U.S. Cyberattack Bleeds Into Utility Space With Billing Delays

A cyberattack that hobbled the operations of at least four natural gas pipeline companies starting late last week also triggered changes within the utility industry.

Duke Energy Corp., the second largest U.S. utility by market capitalization, said it first learned about the attack on March 30. Duke became concerned because it shares consumer data with dozens of third-party electricity and gas providers in Ohio through an electronic system run by Energy Services Group LLC, the data firm that was hacked.

Fearing the information could be compromised, Charlotte, North Carolina-based Duke abandoned the Energy Services system, Catherine Butler, a Duke spokeswoman, said in an email. As a result, some Ohio customers may see a delay in getting their monthly energy bills or receive partial bills, she said.

Energy Services, meanwhile, said on Wednesday that its systems are back up. “We are now completing testing and system validation to bring all customers back into safe and secure operation,” working with a leading cyber forensic firm, Carla Roddy, ESG’s marketing director, said in an email.

At least five U.S. pipeline companies have said their electronic communications systems were shut down over the past few days, with four confirming the service disruptions were caused by a cyberattack. Energy Transfer Partners LP, Boardwalk Pipeline Partners LP, Chesapeake Utilities Corp.’s Eastern Shore Natural Gas and the TransCanada Corp.-operated Portland Natural Gas Transmission System were among the companies affected by data outages, while Oneok Inc. said it disabled its system as a precaution.

ESG’s electronic systems help pipeline operators speed up tracking and scheduling of gas flows. The company also supplies electricity prices and demand models that retail power providers depend on to bill homes and businesses, and determine how much supply to secure for customers in wholesale markets, said Michael Harris, chief executive officer of Unified Energy Services LLC, a Houston-based consulting firm.

ESG’s platforms are used “all over the country” for power transactions, Harris said. “Nobody who is using the pricing platform has been able to use it to price since last Thursday. There are going to be estimated bills going out for some of the largest companies.”

Absent the demand models from Energy Services, retail power providers could also come up short (or long) on power supplies for their customers and may resort to buying and selling in spot markets to re-balance. That could lead to big swings in wholesale prices if Energy Services’s system remains down for weeks, Harris said.

Natural gas systems and power grids have been increasingly going electronic as aging infrastructure is updated. Hackers are developing a penchant for attacks on energy infrastructure because of the impact the sector has on peoples’ lives, said Scott Coleman, director of marketing and product management at Owl Cyber Defense, which works with oil and gas producers.

If a hacker shuts down an electric substation, 20,000 people can be affected, he said.

Duke wasn’t alone among utilities in feeling the effects. The Maine Public Utilities Commission was notified of an issue “that may be cyber” involving customers of a third-party supplier, spokesman Harry Lanphear said in a phone interview Wednesday. In the Midwest, Vectren Corp., confirmed an unspecified issue with its Ohio gas utility’s interface with Energy Services Group but said no personal customer data was lost and customer services weren’t affected.

Data Exchange

Utility owner NiSource Inc. temporarily suspended its data exchange with two pipeline suppliers affected by the cyber attack, spokesman Ken Stammen said in an email Wednesday. NiSource operations weren’t affected, he said.

Texas electricity retailers “have been providing manual work-arounds while they await ESG’s return to service,” said Andrew Barlow, a spokesman for the state’s Public Utility Commission. One of those companies, American Electric Power Co., said it’s no longer accepting customer billing data from ESG.

But beyond the communication system, the attack doesn’t seem to have affected the grid. Grip operator PJM Interconnection LLC has seen “no evidence” of problems and had experienced no impact as of Wednesday afternoon, spokeswoman Susan Buehler said by phone.

Federal Concern

“While we continue to learn more about the cyber incidents affecting pipeline business systems including those at Energy Transfer Partners, it should be abundantly clear by now that every business faces cybersecurity risk,” said Representative James Langevin, co-Chairman of the bipartisan Congressional Cybersecurity Caucus.

“The federal government must continue to improve visibility into critical infrastructure information system dependencies to fully understand the potential risks to the nation,” the Rhode Island Democrat said in an emailed statement.

So far, there’s no “direct evidence” that the attackers sought ransom, said Steve Grobman, chief technology officer at cybersecurity company McAfee Security LLC. It’s also still unknown whether the attack came from a state-sponsored group, a criminal gang or some combination thereof, he said.

ESG may not even have been the target, said Grobman, who declined to say whether McAfee had been engaged to help counter the attack. Instead, the attackers’ ultimate goal may have been to find ways to breach ESG’s clients.

“The level of robustness in the security systems of oil and gas companies makes them difficult targets,” Grobman said in an interview on Wednesday. “Going after softer targets such as electronic communications companies is much easier to execute.”