In 2017, Næstved District Heating experienced a cyberattack. Since the incident, the district heating company has taken its IT security to a higher level to reduce the risk of future attacks.
By Marianne Holstein Lindorff, Marketing Manager, ABB A/S
In 2017, Næstved District Heating Company (NDH) experienced a cyberattack. Suddenly, two servers couldn’t be accessed because the files on the servers were encrypted and locked. When trying to open the encrypted files, a message came up:
“PAY RANSOM BEFORE REACCESSING FILES.”
– Fortunately, the hackers had not gained access to our operationally critical systems, so we still had full control over our district heating distribution. We don’t know how the hackers managed to infect our servers, but luckily, we were more frightened than hurt at the end of the day. Nothing critical was destroyed, and we could continue our operations as usual, says Jens Andersen, director at NDH.
Today, Jens Andersen calls the cyberattack a huge wake-up call.
– We are experts in district heating – not in cybersecurity. Therefore, we rely heavily on our partners like ABB, who delivered our control system.
Task force and professional hackers
NDH fulfilled all IT security protocols and requirements. However, in the wake of the event, the company chose to set up a task force that included external IT security experts. They helped review the existing system to increase security and prepare NDH for possible future cyberattacks.
After the process of upgrading its IT preparedness, NDH hired a group of professional “hackers” from a security company to test and validate the robustness of the system.
– They came back with a long list of “holes” in our systems, which still posed a risk. We had to go back to our partners and suppliers and close the gaps as soon as possible. Thus, today we have a much better defense against cyberattacks. Still, I dare not say that we are 100% safe, explains Jens Andersen, and continues: “We were lucky, but it is not certain that everyone is equally lucky. So get your cybersecurity tested,” encourages director Jens Andersen, Næstved District Heating.
Important to come forward
Michael Noer, Sales Manager at ABB, commends NDH for its handling of the cyberattack:
– I find it very professional and responsible that NDH is telling the public about their experiences. Many companies are reluctant to speak about such attacks. Still, it is essential to do so for other companies to learn and thus build better IT security, says Michael Noer.
1 million DKK on extra IT security
The consequences of the cyberattack on NDH have been extensive. Up to DKK 1 million has so far been invested in extra IT security on both hardware and software. Among other things, NDH has entered into an agreement for ongoing software patches.
In addition, stricter employee behavioral guidelines have been introduced to minimize the risk of the “human factor” compromising the company’s IT security. The same goes for external partners’ ability to access the system remotely. Similarly, the employees have now been trained in purely manual operations for a worst-case scenario.
‘Not everyone can be so lucky’
Looking back, Jens Andersen encourages the district heating companies to take the threats seriously – and not overrate their own IT security.
– I will not be surprised if many other utilities will experience the same vulnerability as we did. We thought we had an adequate defense, but we realized we didn’t. I can only recommend other companies to have their cybersecurity tested so as not to risk having their ‘security of supply’ affected. We were lucky, but it is not certain that everyone is equally fortunate. So, remember to get your safety tested, encourages Jens Andersen.
The 2017 attack was reported to the police, but the hackers’ identity is still unknown to this day. Exactly how the hackers managed to infect two of the servers at NDH is also still a mystery.
Q & A with cyber security expert
Benny Hansen, digitalization and cybersecurity lead at ABB Danmark, explains how to reduce the risk of cyberattacks.
How does a hacker typically breach a network?
– People tend to view plants and factories as closed systems, but the reality is that there are many ways in which intruders can slip inside the door. There are several open gates towards the world wide web – for instance, remote access, inbound and outbound files, iPads, and other tablets with access to both the internet and the control system.
The lack of proper patch updates is often considered a massive security breach. How often should I update my patches?
– In general, patches should be updated more often than current standard practice in the industry. Based on the current threat assessment, I recommend that patches are updated at least 12 times a year – and not just once every three months.
What other issues should I pay close attention to?
– Primarily, system components like firewalls, antivirus programs, network segmentation, webcams, older firmware not adequately updated, and open gates in old hardware like switches, USB ports, and apps.
How can hackers take advantage of these vulnerabilities?
– Basically, hackers exploit software and hardware that is not up to date, or use the fact that employees sometimes open e-mails containing a malicious link. Or, thirdly, the breach can happen via service technicians or other third-party providers. They unintentionally infest the system with malware. A breach can lead to folders and file structures being encrypted by the hackers.
What should I do if I experience a hacker attack?
– You should never trust the hackers to decrypt your files nor pay a ransom. Instead, you should ask your IT control system supplier to gain an overview of what has happened. Afterward, you should use your cybersecurity action plans and procedures to reinstall the backup system and restore systems at hand and return to normal virus-free operations.
How can we, as a district heating company, minimize the risks of cyberattacks?
– For one, you can make sure to update your software and hardware accordingly. Secondly, ensure that all action plans and procedures are up-to-date and that the employees are properly trained. Thirdly, the management’s responsibility is to provide adequate resources allocated to handling these cybersecurity threats. It will always be much more expensive and time-consuming to get the plant up and running again after an attack.
Facts about Næstved District Heating
- Established in 1965
- 5,400 customers
- 18 employees
- 98% of the heat comes from waste incineration
- 2% from natural gas
- 55% of Næstved is supplied with district heating (DH)
- The DH network in Næstved is still expanding, and customers are expected to increase by 30% in five years