In early September 2019, the North American Electric Reliability Corporation (NERC) released details on a cyberattack targeting the US power grid that occurred on 5 March 2019. This incident represents the first attack of its kind to target US based power utilities. Although the attack did not cause any blackouts, it did cause disruptions resulting in communication blind spots between control centers and generation sites in the affected areas.[1]
Details
The North American Electric Reliability Corporation (NERC) recently released a report on a cyber incident that occurred on 5 March 2019. NERC is a non-profit organization that works to ensure the reliability of the North American bulk power system and “assure the effective and efficient reduction of risks to the reliability and security of the grid.”[2] Cyberattacks are becoming an increasing concern for NERC and the DOE, especially after the successful 2015 cyber attacks on Ukraine’s power grid that resulted in outages lasting several hours.[3] This 5 March incident came just two months after former National Intelligence Director Dan Coats warned that Russian hackers now had the capabilities to disrupt power utilities in the US for at least a few hours.[4] As a result of these attacks, it is likely that threat actors, particularly cyber terrorists, will continue to view power utilities as an attractive and vulnerable target for causing maximum operational disturbance.
In a document titled “Lessons Learned: Risks Posed by Firewall Firmware Vulnerabilities,” NERC outlined the details of the cyberattack. According to the report, an unauthenticated remote attacker was able to exploit a vulnerability in the web interface of a vendor’s firewall and cause reboots of the devices that resulted in a denial of service (DoS) condition. These unexpected reboots resulted in brief communications outages (i.e., less than five minutes) between field devices at remote, low-impact generation sites and between the sites and a low-impact control center.[5] These firewall reboots and the resulting communication outages occurred over a 10-hour period. In response to the attack, mitigations were deployed overnight by patching the vulnerability on the affected devices, and pushing firmware updates to other devices possessing the vulnerability. The sites involved in this attack have also deployed blacklisting to restrict allowed traffic to only that which is necessary for site operations.
NERC has not released the names of the affected utilities, but has disclosed that they were linked to parts of the power grid in California, Utah, and Wyoming. A senior analyst at Dragos, an industrial cyber security company, said that the attack does not appear to be specifically targeted or to have been carried out by a skilled threat actor.[6] However, even if this attack was not targeted or sophisticated, it is concerning that even low-level attacks by inexperienced actors are capable of accessing power grid systems and causing disruptions. Communication blind spots like the ones caused by this attack could have left systems vulnerable to even more dangerous attacks, in addition to causing operation setbacks.
Conclusion
This cyberattack on US power utilities shows the alarming vulnerability of the software and devices they utilize, which are becoming more and more reliant on the internet and network interconnectivity. NERC is now calling for increased security compliance by US utility companies in order to reduce the impact of cyber-attacks. It is recommending that industry entities monitor firmware updates and deploy them as soon as they are released, reduce the attack surface by limiting internet-facing devices, use VPNs, and use access control lists (ACLs) to filter inbound traffic.[7]
Wapack Labs offers analytic monitoring tools, such as RedXray, as well as weekly blacklists to help defend against network attacks. Wapack Labs is located in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Download Report: TR-19-255-001_Attack_on_US_Power_Grid.pdf
[1] https://www.eenews.net/stories/106111128
[2] https://www.nerc.com/Pages/default.aspx
[3] https://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf
[4] https://www.techtimes.com/articles/245271/20190908/first-of-its-kind-cyberattack-hits-us-power-grid-report.htm
[5] https://www.eenews.net/assets/2019/09/06/document_ew_02.pdf
[6] https://www.eenews.net/stories/1061111289
[7] https://www.consumeraffairs.com/news/us-power-grid-cyber-incident-was-caused-by-hackers-rebooting-firewalls-090919.html