Ransomware is a growing threat for utilities, as most recently evidenced by the May attack on Colonial Pipeline, and cybersecurity has been cited as a top ESG concern, according to the RBC Global Asset Management Responsible Investment Survey.
Whether or not to pay large sums of money to attackers is hotly debated. In Colonial’s case, the company ultimately made the decision to pay about $5 million in ransom - out of concern that a prolonged pipeline outage would cause energy shortages - though federal investigators were able to recover more than half of that. Colonial worked closely with government agencies, law enforcement officials, and several consultants, including Dragos, Mandiant Threat Intelligence and Black Hills Information Security, to determine its strategy for addressing the attack.
Irrespective of the payment decision - each situation is unique - there are clear lessons to be learned from ransomware attacks. Accordingly, the Edison Electric Institute (EEI), which represents U.S. investor-owned electric utilities, has worked with the Electricity Subsector Coordinating Council (ESCC) to develop guidance, including issues to consider before making a payment.
The ESCC’s recommended preparedness measures are consistent with the NIST Cybersecurity Framework Core, which is organized into five concurrent and continuous functions: Identify, Protect, Detect, Respond, and Recover.
Additionally, the ESCC guidance suggests the following before making a ransom payment: