Grid regulator warns utilities of risk of SolarWinds backdoor, asks how exposed they are

The hunt for information related to the suspected Russian hacking operation is very much ongoing in the private sector, too.

The North American electric grid regulator has asked utilities to report how exposed they are to SolarWinds software that is at the center of a suspected Russian hacking operation, and the regulator advised utilities that the vulnerability “poses a potential threat” to parts of the power sector.

The North American Electric Reliability Corp. (NERC), a not-for-profit regulatory authority backed by the U.S. and Canadian governments, said in a Dec. 22 advisory to electric utilities that there was no evidence indicating that the malicious tampering of SolarWinds software had impacted power systems. But the fact that software made by Texas-based firm SolarWinds is used in the electric sector has made vigilance important, according to NERC.

“At this time, NERC is not aware of any known impacts to bulk power system (BPS) reliability or system outages related to the SolarWinds compromise,” reads the advisory, which CyberScoop obtained. “However, the presence of SolarWinds Orion Products in the enterprise networks of registered entities exposes them to the vulnerability and exploitation by the [advanced persistent threat] actor and poses a potential threat to BPS reliability.”

Senior U.S. officials, including Secretary of State Mike Pompeo, have said they suspect Russia is behind the software supply-chain compromise, which has led to the breach of multiple federal agencies and some private firms. Russia has denied involvement.


Russia-linked hacking groups have a history of disruptive operations against industrial organizations, in Ukraine for example. However, it is unclear which particular group is responsible for the SolarWinds operation, or what their ultimate intent is. One suspect in the SolarWinds operation — a hacking group known as Cozy Bear or APT29 — was not involved in the alleged Russian hacking activity that cut power in Ukraine in 2015 and 2016.

The NERC advisory follows a Dec. 14 briefing held between multiple U.S. electric utilities and federal officials that began to explore the extent to which the sector might be affected by the SolarWinds breach.

That will be a process, according to experts. SolarWinds software is widely used by industrial organizations — from manufacturing to electricity to oil and gas — for network monitoring. Some of those organizations may not have even been aware they were running the software, experts have told CyberScoop.

The concern among some industrial security analysts is that the access enabled by the SolarWinds backdoor opens up the possibility of it being used to disrupt the “operational technology” [OT] networks that include sensitive software that interacts with machinery.

“Supply chain compromises, like SolarWinds, provide illicit and malicious access to OT environments facilitating possible disruption,” said Sergio Caltagirone, vice president of threat intelligence at Dragos, a Maryland-based firm.


NERC has asked the utilities and other power companies under its jurisdiction to answer a series of questions on their susceptibility to the SolarWinds hacking campaign by Jan. 5. Those questions include whether the utilities have vulnerable SolarWinds products installed not only on their corporate IT networks but also in their OT networks. The regulator also requested forensic data from utilities, if they have it — malicious “indicators of compromise,” internet domains or IP addresses used by the attackers.

NERC regularly collects information from utilities in response to cyberthreats. But this particular questionnaire exemplifies how the hunt for information related to the suspected Russian hacking operation is very much ongoing in the private sector, as it is in government.

In a statement to CyberScoop, NERC said it, along with the E-ISAC, the electricity industry’s threat-sharing hub, “continue to monitor the recent supply chain compromises by advanced persistent threat actors” and their potential impact on the industry.

“We are working closely with the Electricity Subsector Coordinating Council, the Department of Energy, the Department of Homeland Security, the Federal Energy Regulatory Commission, our Canadian partners and others, and will continue to collaborate and stay on the forefront of this event,” NERC said. “The quick response and level of engagement highlights the strong public-private partnerships, which are vital to safeguard the North American bulk power system.”

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
