Monday, October 23, 2017


Last week I attended and spoke at the North American Electric Reliability Corporation (NERC) GRIDSECCON – electric grid security conference in St. Paul, Minnesota.  The meeting was very well attended with around 500 attendees from around the US, Canada, and even Japan.  My compliments to the organizers!  It was a terrific meeting and worth everyone’s time.

I’d like to raise three key points that surfaced during the meeting and go into more detail on one of them.

  1. There were several presentations regarding the risks to critical infrastructure by commercially available drones.  This was a bit of a surprise to many attendees since the drone threat has not really be recognized as one.
  2.   A major threat to electric utilities is the challenges of INSIDER THREAT.  This is an issue that makes one wonder “why would anyone want to attack my company from the inside?”  Well, the NERC Electricity-Information Sharing and Analysis Center (E-ISAC) team mentioned this risk repeatedly.  So, take some time to be sure you are paying attention to the inside of your company for both physical and cyber-attacks and disruptions.
  3.   The third threat of mention is of the “bad guys” trying to harvest credentials that can be used against the company.  This is where I’d like to spend a few extra lines of text.

Right now, the current and potential attackers are trying to harvest and collect credentials used for cyber access into a utility/energy company.  These credentials can make the attacker’s life much easier and using ill-gotten credentials has been demonstrated in such notorious attacks as in the Ukraine. 

The attackers try to harvest credentials via the “normal” means such as using PHISHING attacks on email.  But the attackers are also surveying and monitoring social media for a user’s credentials and password access answers. 

For example, if I know a person works at Utility X, then I can monitor their social networking – including non-work-related posts – for such things as the names of their kids, pets, mother’s maiden name, etc.  All good information to use when you are trying to reset a password.  Also, by monitoring their social networking I may be able to glean information about upcoming utility operations such as a planned outage that keeps Dad or Mom away from their kid’s soccer game. 

Useful information for the attacker.

One particular issue that is really disconcerting is how individuals use the same username and password for their social networks and personal email as they use for work.  THIS IS REALLY DANGEROUS AND SHOULD NOT BE DONE!  If I can hack into your social network and determine your username and password, that allows me to “pivot” to the utility username and log in and enter the utility network.

Such a practice should not be condoned by any organization and, in fact, should be an Employee Awareness posting at least every six months.


NERC GRIDSECCON was a useful meeting and I look forward to next year’s event – somewhere in the Western Electric Coordinating Council (WECC) territory.  This meeting raised some very key points of concern and as you’ve seen above the utility and critical infrastructure management needs to pay attention to Drones, the Insider Threat, and Credential Harvesting.

Thanks for reading!