Utilities’ vulnerability to application exploits goes from bad to worse in just weeks.  

The amount of time that utility networks spend exposed to a known application exploit has spiked over the past two months — something analysts called out as a “concerning datapoint,” and an important reminder that ransomware isn’t the only threat utility networks need to secure against.

A new report from WhiteHat Security measured the amount of time a sector remained vulnerable to a known application exploit out in the wild, a metric they call an industry’s window of exposure (WoE). They found the WoE for the utility sector climbed from 55 percent two months ago to 67 percent last month.

“Application specific attacks are equally prevalent, if not more likely, than ransomware (Colonial Pipeline is fresh in our minds),” the report explained. “Application weakness is an easy backdoor for the installation of ransomware, especially given the high-impact nature of the ransomware in utilities.”

, Utilities ‘Concerningly’ at Risk from Active Exploits, The Cyber Post

And, ransomware attacks on utilities certainly persist at critical threats. In February, Eletrobras, the largest power company in Latin America, along with  electric provider Companhia Paranaense de Energia (Copel), was forced to suspend operations following a ransomware attack.

Why Utility Networks’ Vulnerability Exposure is Spiking

The spike is attributable to several factors, Setu Kulkarni, vice president of strategy at WhiteHat, told Threatpost. The first is a shift of clunky legacy systems into internet-facing applications.

“Utilities companies have had to, in short order, ensure that they are available for business online,” Kulkarni said. “They have legacy systems which were well-suited for agent-operations,” meaning that they were designed to be operated by trusted, company customer service agents rather than enabling self-service.

“These legacy systems have had to be rapidly switched to customer self-service mode, and while the user experience may have been updated, the core transactional systems are still unchanged,” Kulkarni added. In essence, the legacy systems were never meant to be internet-facing and now they are.”

Compounding utilities’ exposure is the increasing practice of linking operational technology (OT) and internet-of-things (IoT) systems to backend operations, according to Kulkarni.

“These OT/IoT systems are connected to backend systems, most of which are legacy transactional systems,” Kulkarni said. “OT/IoT systems themselves are not well-secured and at the same time the legacy transactional systems were not designed to meet the scale and security needs of this hyper-proliferation of OT/IoT devices.”

And finally, in the wake of so many high-profile nation-state attacks, including the attack on Colonial Pipeline, companies are increasing their scrutiny of their current security posture and finding more bugs as a result.

“The industry as a whole is testing more and finding more,” Kulkarni added.

Indeed, in April the Biden White House announced a 100-day race to improve cybersecurity across utility companies in the U.S. by providing incentives for installing tracking software to spot hackers and report the findings to the federal governments.

Utilities Face Formidable Attackers

Threat groups sophisticated and brazen enough to hit a utility are typically affiliated with nation-state activity, meaning these attackers tend to be highly-skilled and well-funded, making them dangerous adversaries.

“Attacks targeting critical national infrastructure (CNI) tend to be the work of advanced persistent threat (APT) groups working on behalf of nation-states with specific goals,” Joseph Carson, CISO with ThycoticCentrify, told Threatpost. “These high-level adversaries are hard to defend against, as they have the time and resources required to repeatedly test security measures and find gaps, whereas more opportunist criminals in search of profits will opt for soft targets.”

Utilities, in tandem, are significantly outpaced by these malicious actors.

“In addition to facing particularly obstinate attackers, most areas of CNI must also struggle with complex network infrastructure that is problematic to secure,” Carson added.

Janky legacy system integration aside, utilities also struggle to find a way to invest in the security necessary to protect vital public services.

“Utility companies are regularly target-rich but cyber-poor,” Sounyil Yu, Jupiter’s CISO, explained to Threatpost. “Historically, they have not devoted adequate resources to preserve a basic level of security hygiene. While this condition may be a result of choice for some, the reality is that good security can get quite expensive.”

Yu argues that access to high-quality cybersecurity needs to be available equitably to every organization.

“In our increasingly connected digital world, having access to good, affordable cybersecurity should be as important as having access to clean water,” Yu said.

Until that cybersecurity equity dream becomes a reality, Kulkarni advised that utilities should take stock of all digital assets, prioritize them and start testing based on risk.

“Put in place a mitigation plan that enables rapid triage and mitigation. Once the threat is mitigated, there is ample opportunity to find the root cause and systematically fix the issue,” Kulkarni explained, adding that the final step is to “develop a security program that takes into account the ‘two-speed’ need for securing legacy systems and modern greenfield systems.”

 Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free.