Cyberattack bleeds into utility space
A cyberattack that hobbled the operations of at least four natural gas pipeline companies starting late last week also triggered changes within the utility industry.
Duke Energy Corp., the second largest U.S. utility by market capitalization, said it first learned about the attack on March 30. Duke became concerned because it shares consumer data with dozens of third-party electricity and gas providers in Ohio through an electronic system run by Energy Services Group, the data firm that was hacked.
Fearing the information could be compromised, Charlotte, North Carolina-based Duke abandoned the Energy Services system, Catherine Butler, a Duke spokeswoman, said in an email. As a result, some Ohio customers may see a delay in getting their monthly energy bills or may receive partial bills, she said.
Energy Services, meanwhile, said Wednesday that its systems were back up. "We are now completing testing and system validation to bring all customers back into safe and secure operation," working with a leading cyber forensic firm, Carla Roddy, ESG's marketing director, said in an email.
At least five U.S. pipeline companies have said their electronic communications systems were shut down over the past few days, with four confirming the service disruptions were caused by a cyberattack. Energy Transfer Partners, Boardwalk Pipeline Partners, Chesapeake Utilities Corp.'s Eastern Shore Natural Gas and the TransCanada Corp.operated Portland Natural Gas Transmission System were among the companies affected by data outages, while ONEOK Inc. said it disabled its system as a precaution.
ESG's electronic systems help pipeline operators speed up tracking and scheduling of gas flows. The company also supplies electricity prices and demand models that retail power providers depend on to bill homes and businesses, and determine how much supply to secure for customers in wholesale markets, said Michael Harris, chief executive officer of Unified Energy Services, a Houston-based consulting firm.
ESG's platforms are used "all over the country" for power transactions, Harris said. "Nobody who is using the pricing platform has been able to use it to price since last Thursday. There are going to be estimated bills going out for some of the largest companies."
Absent the demand models from Energy Services, retail power providers could also come up short (or long) on power supplies for their customers and may resort to buying and selling in spot markets to rebalance. That could lead to big swings in wholesale prices if Energy Services' system remains down for weeks, Harris said.
Direct Energy Inc., which distributes electricity, also uses Energy Services and the attack could impact customer billing, James Steffes, executive vice president of corporate affairs, said in an interview in Houston. This cyberattack will not be the last, he said.
"As we've become more digital, we're going to see more and more threats," Steffes said. "Bad people trying to do bad things" will continue to pose a threat to web-based services. "We'll never be able to take our eyes off this ball because it's just the nature of a digital environment."
Natural gas systems and power grids have been increasingly going electronic as aging infrastructure is updated. Hackers are developing a penchant for attacks on energy infrastructure because of the impact the sector has on peoples' lives, said Scott Coleman, director of marketing and product management at Owl Cyber Defense, which works with oil and gas producers.
If a hacker shuts down an electric substation, 20,000 people can be affected, he said.
Duke and Direct Energy weren't alone among utilities in feeling the effects. The Maine Public Utilities Commission was notified of an issue "that may be cyber" involving customers of a third-party supplier, spokesman Harry Lanphear said in a phone interview Wednesday. In the Midwest, Vectren Corp., confirmed an unspecified issue with its Ohio gas utility's interface with Energy Services Group but said no personal customer data was lost and customer services weren't affected.
Utility owner NiSource Inc. temporarily suspended its data exchange with two pipeline suppliers affected by the cyber attack, spokesman Ken Stammen said in an email Wednesday. NiSource operations weren't affected, he said.
Texas electricity retailers "have been providing manual workarounds while they await ESG's return to service," said Andrew Barlow, a spokesman for the state's Public Utility Commission. One of those companies, American Electric Power Co., said it's no longer accepting customer billing data from ESG.