Elexon, the electricity systems administrator, was hit by a cyberattack on Thursday (14 May), although no key systems are thought to have been affected.
The company confirmed in a statement just before midday that it had been attacked, with employees unable to access emails. Today (15 May), it updated its statement to reassure customers that it holds no customer level data and there is no risk to the public from the breach.
The attack effected the company’s internal IT systems, and not the Balancing and Settlement Code (BSC) Central Systems and EMR, which are working as normal Elexon confirmed.
“The attack is to our internal IT systems and ELEXON’s laptops only,” the company said in a statement. “We are currently working hard to resolve this. However please be aware that at the moment we are unable to send or receive any emails.”
It has identified the root cause of the attack and is taking steps to restore its internal IT systems, it continued.
Crucially, Elexon does not manage the real time physical flow of electricity in the UK, and as such there is no impact to the power supply.
The company calculates the amount of power produced by power stations and sold to suppliers, ensuring that it either matches what they are contracted to sell or that the differences are correctly charged. Additionally, it calculates, collects and distributes payments to Contract for Difference generators and Capacity Market providers.
According to Elexon, neither facility was affected by the cyberattack as they operate on separate systems to the one that was attacked.
On Twitter, National Grid ESO said that it was aware of the attack and is investigating any potential impact on its own IT networks. The operator has now undertaken a full investigation, and was able to confirm that it felt no impact.
A National Grid Electricity System Operator (ESO) spokesperson told Current±: “We’re aware of a cyber intrusion on ELEXON’s internal IT systems. Our own IT networks, and the operation of our electricity system, are not affected. We have robust cybersecurity measures in place across all our IT and operational infrastructure to protect against cyber threats and ensure we can continue to reliably supply electricity.”
While Elexon is yet to confirm the exact nature of the attack, threat intelligence company Bad Packets reported that the company had been running an outdated version of Pulse Secure, having ran a scan in March that revealed this, according to ZDNet, which left it vulnerable.
Pulse Secure is an SSL VPN server, which is used by companies to allow employees to use internal networks over the internet.
It was suggested that it was a ransomware attack due to the nature of the damage done to the company’s system.
The National Cyber Security Centre (NCSC) identified an arbitrary file reading vulnerability in Pulse Secure known as CVE-2019-11510 in analysis of VPN vulnerability produced in October 2019.
Speaking to Current± regarding the cyberattack on Elexon, an NCSC spokesperson today said: "We are supporting the victim and working with colleagues at the National Crime Agency to understand the impact of this incident."
The instances of cyberattacks in the energy sector has seemingly been increasing in recent times. In April, European energy giant Energias de Portugal (EDP) was hit by a ransomware attack, with attackers using Ragnar Locker ransomware to steal over 10TB of sensitive company files.
In March, the European Network of Transmission System Operators for Electricity reported that it had found evidence of a successful cyber intrusion into its office network. The association, which represents 42 electricity transmission system operators from 35 countries across Europe, did not provide further details regarding the nature of the attack.