, among others.
It was not clear whether the ESG incident was related to that alert. DHS spokesman Scott McConnell said his agency is aware of the case and is "gathering further information, as is standard practice whenever we become aware of a potential cyber intrusion affecting the critical infrastructure community."
Gas outages
DHS is the agency responsible for monitoring gas industry cybersecurity practices through the Transportation Security Administration.
An E&E News investigation last year uncovered potential vulnerabilities in the gas sector, with federal oversight through TSA stretched thin (Energywire, May 23, 2017).
This week, several ESG customers said they had to conduct scheduling and billing through backup methods throughout last weekend’s outages at ESG.
Energy Transfer Partners LP, the Dallas-based parent company of the firm developing the Dakota Access pipeline, said Monday that it was handling all scheduling "in house" until the attack had been resolved.
In a statement Tuesday, Tulsa, Okla.-based pipeline giant ONEOK Inc. said it had taken a "purely precautionary step" to quit using an unnamed third-party service provider.
"Affected customers have been advised to use one of the alternative methods of communications available to them for gas scheduling purposes," ONEOK said.
Jeff Tietbohl, vice president of Chesapeake Utilities Corp. subsidiary Eastern Shore Natural Gas Co., said in a statement that the pipeline operator used "alternate communications channels" for some of its business starting March 29.
"The ESNG physical pipeline system remained fully operational during this time with no operational issues," he said, noting that Latitude’s data interchange services had bounced back by Monday.
Molly Whitaker, a spokeswoman for Boardwalk Pipeline Partners LP, said three of the Houston-based company’s interstate gas pipelines had not been affected by the data interchange outage, noting that customers have been conducting business via a website until the third-party service is fully restored.
"An attack on a network certainly is inconvenient and can be costly, and something any company — whether a retailer, a bank, a media company or pipeline — wants to avoid, but there is no threat as such to public safety or to natural gas deliveries," said Cathy Landry, vice president of communications at the Interstate Natural Gas Association of America, which represents major pipeline operators. "It’s important to recognize that this does not appear to be an attack on an operational system (also known as a SCADA or control system)."
The main hubs for sharing threat information for the oil and gas sectors declined to comment specifically on the ESG attack or its potential consequences but still offered tips for responding to cyber events.
"In recent years, we’ve seen criminals and other adversaries increasingly turn to cyberattacks as a means to make money or inflict damage," noted David Zacher, executive director of the Oil and Natural Gas Information Sharing and Analysis Center. "We believe it’s important for oil and natural gas companies to come together to defend themselves through threat intelligence exchange, and we will continue to work to strengthen and grow the ONG-ISAC for the benefit of the industry."
The Downstream Natural Gas Information Sharing and Analysis Center, which specializes in getting the word out on threats to pipelines, "is always concerned when illegal and dangerous actions, cyber or physical, adversely affect any part of our national critical infrastructure, especially natural gas," spokesman Jake Rubin noted.
The DNG-ISAC is backed by the American Gas Association, an industry group that represents hundreds of gas utilities nationwide.
Yesterday, the group reminded its members that proper network security practices would stop hackers from realizing worst-case attacks.
The AGA pointed to one provision of the TSA’s pipeline security guidelines in particular — a recommendation to "segregate and protect" critical pipeline assets from the business networks involved in scheduling and billing.
"Our experience has shown that when these guidelines are adhered to, and business systems or vendor systems are compromised, then the gas still flows because the operational systems are separate," the AGA noted.
Dewan Chowdhury, founder and CEO of the cybersecurity company MalCrawler and a consultant to major gas and electric utilities, credited AGA for trying to get the word out about threats, noting that it has "been working with operators to help improve the overall cybersecurity postures."
But he said he has often encountered critical control networks misconfigured to allow communication with corporate computers outside.
"Incidents like these rattle the industry to come up with cybersecurity plans to secure their environment from the worst-case scenario," he said.