CEO’s Report: Prepare your utility for cybersecurity threats

January 9, 2024

It recently came to our attention emails were generated to a customer using a spoofed email address, designed to look like it was coming from a staff member at Heartland Energy.

This is not the first time a Heartland customers has been a victim of a cybercrime. However, it is the first time, that we know of, that the hackers used Heartland to try to get to a customer.

While we believe this was an isolated incident, it once again reminds us of the importance of both cybersecurity assessments and training at your utility.


IT is not cybersecurity

Having a solid information technology company overseeing your system is of utmost importance. However, IT and cybersecurity are not the same thing. Cybersecurity professionals will test your system and help determine the best options to secure your network.

We often hear that cities or utilities don’t think they need cybersecurity because they don’t have anything to steal.

In many cases, hackers aren’t looking for specific information to steal. They are most likely looking to trick you into giving them information or holding your valuable material ransom.

In this recent case, an email was sent looking like it came from a Heartland employee saying our banking information had changed. The goal was for the recipient to click the link and submit payment.

Several years ago, another Heartland customer had their system held ransom when they mistakenly clicked on a false link.

One click gave the hackers access to their system, essentially locking them out from all their work until they paid a ransom. Luckily, their IT company had most of the system backed up, but took an extended time to restore everything.

In both these cases, the hacker was looking to gain access to make a profit. They aren’t looking to necessarily steal information, but rather gain access to something.


Partnership extends services

Through a partnership with the Attorney General’s office, Dakota State University provides free cybersecurity assessments to all cities and counties in South Dakota through Project Boundary Fence.

If you have not had an assessment done, we recommend signing up ASAP. Their goal is to help secure networks from cyber attacks through external penetration testing on outward facing technology infrastructure.

To ensure our entire customers base is covered, Heartland Energy partnered with Dakota State University to provide cybersecurity assessments to customers outside of South Dakota, also free of charge.

They provided their first round of assessments this past summer with plans to continue for at least two more years.

You will get a team of cybersecurity professionals dedicated to assisting your utility secure your technology infrastructure. They use applied security research and diverse tactics and techniques using validated and ethical tools to provide comprehensive security assessments.

This service is of utmost importance. However, it also requires some work on your part to implement recommendations and ensure the risks presented are properly addressed.

Dr. Arica Kulm with Dakota State University discussed Project Boundary Fence at Heartland Energy’s 2023 Annual Meeting.

Federal funding available

Up to $70 million in federal funding is available to support not-for-profit entities and municipal/public power utilities in securing their cybersecurity posture.

Three different topic areas will be funded through the U.S. Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response (CESER). Funding is made available through the Bipartisan Infrastructure Law.

Pre-applications must be submitted by January 10 to be considered for funding. The American Public Power Association is applying under the second topic area which includes strengthening the peer-to-peer and not-for-profit technical assistance ecosystem.

This area supports investments that strengthen the community of utilities that are currently providing cybersecurity support to eligible municipal utilities and meet the legislative intent to enhance the security posture of electric utilities.

APPA released a survey soliciting members interested in submitting projects under this topic. Heartland completed the survey and will be included in APPA’s submission. We will keep you posted on any developments in this area.

Fitch: Public power utilities need to continue to increase investments in cybersecurity

Fitch Ratings released information in late October saying utilities need to continue to prioritize investments in cybersecurity in order to address heightened risks.

“Robust cyber resiliency and risk management helps support current ratings,” they said.

While they noted that the power utility sector continues to remain well positioned to withstand attacks on digital and network infrastructure, “the risk landscape for the sector is rapidly growing due in part to the use of artificial intelligence by threat actors.”

The growing dependence on IT assets for grid operations and smart meters also increases accessibility.

Public power utilities have reported increased screening efforts, targeted staffing and training, system upgrades and improved restrictions on vendor access, Fitch noted.

However, as the technology landscape continues to evolve, it is of paramount importance for utilities to protect themselves.

Heartland Energy will continue to offer resources to customers to help improve their cybersecurity posture. However, utilities must continue to evaluate the controls they have in place and train employees on best practices. We will continue to assist in any way possible to protect your utility and your customers.