Cyber attack against UK power grid middleman Elexon sparks in-house IT recovery efforts

An important middleman in the UK's electrical power grid has suffered a cyber attack, though the lights are still on across good old Blighty. Elexon, which reconciles electricity supply to the National Grid and issues bills for undersupply or oversupply, was struck by what appears to be a partially contained ransomware attack …

  1. Mike Shepherd
    Meh

    Hubris

    Electricity supply is not affected. We have robust cybersecurity measures across our IT and operational infrastructure to protect against cyber threats.

    Let's file that with "No foreign bombs will fall on Germany".

    1. John Brown (no body) Silver badge

      Re: Hubris

      Or, more recently, "There are no American aircraft over Baghdad"

      (Or words to that effect as said by the Iraqi military spokesman with the clear sound of explosions in the background)

    2. Richard 12 Silver badge
      Boffin

      Re: Hubris

      This organisation has nothing to do with actual generation, distribution or supply.

      They only do billing.

      Absolute worst-case scenario is that the generation companies have to suffer a week of estimated bills.

      1. John Brown (no body) Silver badge

        Re: Hubris

        "Absolute worst-case scenario is that the generation companies have to suffer a week of estimated bills."

        ...then take a look at it, suck air through teeth and phone up to complain the estimate is too high. At which point they get to spend ages fighting through the phone menus to get to the right department and then an hour or two on hold listening to "Thank you for holding, your call is important to us" interspersed by some poorly rendered muzak.

  2. Twanky
    Facepalm

    Cybersecurity?

    National Grid: We have robust cybersecurity measures across our IT and operational infrastructure...

    Elexon: We would have said that about ourselves last week.

  3. Duncan Macdonald

    Backups

    Assuming that Elexon kept up the backup regime that EPFAL was following when EPFAL had this job then full backups would be taken every day and stored offsite - recovery might be tedious but would not be difficult. No need to pay the ransomware scum.

    1. A random security guy

      Re: Backups

      A sophisticated hacker would infect backups for months before pulling the trigger.

      1. Anonymous Coward
        Anonymous Coward

        Re: Backups

        ...or target your backup devices themselves.

        I've been called in to rectify a ransomware attack that took out a bunch of Synology NAS devices. Mercifully, it only took out the firmware it didn't attack the disks themselves...either that or the poor stability of Synology kit came to the rescue!

        Either way it both sucked and wasn't that bad.

        I just wish more firms would call me to protect them in the first place rather than just use me as a parachute to save them in the event of a shit storm.

        1. Anonymous Coward
          Anonymous Coward

          Re: Backups

          So less a parachute and more a coastguard. One is only helpful in an emergency. The other does general safety and navigation, then jumps in in an emergency.

      2. BebopWeBop

        Re: Backups

        Even then, a careful data backup and replication that uses an independent data checker will deal with most instances of that.

      3. bombastic bob Silver badge
        Devil

        Re: Backups

        "A sophisticated hacker would infect backups for months before pulling the trigger."

        a sophisticated IT manager (read: BOFH) would realize this, and re-load affected operating systems from scratch - THEN restore just the data [and nothing that's executable]. In cases where boot viruses occur in motherboard EEPROM, this may be a bit more difficult, however...

        (but a proper forensic analysis of the scope of infection would tell you this, most likely).

        In general, however, crooks are dumb. A simple "restore from backup" probably worked fine.

  4. Pascal Monett Silver badge

    What ?

    "these days more and more companies are forced to pay to speed up the process of getting back to business as usual"

    No. It's just that, with the Internet, it is easier to find companies that haven't paid attention to the most basic security rule which is DO A FUCKING BACKUP.

    I have zero pity for a sizeable company that still hasn't understood the value of backup. All your files are belong to them ? Pay the fucking fine, idiots, and then take your board and shoot the lot of them. It's not like this is news.

    Either the board hired an incompetent IT manager, or the board did not approve the proper budget.

    Either way, it's the board's fault. Shoot the bastards.

    Now, if you're a small company, you've just received a golden lesson in the importance of backups. I sincerely hope you've learned your lesson because, if not, you're going to pay again. You might start a cost/revenue analysis to determine just how often you can afford to pay to not do backups.

    Personally, my limit is zero.

    1. JakeMS
      Mushroom

      Re: What ?

      Most of these happen by a staff member opening an email attachment or dodgy website.

      It can be almost entirely eliminated by:

      - Training staff to not just go ahead and open any old attachment they receive by email

      - Show emails as plain text by default

      - Train staff to not open that image that has an exe file extension.

      - Train staff to not need to look at adult content at work.

      - Train staff to focus on their jobs, not random dodgy websites

      - Train staff to treat every email attachment with caution: is this contact really likely to send an attachment? Is it really necessary, is it the usual pattern?

      - Call BOFH if in doubt about something, before you do something.

      - Basically.. just train staff about common sense.

      Do you really need to click that random bit.ly link from a random contact who you assisted months ago? Nope

      Targeted attacks may be more tricky to stop, but even these simple measures can go a long way.

      Prevention is always better than the cure. Ofc, you should still have offline backups.

      1. Duncan Macdonald

        Re: What ?

        The big problem is that too many bosses treat training staff as an unnecessary avoidable expense.

        1. JakeMS
          Thumb Up

          Re: What ?

          I personally feel that training basic common sense shouldn't be necessary, but when it is, or a job needs any further job specific training, it shouldn't be looked at as an expense, but rather as a resource that ensures smooth continued operations.

        2. chuBb.

          Re: What ?

          I personally think this should be the sum total of IT education in schools, that and a minimum typing speed of 10 wpm. Kids that want to code will do what everyone else who codes does: find the language specs, read, experiment, understand. Those that don't think SharePoint is a really neat idea and dream of management positions.

          Flummoxed my eldest's teacher by asking what the point of teaching cursive writing was; wouldn't typing be a better use of their time, when my children live in a world where, if they have to slum it and communicate in an analog manner, it will be in block capitals...

          1. daflibble

            Re: What ?

            Without an understanding of cursive writing many historical records are inaccessible. It's more important than typing, for without the ability to read historical records there is no hope for the future. Now, after they've learned how to write they should be taught how to type; I hate the idea that they just learn to do it and it doesn't need teaching. I saw so many teenagers struggling with keyboard skills when I worked in IT for a 6th form college. It was shameful watching teachers and students peck at keyboards slowly.

            1. Anonymous Coward
              Anonymous Coward

              Re: What ?

              Teach READING of cursive writing, but not necessarily proper penmanship of it. Personally, the only cursive I've written since high school is signing my name - which I could print and have it be just as legal.

              Typing is FAR more useful. Certainly I've never looked at a 100+ year-old document and found a piece of changed-my-life information, but I type every single day.

        3. Anonymous Coward
          Anonymous Coward

          Re: What ?

          The big problem is that too many bosses treat staff as an unnecessary avoidable expense.

          FTFY.

          1. Anonymous Coward
            Anonymous Coward

            Re: What ?

            "Ihe big problem is that too many bosses treat staff as an unnecessary avoidable expense."

            Guess what IT (in its many guises over the last 50+ years) has been doing? That's right, automating tasks to either replace existing employees or allow the existing employees to do more.

            You may be part of the problem...

      2. cantankerous swineherd

        Re: What ?

        you mean ban email?

      3. A random security guy

        Re: What ?

        I think we are putting the onus on the people and assuming that a perimeter mindset and security training alone would work.

        I would like to postulate that operations should not be so porous as to allow a simple workstation hack to bring down the castle.

        This is really back to the basics: badly engineered systems that have been configured and maintained poorly.

      4. Rol

        Re: What ?

        'Thank you for opening this obviously dodgy email. You have won a permanent, no expense paid, holiday for one on the good ship HMS Unemployed, which our automated systems are processing as you read.

        Please wait for security to attend at your work station, as they want to frisk you for paper clips and pencils before dragging you feet first out of the building.

        Thank you and goodbye'

      5. Boris the Cockroach Silver badge

        Re: What ?

        Quote:

        Most of these happen by a staff member opening an email attachment or dodgy website.

        -

        Good luck with your ideas in staff training to avoid ransomware etc etc

        However there are some problems with your ideas.

        1. Even with a sign saying "this is what happens if you open an e.mail attachment" hung on a crucified body that has clearly been whipped and set on fire before death occurred, you will get users who will click and run an e.mail attachment.

        2. the listed rules do not apply to the manglement

        3. People are dumb and most don't give a shit if they cause other employees nightmares.

        4. lastly..... the chances of getting the aforementioned manglement to spend on training users are slightly less than the IT department's attempts to get its budget increased to $20 this year from $2 last year

        1. Paul Crawford Silver badge

          Re: What ?

          Or maybe, just filter email to strip/scan attachments and links?

      6. Bogbody

        Re: What ?

        The problem with common sense is that it's not that common......

        Apostrophe alert ! Weee Blurgh Weee Blurge !!!!

      7. Anonymous Coward
        Anonymous Coward

        Re: What ?

        1. Back when I still ran Windows, we got a virus infection from a dodgy ad on a legitimate, non-adult website. So dodgy or adult websites aren't always the problem.

        2. Executable attachments really ought to be filtered out at the server level, or at least require several additional steps to download and run them, including a "yes, I'm quite aware that this could infect the computer, but I was expecting this file and I know what it is" confirmation.

        3. ALWAYS turn OFF "Hide extensions for known file types" in Windows. What a misfeature! I once spotted a virus on our (Fortune 500) business network, as I had this turned off and could see that the "folder" was actually an executable, and the real folder was hidden.

        4. Not sure what viewing emails as plain text is supposed to solve. But the email software had BETTER NOT run any scripts in the email.

    2. cantankerous swineherd
      Thumb Up

      Re: What ?

      ransomware duly backed up!

    3. cbars Silver badge

      Re: What ?

      Cool cool cool, how long should I keep the backups to avoid getting shot? Just, you know, so I can make sure there is no way ransomware is decrypting files on the fly to corrupt said backups?

      I disagree that victim blaming is the moral high ground...

      What is required, in my opinion, is actually legally enforced engineering standards, like other disciplines. Want to sell software in the UK? Fine, but you had better get accredited and prove that your sexy/disruptive design complies with the latest safety standards. Is this a perfect system, no. Is it fast, no. Is it expensive, yes. But for the most part buildings are not collapsing on people; it would be nice if we could trust software to the same degree and let companies do business instead of wrapping other people's code in layers of redundancy to cover up that nasty industry-pervasive smell of negligence.

      *Then* we can start requiring businesses to use the tools safely, just as with everything else, mandated licenses and insurance etc. Would you get angry at a business for not renting two buildings, employing twice as many staff as required and running failure drills to a secondary office in case the first one burns down or collapses on its employees.... hopefully not. I just expect them to have insurance as it's so unlikely. Anyway, sorry, I rambled on there, well done if you're still reading! Yes, backups are essential business practice if you've got your head screwed on, but I can dream - and let's try not to shoot people after they've been mugged.

      1. Anonymous Coward
        Anonymous Coward

        Re: What ?

        Wise words, but at least one bit missing...

        "Yes, backups are essential business practice if you've got your head screwed on,"

        Backups are useless without the occasional trial restore. Now maybe you included that as part of your definition of "backups" but it is clear from reading the comments here that lots of people here still believe that backups don't need checking till you need them. I mean, what could possibly go.

        "try not to shoot people after they've been mugged".

        Perhaps a better analogy might be to make sure that the approved working practices require that blade guards and emergency stop switches are checked at the start of every shift.

        It's not rocket science, surely?

      2. BebopWeBop

        Re: What ?

        Maybe an independent system that ensures the files are usable?

    4. Anonymous Coward
      Anonymous Coward

      Re: What ?

      I can't up vote you enough.

    5. Anonymous Coward
      Anonymous Coward

      Re: What ?

      Yeah backups help but some ransomware sits dormant for ages, hiding in your backups, before it lights up. It can be incredibly difficult to detect...it's made harder by Microsoft and their various shortcomings.

      A slightly better plan than just having a backup is to ensure your backups have backups and give yourself the ability to go back a month or two if necessary.

      Solid file permissions help as well. If your permissions are tight then the impact of the ransomware can be isolated and it's easier to establish the source without having to take your entire system offline.

      Ransomware, generally, can only encrypt what you have access to.

  5. JakeMS
    FAIL

    "robust cybersecurity"

    Cybersecurity? Now I have no doubt it sucks.

    1. amanfromMars 1 Silver badge

      Oxymorons 'r' us

      Robust cybersecurity is surely just a role to play out in and is not too dissimilar to military intelligence, blinkered and blinded and neutered by great deceit in pursuit of the unwanted and unattainable ..... a glossy bauble of a bubble to brilliantly polish into and out of existence for flash fast cash markets to crash and crush with their tales of woe and mayhem/core code exfiltration and systemic vulnerability exploitation.

      You can think of it as a novel crowning virus of a type COVID-19 phorm which morphs and mutates in energetic cycles and spreads across multiple systems of hosting. It is certainly just as easy/difficult/impossible to deal with in order to render it compliant and under control with suitable available treatment.

      1. billat29
        Coat

        Re: Oxymorons 'r' us

        Please stop being comprehensible. It's confusing me.

        1. Fruit and Nutcase Silver badge
          Thumb Up

          Re: Oxymorons 'r' us

          Sometimes I do wonder if @amanfromMars 1 has been hacked. He's been getting up voted quite a bit recently.

          1. Anonymous Coward
            Anonymous Coward

            Re: Oxymorons 'r' us

            @amanfromMars 1 hasn't been hacked, they are just suffering a similar issue to the Onion.

            The events of the last few years have rendered humour, sarcasm, irony and flights of fantasy to be indistinguishable from tomorrow's reality.

            1. amanfromMars 1 Silver badge

              Re: Penny Dreadful* Classics and Oxymorons 'r' us

              @amanfromMars 1 hasn't been hacked, they are just suffering a similar issue to the Onion.

              The events of the last few years have rendered humour, sarcasm, irony and flights of fantasy to be indistinguishable from tomorrow's reality. .... Anonymous Coward

              How very perceptive of you, AC .......however, it is surely you and y'all and Onions rather than the likes of an I who are suffering tomorrow's reality being made indistinguishable from event rendering humour, sarcasm, irony and flights of fantasy, for the tales to be told to be believed and to be serially 0day hosted and posted daily by mainstream media news channels, which be both privately slush funded and publicly taxed mercenary propaganda vessels and convenient vassals for Elite Exclusive Executive Systems Administrations and wannabe Top Dog Leaderships, are so pathetically and shockingly dire and dismal ....... and can be of a rotten, early crass vintage well past its prime sell by date.

              Here be such an exemplar? ... Bizarre EU-Funded Comic Book Predicted Pandemic, With Globalists As Saviours

              The problem difficulty today and therefore the abiding future opportunity which always exists to scupper even the best and most expensive of dire and dismal plans, is exclusive command and control of the necessary narrative is no longer a freely available elite option to just a few who so clearly now do not know what to do next for the best in order to try and save their skins, for they are being relentlessly and remorselessly hunted down for a just reckoning on the worlds they thought to create and present as acceptable as their plaything. Now surely you recognise that as a concrete fact rather than a stranger's fickle fiction. More than just the few do, and that is used to both terrify and terrorise that and those unworthy of future beneficial consideration.

              * ...... "Penny Dreadful is an old term used during the nineteenth century to refer to cheap popular serial literature, and it could be interchangeable with penny blood, penny awful, or penny horrible. It means a story published in weekly parts, with the cost of one (old) penny. The main plot of these stories were typically sensational, focusing on the adventures of detectives, criminals, or supernatural entities."

              1. amanfromMars 1 Silver badge

                Re: Penny Dreadful* Classics and Oxymorons 'r' us

                And some folk just don't get the reality and would do battle against themselves and daemons which care not a jot about their delusions of power with corrupt collective and perverse poisonous administrations .........

                President Donald Trump has vowed to break the “radical left’s” apparent control of social media platforms. Earlier, the president thanked his “keyboard warriors” for their support, as they accused the tech firms of censorship.

                “The Radical Left is in total command & control of Facebook, Instagram, Twitter and Google,” Trump tweeted on Saturday. “The Administration is working to remedy this illegal situation. Stay tuned, and send names & events.” ........ https://www.rt.com/usa/488860-trump-left-censorship-social-media/

                Seems like the 77th Brigade have a crazed adversary/heroic role model to compete against and/or support unreservedly if in a despicable special relationship.

    2. chuBb.

      Or "we spent a lot of money on a report and kit, but neglected to either hire someone able to configure the advanced stuff, or given them time to implement recommendations, or just went fuckwit tear the (fire)walls down cus we can't get end users to install a vpn client they need to wfh!!!"

  6. IGotOut Silver badge

    We know what this means...

    "Elexon later added that it had identified the "root cause" "

    Lack of patching?

  7. gr00001000
    Flame

    Vector identified

    RDP lockdown solution or email. Secure both extensively and get that RDP behind VPN. Plain text email, Mark all external emails as external, mail filtering solution too. All public IP resources such as pulse VPN endpoints must have absolute priority in patching.

    If it’s another vector such as a supply chain attack, your isolated backups, VLAN segmentation and segregated endpoint logging will help.

    1. katrinab Silver badge
      Unhappy

      Re: Vector identified

      If employees' home laptops are connected to the VPN, that’s not going to help.

      1. Richard 12 Silver badge

        Re: Vector identified

        Only work owned kit should ever be connected to the VPN.

        That's a pretty simple rule to make, and employees who are asked to work from home are universally very happy to accept a work-provided laptop.

  8. vogon00

    AC Amperes....

    ...are now forever known as 'wiggly amps' thanks to this article :-)

    Thanks - it's the perfect way to describe AC to my less technical contacts.

    Non-AC to avoid confusion, I hope.

    1. A random security guy

      Re: AC Amperes....

      I can just imagine the shocked look of my professor... if I had used those words ages ago :).

    2. Ken Moorhouse Silver badge

      Re:...are now forever known as 'wiggly amps' thanks to this article :-)

      El Reg:-

      Where is the 10x UpVote button? I can't find it...

  9. adam payne

    "Elexon later added that it had identified the "root cause" and was "taking steps to restore our IT systems"."

    Lacking a decent patching policy?

    IT run on a shoe string budget?

  10. Anonymous Coward
    Anonymous Coward

    National Grid

    I suppose you do realise that office equipment, desktops/laptops that can receive ransomware via USB or e-Mail are not the devices that the CNI is run on?

    Just because some dic*head's regular machine is infected, doesn't mean the lights go out.

    Do you think the computer equipment that controls the navy's nuclear submarines, receive e-Mail?

    Montgomery Scott.

    1. amanfromMars 1 Silver badge

      The weakest link ..... and a reliable constant source of inestimable bounty

      Do you think the computer equipment that controls the navy's nuclear submarines, receive e-Mail? ..... Anonymous Coward/Montgomery Scott wannabe

      Maybe not, AC, but the PEBKAC issuing instructions and/or following orders controlling equipment on a navy's nuclear submarines certainly do ....... and can be surprisingly easily nobbled and hobbled nowadays, which must be quite a worry to more than just a connected few ?

      How do you stop folk thinking for themselves whenever they receive new information which energises their intelligence services releasing the realisation they are being comprehensively played for a useful fool and idiot's tool? Do you think such possible and/or desirable?

      1. amanfromMars 1 Silver badge

        From US with LOVE ...... for Captivating Capture by Mother Russia Red Teamsters

        Do you have Alternate Virtualised AI Realities Processing Future Information for Universal TeleVisualised Audio Visual Presentations ‽ . ....... and of COSMIC Construction Cossack Style

        Is there a Vlad in the House Putting In Input to Output for an Imperial Soviet State of Bodies with Advanced IntelAIgent Minders ...... AIMentors and Monitors?

        And that question is hereby, here now presented for the only true simple answers when the question escapes you ‽ ..... Yes, No, Maybe Later for a Never Ever Before Ending to Kick Start urVirtual AIMachinery into Global Social Significance, are all Correct and Great Ideas to Also Personalise and Populate in All Manners of Matters of One's Own Choosing.

        And yes, that does wander into the Spooky Kremlin Russian Orthodox Church Services Territories of the Yet to be Imagined and Directed, Produced and Enacted? One imagines them all quite busy there these days. ....... but the few words here all but universally guarantees the information herein shared and safely certainly delivered, and to as many intended addressees as would be able to benefit from a welcoming enlightened foreknowledge too ..... which is the Real Not Totally Unexpected Bonus when Top Secrets are Proving Overwhelmingly Expensive and Impossibly Difficult to Maintain and Retain and Restrain. They be an Obstructive Destructive Liability Harbouring the Seeds and Feeds and Needs of One's Own Ascension into an Attendant Ascendancy with Keys to Unlock and Free the Heavenly Stores Within for Future Programs and Protected by the Almightiest of Doors. ...... One's own Disbelief of a Fact Proving Itself to be True ....... and Able to Communicate with You Too?

        How about them jewels now that diamond sparklers have lost their attractive lustre ? Future Sensitive Information Sales are one of those Virtual AIDerivative Ventures which Hedge Funds and Merchant Banks are just made for and may even tell you to stay well away from if of a highly nervous disposition.:-)

        1. This post has been deleted by its author

        2. Anonymous Coward
          Anonymous Coward

          Re: From US with LOVE ...... for Captivating Capture by Mother Russia Red Teamsters

          four 0F four:

          - a keyboard and its peripherals - some computer, monitor, etc;

          - some room to put it all in;

          - stock to feed the OBKAC

          - revive the h/out environs.

          so few to do, as one can see. so much to, at least, expect (-:

          vvork in present conditions will bring no good neither to the 0utbox, nor to the 0bservers.

          with my respect,

          -anon

        3. billat29
          Thumb Up

          Re: From US with LOVE ...... for Captivating Capture by Mother Russia Red Teamsters

          That's more the style we expect.

          1. amanfromMars 1 Silver badge

            Re: From US with LOVE ...... for Captivating Capture by Mother Russia Red Teamsters

            That's more the style we expect. ..... billat29

            Is that you saying the post is incomprehensible and confusing you, billat29? Does it need to be further simplified with more sensitive information added to reveal more of the sterling secrets hiding in the shadowy shade of star systems collapsing/imploding/exploding?

            :-) Do bots play global stud poker with just humans/themselves ?

  11. Trigun

    Ransomware - check your backup size daily

    People have mentioned about ransomware infecting backups.

    One of the things we do for our customers is a set of daily checks (something I expect all you sysadmins out there do...) the results of which we record in a spreadsheet. This includes checking the backups and recording the size amongst other things. If we see anything unusual (such as a size increase in the incremental which bucks the normal trend) we start looking into it, and if we have a suspicion something is going on we take a separate copy of the older backups which are inaccessible to domain accounts - including domain admins (preferably subsequently made offline).

    It's not absolutely infallible, but it's one of our ways for trying to catch this kind of thing.

    We also set up SRP whitelists, file screening, decent AV, etc. where the customer will let us. Again, not infallible, but can stop a lot of things if implemented correctly.

    And, of course, end user awareness and training (a constant battle).
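Trigun's daily size check, written out as a script. This is an added example, not Trigun's own tooling or anything from the article; the CSV-style log format, the sample figures and the "more than 4x the recent median of the same backup kind" threshold are all assumptions, and the log is constructed for illustration.

```python
"""Daily backup-size sanity check: flag a backup that bucks the recent trend.

Ransomware that touches every file makes every file "changed", so the next
incremental balloons; a job that quietly backs up nothing shrinks instead.
Both are worth a human look before the old backups get overwritten.
"""
from statistics import median

# Constructed sample log (not real data): date, backup kind, size in MB.
# Incrementals hover around 1.8 GB until the last entry.
SAMPLE_LOG = """\
2020-05-01,incremental,1790
2020-05-02,incremental,1855
2020-05-03,full,412000
2020-05-04,incremental,1810
2020-05-05,incremental,1702
2020-05-06,incremental,1933
2020-05-07,incremental,1788
2020-05-08,incremental,1844
2020-05-09,incremental,1761
2020-05-10,full,413500
2020-05-11,incremental,1812
2020-05-12,incremental,1790
2020-05-13,incremental,1865
2020-05-14,incremental,38900
"""


def parse_log(text):
    """Return a list of (date, kind, size_mb) tuples from the assumed log format."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, kind, size = line.split(",")
        records.append((date.strip(), kind.strip(), int(size)))
    return records


def flag_anomalies(records, window=7, ratio=4.0, min_history=3):
    """Compare each backup with the median of the previous `window` backups of
    the same kind (fulls and incrementals are judged separately). A backup is
    flagged when it is more than `ratio` times bigger or smaller than that
    baseline. Nothing is judged until `min_history` earlier runs exist.
    Returns a list of (date, kind, size_mb, baseline_mb, reason)."""
    history = {}  # kind -> sizes seen so far, in order
    alerts = []
    for date, kind, size in records:
        prev = history.setdefault(kind, [])
        if len(prev) >= min_history:
            baseline = median(prev[-window:])
            if size > baseline * ratio:
                alerts.append((date, kind, size, baseline, "far above trend"))
            elif size * ratio < baseline:
                alerts.append((date, kind, size, baseline, "far below trend"))
        prev.append(size)
    return alerts


def check_log(text, **kwargs):
    """Parse and check in one call; kwargs go to flag_anomalies()."""
    return flag_anomalies(parse_log(text), **kwargs)


if __name__ == "__main__":
    for date, kind, size, baseline, reason in check_log(SAMPLE_LOG):
        print(f"{date} {kind}: {size} MB vs recent median {baseline:.0f} MB -> {reason}")
```

An alert is the trigger for Trigun's next step (copying the older backups somewhere domain accounts cannot reach), not a verdict on its own; tune `ratio` and `window` to your own job sizes.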

  12. Unoriginal Handle
    Coat

    If they are going to pay the ransom, why not pay in electricity, rather than directly in bitcoin ? After all, they know where the electricity is and how to get hold of it :)

    Mine's the coat with the multimeter in the pocket.

    1. Anonymous Coward
      Anonymous Coward

      You can always hold a fluorescent tube at an appropriate angle somewhere inside the field around the lines... Technically this is of course, theft and highly dangerous if you don't know what you are doing.

  13. Marc 13

    I've worked in large, multinational and small even micro businesses over the last 10 years.

    I am always surprised just how low the IT comprehension is within the non IT types... They can use a smart phone to download and play FB or Twitter yet cannot comprehend saving a doc to OneDrive/DropBox etc instead of the desktop ffs. They cannot click "Save as" when editing an email attached doc and wonder why their edits aren't saved.

    This ISN'T in depth IT knowledge, it should be the starting point of the job interview for any job in the business.

    In the case of opening crappy emails... send them two interview invites, one crap and one real... if they open the crap one, decline them!

    M
