Elexon, an organisation that is central to the balancing and settlement of the UK electricity market, has been hit by a cyber attack that has knocked out its internal emails, the second such worrying incident for Europe’s power market in eight weeks, as malware creeps closer to critical national infrastructure.
The incident, reported on Thursday afternoon, crippled its email server in an attack that bears the hallmark of ransomware. Elexon says its “central systems” were unaffected and that it has identified the “root cause”. Its 100+ London staff are unable to send or receive emails from official addresses.
The company was reported as recently as March to have been running an unpatched Pulse Secure VPN server, according to scans by Bad Packets. This is currently among the juiciest of targets for cyber criminals.
As US government agencies warned yesterday, “Malicious cyber actors are increasingly targeting unpatched Virtual Private Network vulnerabilities (including) an arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781 [and] an arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510.”
We’re aware of a cyber attack on ELEXON’s internal IT systems. We’re investigating any potential impact on our own IT networks. Electricity supply is not affected. We have robust cybersecurity measures across our IT and operational infrastructure to protect against cyber threats. https://t.co/7R2NeIB57l
— National Grid ESO (@ng_eso) May 14, 2020
Elexon runs the UK’s balancing and settlement code (BSC).
It also compares “how much electricity generators and suppliers say they will produce or consume with actual volumes. We then work out a price for the difference and transfer funds. This involves taking 1.25 million meter readings every day and handling £1.5 billion of our customers’ funds each year.”
The incident comes just two months after the organisation responsible for overseeing the operations of Europe’s high voltage power infrastructure was also hit by a malware campaign. ENTSO-E, formed in 2008, represents 42 Transmission System Operators (TSOs) across 35 member states.
The organisation said tersely on March 9 that it had “recently found evidence of a successful cyber intrusion into its office network.”
Neither Elexon nor ENTSO-E has publicly published further details of the intrusion, initial vector, or malware type. While successful network segmentation appears to have minimised the impact, market observers will be concerned at ransomware attacks creeping ever closer to CNI.
See also: Ransomware is Encrypting Backups Too, Warns NCSC — From Cloud, to USB