"ACTION REQUIRED — Vacation and Backup Schedule."
That pushy subject line tops an email delivered to thousands of energy workers across 26 states earlier this week. The sender urged employees at utility holding company Avangrid Inc. and its subsidiaries to log into a "secure online calendar" for testing a new scheduling tool.
To discerning users, the message is rife with red flags — typos, suspicious URLs, a skewed company logo.
But at least a few employees never fail to take the bait.
"We are getting more mature, but I have to admit I’m constantly surprised by how quickly people are clicking links," said Keri Glitch, vice president of corporate security at Avangrid, the parent company of New York State Electric and Gas Corp., Central Maine Power Co., and several other U.S. energy providers.
She would know: Her team, not hackers, actually sent the suspicious email. Normally, a reckless mouse click marks the beginning of a successful cyberattack. But in this case, Avangrid employees are directed to a harmless cybersecurity training page via the "PhishMe" platform.
Fake phishing campaigns like those at Avangrid are one way energy utilities have responded to the growing and ever-changing online threat to their systems. Carefully crafted malicious emails are thought to have granted Russian hackers access to Ukrainian power distribution networks in a first-of-its-kind cyberattack last year (EnergyWire, July 18). Cybersecurity companies say phishing is also the most common method for spreading "ransomware," a ruthless type of computer virus that locks up files on victims’ computers and demands hundreds or even thousands of dollars for the key.
Dan Hucko, the main architect of Avangrid’s PhishMe campaigns, said a new round of emails goes out every month and costs around 60 cents per message to produce.
"We try to make [the emails] as realistic as possible," he said, noting that a previous scenario was "almost an exact duplicate of an email out in the wild that’s been spreading the ‘Locky’ ransomware."
The FBI has called ransomware "a growing threat to businesses and individuals alike." In the first six months of 2016, the agency fielded 1,308 victim complaints related to ransomware, accounting for more than $2.5 million in losses. At least two energy utilities have been hit by ransomware in recent months, including the Lansing Board of Water and Light in Michigan.
Avangrid, a subsidiary of the Spain-based energy giant Iberdrola, hopes its awareness efforts will make employees and executives more skeptical of emails, attachments and unfamiliar websites.
"Ransomware appears to be financially driven, and from a critical infrastructure perspective, that may be an attractive target," Glitch said. "We have the technology, and we have layers of defense, but it does come down to an individual user clicking on something. It’s those small instances that give us pause."