Lessons Learned From a Ransomware Attack

After a malware breach, a utility company paid the ransom. That was just the start of its troubles...

Utility Ransomware

On April 25, 2016, the Board of Water & Light (or BWL), based out of Lansing, Mich., discovered that its internal network had been compromised. The foreign hackers behind the attack, which was triggered by an employee opening a malicious email attachment, demanded that the utility company pay $25,000 to unlock its email and accounting systems. Like the vast majority of companies hit by ransomware, BWL begrudgingly acquiesced.

“Paying the ransom was distasteful and disgusting, but sadly necessary,” BWL’s general manager Dick Peffley said during a board meeting. It was, he continued, “the only action we could take to unlock our system and free it from the ransomware.” Despite delivering Bitcoin two days after the event, it still took 11 days for systems to become operational again.

The recent WannaCry incident reminds us that all companies—big, medium, and small—must anticipate this type of attack. At a minimum, security operations must train employees to spot malware. And IT teams should vigilantly back up files (and verify that the backups can be restored) to minimize work disruption and, in some cases, avoid paying a ransom at all.

But it also reminds us that an overwhelming number of security systems still cannot reliably detect malware. Part of the reason typical security tooling, such as a SIEM system, fails enterprises is that it generates more alerts, many of them false positives, than any human analyst can triage. So it is puzzling that adopting machine learning-driven security analytics still does not seem to be a priority for companies. These platforms provide the speed and visibility companies desperately need, and they can integrate with existing threat-detection investments rather than replace them.

Blind spots are particularly troubling when it comes to utility companies. As they adopt smart grids and other connected technology, the growth in connectivity exposes critical infrastructure to both insider and outside threats. This includes a heightened risk of contractor negligence and, yes, malware. The Idaho National Laboratory, in a study for the U.S. Department of Energy, reports: “The 2015 Global State of Information Security Survey reported that power companies and utilities around the world expressed a sixfold increase in the number of detected cyber incidents over the previous year.”

Seven months after the breach, BWL leadership vowed to tighten its security profile and train its 700 employees in best practices. But that was too little, too late.

BWL had to hire a forensics team to trace the compromise. It also had to install security upgrades and employ IT workers to verify that employee computers and servers were free of malware. All told, this cost the utility an extra $2.4 million. (The utility company filed a $1.9 million insurance claim, which is still under review at AIG.)

Then there was the unquantifiable: a PR debacle. In the time since the hack, 13 IT workers and one emergency-management director at BWL resigned. Some even went so far as to warn the public about BWL’s weak security. In an unfortunate maneuver, its CIO sent a memo to the county, stressing that they “must control what information is allowed out into the public during a crisis.” BWL didn’t initially disclose the breach, because it affected neither customer information nor electrical and water service.

Reputational risk notwithstanding, BWL actually got lucky: The attack did not impact its critical infrastructure. But, warns the U.S. Department of Energy’s report, “The likelihood for cyber attacks against utilities is increasing in frequency and severity.”