The UK’s electrical grid has emerged unscathed following a potentially disruptive cyber attack on the systems of Elexon, a key cog in the electricity trading system, which left employees without access to their PCs or email on the afternoon of 14 May 2020.
Elexon is largely unknown to the general public, but it plays an essential role in the UK’s electricity sector. Because electricity cannot be stored and must be used in real time, generation and consumption must match, so the UK runs an industry-wide trading system with a method of settlement.
Under this system, each supplier calculates ahead of time, in half-hour blocks, how much electricity its customers will need so that it can buy that amount from generators. During each half-hour block, the generator must deliver the contracted amount and the customers should use that amount, although in practice this does not always happen.
Elexon’s role is to compare the amount of electricity generators say they will produce with the amount suppliers say will be used, work out the price difference, and transfer funds between the various parties. It administers this under the Balancing and Settlement Code (BSC) on behalf of the National Grid.
The attack first came to light just before midday on Thursday. In an advisory notice posted to its website, an Elexon spokesperson said the attack impacted the firm’s internal systems and laptops only, and that BSC Central Systems and EMR CfD [Electricity Market Reform Contracts for Difference] payments were not affected.
The cause of the incident was identified within four hours. “We have now identified the root cause and we are taking steps to restore our internal IT systems. BSC Central Systems (and their data) and EMR remain unaffected and are continuing to work as normal,” a spokesperson confirmed.
A National Grid spokesperson posted to Twitter, saying: “We’re aware of a cyber attack on Elexon’s internal IT systems. We’re investigating any potential impact on our own IT networks. Electricity supply is not affected. We have robust cyber security measures across our IT and operational infrastructure to protect against cyber threats.”
The incident has prompted speculation that Elexon had failed to patch a vulnerability, CVE-2019-11510, in its Pulse Secure VPN servers. Successfully exploited, this arbitrary file-read vulnerability lets attackers obtain private keys and passwords by sending a specially crafted URL to their target. Researchers at Bad Packets uncovered thousands of vulnerable servers last year, some of them at utility sector organisations.
The same vulnerability was allegedly exploited at the end of December 2019 by the cyber criminal gang behind the dangerous REvil (Sodinokibi) ransomware to attack the systems of Travelex, which had failed to apply proper updates. There is no suggestion, however, that the attack on Elexon is the work of the same group.
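The vulnerability described above is exploited through a crafted URL that reaches files the web interface should never serve, which is the kind of request that leaves a trace in the appliance's access log. The following added example (not code from the article, Elexon, Pulse Secure or Bad Packets) shows how a defender can sweep such logs for directory-traversal attempts, including single- and double-percent-encoded forms, and rank hits by whether the server answered 200. The log lines, the IP addresses and the `/vpn/` path prefix are constructed samples, not the real exploit URL or real appliance paths.

```python
"""
Sweep web-server access logs for directory-traversal requests of the kind
used to trigger an arbitrary file read via a crafted URL. Everything below
is illustrative: the sample log, addresses and /vpn/ paths are constructed
and do not come from any real appliance or incident.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed Common Log Format lines (assumption: CLF-style appliance log).
SAMPLE_LOG = """\
203.0.113.5 - - [14/May/2020:11:52:01 +0100] "GET /vpn/auth/welcome.cgi HTTP/1.1" 200 5120
203.0.113.9 - - [14/May/2020:11:52:07 +0100] "GET /vpn/../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.9 - - [14/May/2020:11:52:09 +0100] "GET /vpn/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1843
203.0.113.9 - - [14/May/2020:11:52:11 +0100] "GET /vpn/%252e%252e%252fetc/shadow HTTP/1.1" 403 120
198.51.100.2 - - [14/May/2020:11:53:40 +0100] "POST /vpn/auth/login.cgi HTTP/1.1" 302 0
"""

# CLF: client, ident, user, [timestamp], "METHOD path protocol", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# A ".." path component bounded by slashes (or start/end of the path).
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalise_path(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so that %2e%2e%2f and the
    double-encoded %252e%252e%252f both collapse to '../', then treat
    backslashes as forward slashes so '..\\' is caught as well."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True when the decoded request path contains a '..' directory step."""
    return TRAVERSAL_RE.search(normalise_path(path)) is not None


def find_traversal_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return parsed records for every traversal request in the log.
    A 200 response is rated 'high' because the file may actually have
    been served; any other status is rated 'medium' (attempt only)."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line: skip rather than crash the sweep
        rec = match.groupdict()
        if is_traversal(rec["path"]):
            rec["severity"] = "high" if rec["status"] == "200" else "medium"
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f'{hit["severity"]:6} {hit["ip"]:15} {hit["status"]} {hit["path"]}')
```

Run against a real log, the sweep gives an incident responder a quick list of source addresses and response codes to triage; the decisive follow-up is confirming the appliance's patch level, since a 200 on a traversal request means the fix was not in place when the request arrived.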
Organisations working in the supply of critical utilities are perhaps uniquely vulnerable to attack at the best of times, as cyber criminals know they are motivated to keep the lights on and the water flowing, and will factor that into their attacks. However, during the Covid-19 coronavirus pandemic, they present an even more critical target. An electrical black-out affecting a hospital or care home could have severe consequences, and attackers, particularly those backed by nation states, will be well aware of that.
Targeting critical organisations
Trevor Daughney, vice-president of product marketing at Exabeam, said it was clear nation states were targeting critical organisations during the pandemic – the US has gone so far as to accuse China of being behind them.
“We’ve recently seen a rise in geopolitical tensions, as the UK and US governments warn of nation-state attacks targeting critical Covid-19 research, vaccine data, medical facilities and even building companies behind hospital projects. We can’t know for sure at this time, but could this attack also be aimed at undermining public confidence in government during this pandemic?” he said.
“Critical infrastructure is particularly vulnerable because while IT must ensure that data is secure, it’s more important for OT to be up and running. These control networks and devices are generally legacy systems running on older operating systems and are also rather fragile. Even a vulnerability scan has been known to break a PLC or void a warranty – there is a delicate balance between system design and the often under-staffed team needed to protect it. And this is likely exacerbated by the current climate.”
“As this Elexon attack shows, critical national infrastructure, such as power networks, has always been an attractive target for hackers. And for those same hackers, the coronavirus pandemic is the gift that keeps on giving,” added Jérôme Robert, director at Alsid.
“Although there is still much we don’t know about this specific hack, with most employees working remotely, security professionals are faced with unprecedented new threats caused by the behaviour of staff and challenges around enabling remote access. In short, securing networks and data has never been more challenging.
“We have to hope this is not a ransomware event, although it would not be surprising given the current popularity of those types of attacks. If it is ransomware, Elexon could face a long and expensive road to recovery,” he said.