The recent targeted attack on two power substations in North Carolina knocked out power to more that 45,000 Moore County residents for nearly a week, at a time when Christmas lights were going up and, more importantly, temperatures were going down.
There are more than 55,000 electrical substations in the United States, and, unfortunately, the Moore County attack is not the only such attack in recent days across the country. Instead, the attack on critical infrastructure that darkened the Southern Pines area of North Carolina, is just the latest in a series of similar attacks stretching from Oregon to Florida. More ominously, it’s a threat that many experts believe is only getting bigger.
According to the Seattle Times, there were six attacks on electricity substations in Washington and Oregon in November. Meanwhile, a report filed with the U.S. Department of Energy and obtained by News Nation on December 7 – just days after the North Carolina shootings – found “at least half a dozen substation intrusion events” in Florida during the month of September. The six incidents occurred in four different substations in and around the Tampa and Orlando areas. According to News Nation, the Federal government and law enforcement officials are actively investigating each of the intrusions. Meanwhile, Fox News reported recently that law enforcement agencies, including the FBI, are investigating reports of shots fired near a power station in Kershaw County, South Carolina. The December incident did not cause any power outages or property damage.
It’s not entirely a recent phenomenon. In 2013, for example, multiple gunmen opened fire on the Pacific Gas and Electric Company’s Metcalf Transmission Substation near San Jose, CA. That attack, which remains unsolved today, caused more than $15 million in damage to 17 transformers. According to a recent report by Homeland Security Today, the “Metcalf Attack” is “commonly referenced on social media by domestic extremists … as an example of how to inflict damage on electricity infrastructure with the goal of hastening governmental and societal collapse.”
For years, experts have warned of the growing threat to the nation’s critical infrastructure. The recent string of attacks appears to have ramped up that threat in very real, tangible, and dangerous ways. According to Homeland Security Today, a 14-page “Accelerationist Guide” floating around the dark edges of the Internet calls for “Metcalf-Style Attacks on ‘Sitting Duck’ Electricity Infrastructure.” Extremists are reportedly sharing the guide on Telegram channels. The guide, according to the report, calls for shooters to bypass softer targets in favor of causing chaotic blackouts like the California and North Carolina incidents. In the guide, these extremists claim that with an extended blackout "all hell will break lose [sic] and white supremacists would be poised to take control.” To this end, the U.S. Department of Justice received guilty pleas from three men in February 2002 who admitted to plotting to shoot substations or power grids with powerful rifles “in furtherance of white supremacist ideology.”
Fortalice is advising our clients, especially those in the Energy industry, to fortify their organization’s virtual and physical barriers in the wake of these attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Energy have outlined strategies to protect yourself, your organization, and the Nation’s electric grid from attacks, including:
• Formalizing Collaboration across Organizational Security Functions: Implement an integrated approach to security that aligns cybersecurity and physical security teams with grid operators. Cross train security personnel to enable a holistic understanding of cyber-physical threats and their impacts to grid operations and consider implementing an Insider Threat Mitigation Program. This collaboration can ensure personnel have the knowledge and tools to rapidly identify and respond to an incident with cross-sector impacts. See CISA’s Cybersecurity and Physical Security Convergence Guide, which provides a framework for establishing formal collaboration between cybersecurity and physical security teams.
1. Monitor Social Media Chatter as well as Deep Dark Web Threats. Our Open-Source Intelligence (OSINT) team can be an essential partner to your organization security teams. Our agile, world-class Fortalice OSINT team acts preemptively to the cyber threats our clients face in the digital space. We attack the attack before it happens. We solve the challenge of data and alert overload through our unique delivery of human-curated threat intelligence, investigation, and analysis.
2. Review your incident response plans (IRPs). Fortalice can review existing policies and procedures to identify gaps or assist clients in developing industry best practice cybersecurity documentation.
3. Identify weaknesses in your security environment. Our team can conduct specialized security and resilience assessments for your organization. Through the perspective of an attacker, our Offensive Cyber Operations team can mimic sophisticated cyber and physical threats to test systems and produce action steps so your organization can stay ahead of the bad guys. We will help you better understand and manage the risk to your critical infrastructure by examining infrastructure vulnerabilities, interdependencies, capability gaps, and the consequences of disruption.
4. Take proactive action to protect against threats and attacks. Our industry-certified engineers can assist your organization in implementing and optimizing defensive security tools to protect assets from adversaries.
We value you as customers, and we understand incidents and threats like these can be very unsettling. We are here to help. Fortalice is committed to providing you with the tools and confidence to fortify your interests, protect your organization, and maintain a strategic advantage over your adversaries and our nation’s adversaries. If you have any questions or assistance in implementing necessary threat mitigation steps for your organization, please do not hesitate to reach out to us.
Sector Spotlight: Cyber-Physical Security Consideration for the Electricity Sub-Sector: https://www.cisa.gov/sites/default/files/publications/Sector%20Spotlight%20Cyber-Physical%20Security%20Considerations%20Electricity%20Sub-Sector%20508%20compliant.pdf (CISA and the U.S. Department of Energy)
Cybersecurity and Physical Security Convergence: https://www.cisa.gov/sites/default/files/publications/Cybersecurity%20and%20Physical%20Security%20Convergence_508_01.05.2021_0.pdf (CISA)
Industrial Control Systems – Recommended Best Practices: https://www.cisa.gov/uscert/ics/Recommended-Practices (CISA)
During the course of our investigative work, Fortalice has observed an increasing and alarming trend: personal email compromise is leading to business email compromise. Threat actors will leverage weaknesses regarding executives’ or board members’ personal cybersecurity hygiene to gain access to their business accounts. Extortion also remains a top cybersecurity threat, with organized criminals overseas routinely targeting corporations and the people who support them.
Silicon Valley Bank (SVB) was shuttered early this month and had its deposits seized in the largest U.S. bank failure since the 2008 financial crisis. Although it may seem like SVB’s collapse will only impact its direct customers and depositors, it is far more complicated. Like vultures to roadkill, cyber scammers often wait to exploit and target victims after tragedy strikes, or bad news arises. A perfect storm of stress, uncertainty, and urgency for customers and vendors alike during this time can impair someone’s judgement when they click links and open emails they otherwise would ignore or delete. Fortalice has outlined a few different ways cybercriminals social engineer their victims during times of extreme distress and insecurity.