
Protecting Utilities using LogRhythm SIEM

  • Jul 28, 2021
  • Leonardo Hutabarat
  • 6 minutes to read


    Across the globe, economies and business infrastructures are heavily supported by modern electricity utility companies. These companies touch and power our lives on a daily basis. Their ubiquity, the vast amount of sensitive data they store, and our deep dependence on them make them major targets for cyberattacks.

    How Ransomware Impacts Electric Utility Cybersecurity

    Ransomware attacks have cost electricity companies in dollars, downtime, and reputational damage. The Lansing Board of Water & Light (BWL) was targeted with a sophisticated attack, costing them $2 million. That same year, a major electricity supply provider in Johannesburg was attacked, resulting in localized blackouts for a sustained period of time. Both of these incidents demonstrate the importance of providing stringent cyber protection to critical infrastructure facilities, such as electricity power systems. These two examples are only a small sample; other incidents can severely damage physical electrical equipment and gravely endanger human life.

    Ransomware-as-a-service (RaaS) has also grown, given how ransomware has proven to be a highly lucrative business. RaaS is a business model in which ransomware developers lease ransomware variants, allowing malicious actors to quickly launch ransomware campaigns without needing much skill or time to develop their own.

    Three Electricity Utility Cybersecurity Use Cases

    The big question, then, is how electricity utility organizations can effectively manage today’s risks while speeding up detection and response to modern threats. Let’s dive into practical use cases specific to electricity utility organizations, based on recent real-world attacks, and see how LogRhythm SIEM can help you bolster your defenses against ransomware attacks.

    1. Detect Physical Access Control Violation

    Critical infrastructure providers such as electricity suppliers deliver essential services for communities across the world. Electricity generators and providers must make sure reliable services are supplied on a 24×7 basis, making physical access control one of the most important access controls for this sector. It is critical to authorize only the personnel who require physical access to electrical equipment, and to permit only the activities those authorized personnel are approved to perform. Continuous review of physical access logs for all personnel and their activities is also a must for electricity utility providers.

    The Challenge

    Security threats don’t originate exclusively from cyberthreat actors; some of the most impactful threats actually originate from social engineering. A simple gesture such as holding the door for someone without verifying their identity can result in an attack of similar or even greater scale than one launched purely over the network. It is important to provide security awareness training for every employee to ensure they are aware of, and able to detect, a threat actor attempting a social engineering attack. Combining awareness training on physical attacks with cybersecurity training can significantly reduce the chance of an attack succeeding through the human element.

    The Solution

    LogRhythm SIEM augments controls on physical access by monitoring for any access provisioning activity within the environment. Further, authentication and access activities at both physical and electronic access points are monitored. Privileged accounts and groups, whether default or defined by the organization, are also monitored for access provisioning, authentication, and access activity because of their impact within the environment. The SIEM’s module content provides reports, alerts, and investigations that support the organization’s periodic access review process. LogRhythm SIEM both augments and directly addresses control objectives within physical access control by alerting and reporting on access deprovisioning due to reassignment, transfer, or termination. This lets the organization measure policy adherence for timely modification or removal of access.

    LogRhythm SIEM uses AI Engine (AIE) use cases to detect physical access control violations, such as someone breaking the security glass on a physical barrier. When this happens, AIE triggers an alarm with a Risk Based Priority (RBP) derived from the risk value assigned to that type of incident.

    With its Drill Down Alarm feature, LogRhythm SIEM presents the event from several security perspectives, telling the security team who broke the glass and adding contextual information that enriches their understanding of the incident.
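    To make the two checks above concrete, here is an added example (not LogRhythm AI Engine content) that scans constructed badge-reader lines for a break-glass event and for badge use by someone whose access should already have been revoked, assigning each alarm a risk-based priority. Door names, user names, the HR feed and the risk values are all assumptions made for the illustration.

```python
"""Constructed example: physical access control monitoring.

Two checks drawn from the use case above:
  1. a forced-door / break-glass event raises an alarm with a risk-based
     priority taken from a per-event-type risk table;
  2. any badge use by a person whose HR record shows a termination date in the
     past means access was not deprovisioned in time.
Log lines, names and risk values are constructed for illustration.
"""
from datetime import date, datetime
from typing import Dict, List

# Constructed badge-reader events: timestamp, door, badge holder, event type.
BADGE_LOG = [
    "2021-07-20T08:01:12 door=substation-7 user=jdoe event=GRANTED",
    "2021-07-20T08:03:45 door=substation-7 user=asmith event=DENIED",
    "2021-07-20T22:14:09 door=control-room user=unknown event=BREAK_GLASS",
    "2021-07-21T07:55:30 door=substation-7 user=asmith event=GRANTED",
]

# Constructed HR feed: the day each person's access should have been revoked.
TERMINATIONS: Dict[str, date] = {"asmith": date(2021, 7, 19)}

# Risk-based priority per event type (0-100, constructed values).
RISK: Dict[str, int] = {"GRANTED": 10, "DENIED": 40, "BREAK_GLASS": 95}

def parse(line: str) -> Dict[str, str]:
    """Turn 'ts k=v k=v ...' into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec

def alarms(lines: List[str], terminations: Dict[str, date]) -> List[dict]:
    """Return one alarm per violation, highest risk-based priority first."""
    out = []
    for rec in map(parse, lines):
        when = datetime.fromisoformat(rec["ts"]).date()
        if rec["event"] == "BREAK_GLASS":
            out.append({"rule": "physical_barrier_breached", "rbp": RISK["BREAK_GLASS"],
                        "door": rec["door"], "ts": rec["ts"]})
        term = terminations.get(rec["user"])
        if term is not None and when > term:
            # Any badge use after the termination date, granted or denied,
            # shows the badge was not deactivated when the person left.
            out.append({"rule": "access_not_deprovisioned", "rbp": max(RISK[rec["event"]], 80),
                        "user": rec["user"], "door": rec["door"], "ts": rec["ts"]})
    return sorted(out, key=lambda a: a["rbp"], reverse=True)
```

    A denied swipe by a terminated user is still reported, since the point of the check is that the badge should no longer exist, not whether the door opened.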

    2. NERC-CIP Compliance Monitoring and Assurance

    The North American Electric Reliability Corporation (NERC) is a nonprofit corporation dedicated to ensuring that “the bulk electric system in North America is reliable, adequate and secure.” As a federally designated Electric Reliability Organization (ERO), NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, which are engineered to ensure the protection of cyber assets critical to the reliability of North America’s bulk electric systems.

    Due to its popularity and acceptance, NERC-CIP is not only followed by North America’s energy sector but has also been adopted as best practice by energy companies worldwide. CIP guides organizations to implement and perform procedures that effectively capture, monitor, retain, and review log data. This can be challenging because IT environments consist of heterogeneous devices, systems, and applications reporting log data, and because millions of log entries can be generated daily, if not hourly.

    LogRhythm SIEM’s NERC-CIP compliance automation modules help companies meet these challenges. Further, to support companies transitioning from NERC-CIP V3 to NERC-CIP V5, we offer compliance automation modules for both regimes. The new V5 module leverages an entity-based structure to integrate “impact categorization” scoring into the logging, reporting, and real-time analytics and alarming capabilities of LogRhythm SIEM. Customers use this information to identify when activities of interest occur to high-, medium-, and low-impact Bulk Electric Systems (BES) cyber systems.

    The Challenge

    Compliance and best practices take time and resources to deploy and maintain. Compliance in particular can be either a hurdle or an enabler for the business, depending on how it is approached.

    The Solution

    LogRhythm SIEM provides a NERC-CIP compliance module out of the box, helping energy companies implement, monitor, and continuously manage NERC-CIP compliance. The NERC-CIP module helps ensure that bulk electric systems operate within the requirements of applicable policies, legislation, and regulations. It also complements other security countermeasures, providing a complete “defense in depth” approach and facilitating automated responses to threats targeting bulk electric systems.

    Follow Industry Security Best Practices

    Compliance and best practices are key driving factors for security teams to roll out security information and event management (SIEM) as the heart of their security operations center (SOC).

    Regulatory compliance is a necessary, but often complicated and expensive, component of modern business. LogRhythm SIEM enables you to address cybersecurity regulations by providing preconfigured compliance automation modules that adhere to many common regulations and frameworks.

    3. Detect Ransomware

    Ransomware has surged in magnitude and frequency and is proving to be costly. The Lansing Board of Water & Light (BWL), the provider of electricity and water to the residents of the cities of Lansing and East Lansing, Michigan, fell victim to a ransomware attack. This cost them $2 million for technical support and equipment to upgrade their security. During the incident, the city-owned utility was forced to shut down its accounting and email systems after an employee unknowingly opened an email with an infected attachment.

    In the same year, a major electricity supplier in Johannesburg, City Power, was hit by a ransomware attack. The company found all of its databases, applications, and network encrypted. The attack also kept City Power’s website offline, affected customers’ ability to buy prepaid electricity, and hampered the firm’s efforts to respond to localized blackouts.

    The Challenge

    Ransomware attacks have multiple entry points: an administrator using a default password, a phishing email, or an unpatched system with known vulnerabilities. Ransomware is harder for electricity utility organizations to detect than data theft because it encrypts data in place rather than moving it out of the environment, so there is no outbound transfer to spot. Electricity utility organizations often only realize that ransomware has struck when they encounter the ransom email and find their systems encrypted.

    The Solution

    LogRhythm SIEM enables the detection of ransomware attacks through a combination of AI Engine rules and a File Integrity Monitoring (FIM) solution. Most ransomware attacks have the goal of encrypting files, so extensive file access from a new process is one indication of anomalous behavior.

    Combining extensive file access with other behavior, such as the creation of an auto-run registry key by the same process, helps confirm whether the activity is indeed ransomware. AI Engine’s Risk-Based Prioritization builds trends and exposes statistical anomalies based on the risk level associated with specific network activity. By providing visibility into these behaviors and enabling teams to understand them, LogRhythm SIEM empowers security teams to detect ransomware and classify potential ransomware behavior.

    LogRhythm SIEM’s AI Engine enables security teams to detect high-risk ransomware behavior and identify anomalous behavior as early as possible, even if signature-based detection fails to detect ransomware. This provides multiple layers of detection.
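    The correlation described in the two paragraphs above, as an added example that is not LogRhythm AI Engine rule content: constructed endpoint events are scored for a burst of file modifications from a process outside the known baseline, and the verdict is raised when that same process also writes an auto-run registry value. The process names, file paths, baseline and the 20-files-in-60-seconds threshold are assumptions chosen for the illustration.

```python
"""Constructed example: scoring ransomware-like behaviour from host logs.
Two signals from the text above: a burst of file writes from a process outside
the known baseline (the File Integrity Monitoring signal) and an auto-run
registry value written by that same process. Burst alone -> 'suspicious';
burst plus auto-run -> 'ransomware-like'. All data here is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

FILE_BURST = 20                  # distinct files touched within WINDOW
WINDOW = timedelta(seconds=60)
AUTORUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
KNOWN_PROCS = {"winword.exe", "explorer.exe", "outlook.exe"}   # constructed baseline

def _ts(i: int) -> str:
    return (datetime(2021, 7, 20, 10, 0, 0) + timedelta(seconds=i)).isoformat()

# Constructed endpoint events: two benign edits, then an unknown process
# rewriting 25 files in 25 seconds and registering itself under the Run key.
EVENTS: List[Dict[str, str]] = [
    {"ts": _ts(0), "type": "file_modify", "proc": "winword.exe", "path": "C:\\Users\\a\\report.docx"},
    {"ts": _ts(1), "type": "file_modify", "proc": "winword.exe", "path": "C:\\Users\\a\\report.docx"},
] + [
    {"ts": _ts(10 + i), "type": "file_modify", "proc": "updater.exe", "path": f"C:\\Users\\a\\doc{i}.xlsx"}
    for i in range(25)
] + [
    {"ts": _ts(40), "type": "reg_write", "proc": "updater.exe", "path": AUTORUN_KEY + "\\updater"},
]

def classify(events: List[Dict[str, str]], known=KNOWN_PROCS) -> Dict[str, str]:
    """Return {process: verdict} for baseline-unknown processes showing a burst."""
    touched = defaultdict(list)          # proc -> [(time, path)]
    autorun = set()                      # procs that wrote an auto-run value
    for e in events:
        if e["proc"] in known:
            continue
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "file_modify":
            touched[e["proc"]].append((t, e["path"]))
        elif e["type"] == "reg_write" and e["path"].startswith(AUTORUN_KEY):
            autorun.add(e["proc"])
    verdicts = {}
    for proc, writes in touched.items():
        writes.sort()
        # sliding window: distinct paths within WINDOW of each write
        burst = any(len({p for t, p in writes[i:] if t - t0 <= WINDOW}) >= FILE_BURST
                    for i, (t0, _) in enumerate(writes))
        if burst:
            verdicts[proc] = "ransomware-like" if proc in autorun else "suspicious"
    return verdicts
```

    Dropping the final registry event from the constructed feed demotes the verdict to "suspicious", which is the single-signal case the text warns is not yet confirmation.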

    To mitigate the ransomware threat, the SIEM’s SmartResponse™ capability enables automated incident response. SmartResponse improves time to response (TTR) by providing automation that can integrate with other solutions. Analysts can execute fully automated remediation actions such as quarantining or isolating an infected host. In semi-automated, approval-based response actions, designated users (e.g., senior incident analysts) review actions before they are executed. Teams can decide which actions to automate so they can focus on more complex incident response tasks that require more thought and creativity.

    Address Your Cybersecurity Use Cases

    As the energy sector continues to modernize, addressing cybersecurity use cases in electric utilities has never been more critical. With increased connectivity, the rise of smart grids, and the growing reliance on digital infrastructure, the potential risks are too significant to ignore. Proactive measures that focus on threat detection, network protection, and incident response can mitigate vulnerabilities and safeguard both operations and public safety.

    By investing in advanced cybersecurity solutions today, electric utilities can not only prevent costly disruptions but also build a resilient future for the energy ecosystem. To discover how Exabeam can help your team quickly detect and mitigate electricity-specific use cases, schedule a demo.

    Leonardo Hutabarat


    Leonardo Hutabarat is Director Sales Engineering, APJ at Exabeam. He works with customers and partners to increase their cybersecurity posture. He has over 20 years of experience in the cybersecurity field. Leonardo received a Bachelor's degree in Electrical Engineering and an MBA. He also holds the CISSP, CISM, CISA, CRISC, and GSEC certifications and 50+ other cybersecurity certifications. Leonardo is a seasoned public speaker at cybersecurity events such as Gartner, GovWare, Cyber DSA, and ISC2. Leonardo contributes to the community as a SANS mentor and lecturer at local universities. He enjoys sharing his expertise with journalists and media outlets such as CNN, Channel News Asia, AsiaOne, The Business Times, and The Straits Times on recent cyberattacks and related topics.
