Hackers have reportedly stolen two decades’ worth of files from a U.S. energy equipment vendor that counts Missouri’s largest utility, Ameren Corp., among its customers.
The files spanned from 1996 to 2017 and included diagrams from two Ameren power plants, the 2,400-megawatt Labadie coal plant and the 1,000-MW Sioux Energy Center, according to St. Louis Public Radio, which first reported the incident. The documents were taken from third-party supplier LTI Power Systems and stemmed from a "ransomware" attack on LTI.
After an investigation, Ameren determined the breach doesn’t include "any customer, confidential or critical operations data," a company spokesperson told E&E News.
LTI Power Systems manufactures uninterruptible power supplies for utilities and oil and gas pipeline companies, among other customers, "in nearly every country in the world," according to the Ohio-based company’s website. LTI did not respond to requests for comment yesterday.
It’s common for third-party vendors to have access to valuable utility information, making them a prime target for hackers, say cybersecurity experts.
"Often — not always — [third-party suppliers] are easier to get in through, because they’re either not beholden to the security standards of [utilities] themselves, or they get special access," said Nathan Brubaker, vice president of threat analysis at cybersecurity firm FireEye Inc.
The prevalence of supply chain cyberattacks has alarmed federal agencies and cybersecurity experts, including the Federal Energy Regulatory Commission, which called it one of the top five cybersecurity priorities last November.
A Russia-linked hacking group known as Dragonfly 2.0 launched a campaign against multiple energy companies in 2018 through third-party suppliers with insecure networks.
The material stolen from LTI included schematics of uninterruptible power supply (UPS) equipment that provides backup electricity to parts of the Sioux and Labadie coal plants. The Labadie facility, located in Franklin County, Mo., is the largest power plant in the state.
UPS equipment has been hacked in the past. In 2015, a Russian cyberattack on three Ukrainian power companies disabled UPS devices as part of a wider attack that took down power for around 250,000 people.
Ameren said that the files in this case "do not contain any information that would put Ameren assets or customer data at risk to external threats." The utility has around 1.2 million customers.
"As part of our procurement process, standard schematics or drawings may be shared with suppliers to support procurement of materials," Ameren said.
Without more information, it’s difficult to know what exactly the hackers were planning to do with the stolen data, Brubaker said. He said it is "not uncommon" for members of his team to find sensitive information online "that you could use to do some really bad stuff."