Phishing Attacks in the Utilities Industry

December 11, 2017 by Randi Sherman


Larger businesses can sometimes hush up phishing attempts, and the general public need never be any the wiser. That is certainly not true for something like public utilities.

It is going to be pretty obvious if the water shuts off all over the city; people stuck in elevators will be highly aware of the fact that there is no electricity, just like the drivers trying to get around in a city without traffic signals. Just imagine the chaos if someone were to shut down sewage treatment plants.

Are criminals and terrorists willing to put thousands of lives at risk? Silly question… Of course they are. It has been said that as early as 1990 airports began hardening their security and redundant systems because of the events depicted in the Bruce Willis movie “Die Hard 2”. That is one of those times when Hollywood did us all a tremendous favor.

Why Phish the Utilities Industry?

In October (2017), North Korean operatives hacked into South Korea’s Korea Hydro and Nuclear Power (KHNP) and leaked highly sensitive documents. They did this not to wrest control of the facility from South Korea, but rather to exaggerate the degree of access that was available to their agents and—most importantly to them—to cause fear.

Obtaining access to records and documents is entirely different from gaining access to the control systems. There’s no evidence that they can penetrate any further. Imagine, however, the level of unease they can create for an entire city fearful that the power might go off at any moment.

Indeed, on September 22nd, 2017, many phishing e-mails bound for U.S. electrical utilities were intercepted from these or other North Korean agents. It doesn’t look like a serious attempt to accomplish anything, but rather reconnaissance to establish the system’s susceptibility.

How Are Utilities Companies Phished?

The power outage experienced in Ukraine in December 2016 was determined to be caused not by some sophisticated zero-day software attack, but by a simple e-mail attachment that encouraged employees to click on it; once opened, the malware spread on its own. This Trojan program, called BlackEnergy, either evaded the security in place, or there was none.

In a recent survey by Tripwire of 150 utility sector customers, it was revealed that 76% of them were not properly prepared to deal with a cyber attack. Among the respondents, 35% said they were capable of accurately tracking all security threats to their system; an additional 35% said that they could not because of the sheer quantity of attacks on a daily basis.

E-mail is the most common vector for a phishing attack, but it can also occur through spoofed interoffice memos, SMS (text messaging), and even phone calls. Attackers gather publicly available information from sources such as news releases, Facebook profiles, LinkedIn profiles, and more.

Reading the fine print will reveal this LinkedIn contact request as a phishing attack, but does everyone on your team read email fine print before clicking through? PhishSim will let you know if they neglect to do so.

A convincing phone call, supposedly from a salesman known to be at a conference in a neighboring city, claiming to need access to a file but who has forgotten the password, or that he requires a cash transfer to pay the hotel bill, is ridiculously effective.

Steps to Prevent Utilities Phishing

  • When you receive texts (SMS) or e-mails with links or attachments that are suspicious in ANY way, don’t open them. Without clicking a link, you can hover your mouse over it to see whether its real address matches what the link text says. If it does not, do not click it. Get in the habit of always checking that a link matches what it says before you click it.
  • Always, always, always have an antivirus program installed and make sure it stays up to date. Turn on the auto-update functionality (all AV programs have this) so that it is equipped with the latest information.
  • If something looks odd, that is just fine. Ask someone about it. It is so much better to ask and find out it is nothing to worry about than to crash your employer’s entire computer system. And guess what? They’ll know it was you, so don’t hesitate to ask.
  • Use offsite backups if possible. If not, back up your data frequently, but make sure you completely detach the backup equipment when it is not in use. A backup that is still attached during an attack will simply be encrypted along with everything else, and is then no backup at all.
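The first step above, checking that a link’s visible text matches where it actually goes, can also be done programmatically over the HTML body of a message. The following is an added example, not code from the article or from InfoSec; the sample e-mail is constructed, the domains in it are placeholders, and the “registered domain equals the last two labels” rule is a deliberate simplification (it does not know about suffixes like co.uk).

```python
"""Flag e-mail links whose visible text points somewhere other than their real target.

Added example (not from the article): the "hover over the link" check from the
prevention list, applied to an HTML message body with only the standard library.
"""
from collections import namedtuple
from html.parser import HTMLParser
from urllib.parse import urlparse

Finding = namedtuple("Finding", "href text reason")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase hostname of a URL or bare domain ('' if there is none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registered_domain(host):
    """Simplified registrable domain: the last two DNS labels (assumption, see lead-in)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_url(text):
    """True if the visible link text itself resembles a URL or domain name."""
    return "://" in text or ("." in text and " " not in text and "@" not in text)


def suspicious_links(html):
    """Return a Finding for each link that would fail the hover check."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        scheme = urlparse(href).scheme.lower()
        target = registered_domain(host_of(href))
        if scheme and scheme not in ("http", "https", "mailto"):
            findings.append(Finding(href, text, "unusual scheme '%s'" % scheme))
        elif looks_like_url(text) and registered_domain(host_of(text)) != target:
            findings.append(Finding(href, text, "text says %s but link goes to %s"
                                    % (registered_domain(host_of(text)), target)))
    return findings


# Constructed sample message: one honest link, one look-alike, one plain-text link.
SAMPLE_EMAIL = """
<p>You have a new connection request.</p>
<a href="https://www.linkedin.com/in/someone">https://www.linkedin.com/in/someone</a>
<a href="http://linkedin-login.example.net/verify">https://www.linkedin.com/verify</a>
<a href="https://example.org/report">Report this message</a>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print("SUSPICIOUS:", f.href, "|", f.text, "|", f.reason)
```

Only the second link is reported: its text claims linkedin.com while the href really leads to example.net. A mail gateway or a user-side reporting add-in can apply the same comparison before a message ever reaches the inbox.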

Education and Training

NERC (North American Electric Reliability Corporation) is a non-profit international regulatory agency which oversees bulk power generation in North America. It is responsible for creating standards, educating, providing training, and then certifying industry professionals. There are about 334 million people in their jurisdiction.

While it is good to have standards, they set a very low bar for compliance. Isolating systems is a good idea, but that can all come crashing down if one employee clicks the wrong link or opens an attachment in a dangerous e-mail.

Phishing criminals know much more than you do about computers. They are skilled at impersonating people you know casually; they can drop in appropriate references that lend them credibility.

Your job as a counter-phisher is to make yourself knowledgeable about recognizing their mistakes so you can identify them and stay safe. That means all employees need to know the same thing, and no one gets a “free pass” because they sound legitimate. Most important of all, when someone communicates sounding “urgent,” that is the tip-off that they are trying to rush you into a rash decision.

InfoSec Institute offers self-paced tutorials via their AwareEd system, tutorials which are available to all InfoSec account holders, including those with free membership plans. The coursework gives a quick overview of phishing to help learners recognize suspicious emails and shows what to do when (not if) a suspect email is received. You may view InfoSec’s tutorials and sign up for a free account here.

Testing and Evaluation

Once subscribed to an InfoSec plan (free or otherwise), you can schedule and send pseudo-phishing attempts to all your employees to see how resistant they are. This automatic process is set-and-forget, and you just review periodic reports.

Alternatively, you can register all your employees for training that must be completed. Simply make them aware that their successful participation will be reflected in their next review.

If you choose the second strategy, you should make them aware that these disguised phishing attempts will continue on a sporadic, unpredictable basis, and that they will be assessed both for identifying and not clicking on any links and, more importantly, for reporting the phishing e-mail to IT to protect the entire network.

In the event of a real phishing attempt, this would protect the entire network. It would allow IT to send a message to every screen on the system, identifying the dangerous e-mail, instructing people not to open it, and providing instructions about what to do if it has already been opened. This gives the IT department time to do a complete system sweep and remove the offending file.


With our PhishSim tools and templates, you can create emails similar to those which may be used by these criminals, then send them to everyone who interacts with your mail system. That helps to determine how they respond to a real threat.

With an extensive collection of existing templates, cloning and then modifying an existing one is probably the quickest and easiest way for a user to start a phish-testing campaign. Whether you create a simulated-phishing e-mail of your own or adapt one of our templates, you can send these testing e-mails directly from PhishSim. The built-in reporting feature also allows you to monitor your campaigns, checking for users who have taken the bait multiple times and for those who have learned from prior mistakes.

Track your campaigns through a variety of parameters, including the number of people who got successfully phished, the number of times you’ve run the campaign, and the number of security-savvy people who reported the suspicious email.

E-mail addresses of those being tested may be directly imported from a list provided to you by your HR department. All of your different campaigns, with different simulated-phishing attempts and various recipient lists, can be managed entirely within PhishSim with our Campaign Manager.
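The metrics described above (how many people were phished per run, how many runs there have been, how many reported the e-mail, who clicks repeatedly, and who has improved) reduce to a few aggregations over a per-recipient result log. This is an added example, not PhishSim’s own code or data model; the event rows are constructed, and the assumption is that each recipient records exactly one outcome per campaign run: clicked, reported, or ignored.

```python
"""Summarise simulated-phishing campaign results.

Added example (not from the article or from PhishSim). Assumes one outcome
per (run, user): "clicked", "reported" or "ignored".
"""
from collections import Counter, defaultdict

# Constructed sample log: (campaign run number, user, outcome).
EVENTS = [
    (1, "alice", "clicked"), (1, "bob", "reported"),
    (1, "carol", "clicked"), (1, "dave", "ignored"),
    (2, "alice", "clicked"), (2, "bob", "reported"),
    (2, "carol", "reported"), (2, "dave", "reported"),
]


def campaign_summary(events):
    """Per run: how many were sent to, how many clicked, how many reported, click rate."""
    per_run = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for run, _user, outcome in events:
        stats = per_run[run]
        stats["sent"] += 1
        if outcome in ("clicked", "reported"):
            stats[outcome] += 1
    for stats in per_run.values():
        stats["click_rate"] = round(stats["clicked"] / stats["sent"], 2)
    return dict(per_run)


def runs_completed(events):
    """Number of distinct campaign runs in the log."""
    return len({run for run, _, _ in events})


def repeat_clickers(events, threshold=2):
    """Users who took the bait in at least `threshold` runs."""
    clicks = Counter(user for _, user, outcome in events if outcome == "clicked")
    return sorted(user for user, n in clicks.items() if n >= threshold)


def improved_users(events):
    """Users who clicked in an earlier run and reported the e-mail in a later one."""
    history = defaultdict(dict)            # user -> {run: outcome}
    for run, user, outcome in events:
        history[user][run] = outcome
    improved = []
    for user, runs in history.items():
        ordered = [runs[r] for r in sorted(runs)]
        first_click = next((i for i, o in enumerate(ordered) if o == "clicked"), None)
        if first_click is not None and "reported" in ordered[first_click + 1:]:
            improved.append(user)
    return sorted(improved)


if __name__ == "__main__":
    for run, stats in sorted(campaign_summary(EVENTS).items()):
        print("run %d: %s" % (run, stats))
    print("runs completed:", runs_completed(EVENTS))
    print("repeat clickers:", repeat_clickers(EVENTS))
    print("improved:", improved_users(EVENTS))
```

On the constructed log the click rate falls from 50% to 25% between runs, alice is the repeat clicker who needs targeted training, and carol is the one who clicked once and then reported the next simulation. Report rate is the number to watch most closely, since reporting is what gives IT the early warning the article describes.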


InfoSec can assist with training your employees, helping them to recognize phishing attempts and other cyber threats. In the last two decades, over 15,000 IT professionals have received our training in a wide range of cybersecurity areas, and our programs have consistently received industry awards and recognition.

InfoSec’s PhishSim tool, tutorials, and advanced training combine to provide IT security specialists with a complete system for combating the ever-present threat of people intent on breaching your security. Remember it takes only a moment to create your free InfoSec account, and just minutes to develop and run a PhishSim test.

To our way of thinking, investing a little time right now is significantly better than investing days trying to get your computer system running again, losing sales, paying off criminals to regain access, and then being required to do damage control and explain to thousands of customers that all of the Personally Identifiable Information (PII) has been released into the wild.

Remember this? “An ounce of prevention is worth a pound of cure.” Such aphorisms exist because they are true. To get started, click here to create and run your first PhishSim test.

Randi Sherman

Randi is one half of The Social Calling, a writing duo with over 20 years of expertise in IT/Tech, Science, Health and more. They can be reached at