A cyberattack on the U.S. energy grid has just come to light, so to speak, which disrupted plant visibility at Utah-based sPower back in March.
sPower, a Utah-based wind and solar provider, began experiencing a series of lost connections between its main control center and remote power-generation sites. The brief, intermittent periods of downtime were determined to be the result of a denial-of-service (DoS) attack, according to documents obtained via the Freedom of Information Act (FOIA) by E&E News, a utility-industry trade publication. That operational disruption makes the attack the first of its kind in the country.
“This disrupted the organization’s ability to monitor the current status of its power-generation systems. The utility industry refers to this type of incident as ‘loss of view,’” explained Phil Neray, vice president of industrial cybersecurity at CyberX, in an interview with Threatpost.
In the FOIA documents, Matt Tarduogno, an analyst with the Department of Energy, said that the cause of the lost connections was traced to firewall reboots. It turned out that the adversaries were using a vulnerability that lingered on unpatched in the power company’s internet-facing Cisco firewalls, in order to crash the appliances. He said that the company rolled out Cisco’s recommended firmware updates to address the bug.
E&E reported in April that a cyber-incident had occurred, but the name of the provider and attack details were just revealed this week. sPower did not return a request for comment from Threatpost.
While the company’s power-generation capabilities weren’t interrupted, the event is notable because of the implications for future attacks, according to researchers.
“If an attacker wanted to shut down parts of the grid, one of their first steps might be precisely this loss-of-view step, because it would leave utility operators ‘blind’ to subsequent disruptive actions the attackers would take, such as switching relays off to halt the flow of electricity,” Neray told Threatpost. “This loss-of-view approach is similar to the approach taken in the Stuxnet attacks, one of the first known cyberattacks on industrial control systems.”
Jason Haward-Grau, CISO at PAS Global, said that the utility essentially dodged a bullet.
“If a simple firewall crash can do this, imagine what a dedicated and skilled attacker can do,” he said in an emailed comment. “This highlights the need for effectively understanding your topology and its connections, this has never been more important than today, if you don’t know what you have, where it is, what vulnerabilities it has and how it is configured you are already operating at a disadvantage that a motivated attacker will be happy to exploit.”
The sPower attack was not on the same order of magnitude as the 2015 attack on Ukraine’s power grid, Stuxnet or other industrial control systems attacks that have been aimed at disruption, but it was the closest that adversaries have gotten to compromising operational technology at a utility in the U.S. (though Iranian hackers in 2015 infiltrated the control systems of a dam in upstate New York).
Grau said that the operational capabilities of industrial facilities are at increasing risk as digitization and “smart utility” approaches take more of a central role in those types of businesses – the mandate is shifting to driving efficiencies and consolidating control rooms, he said.
“They will rely on integrated IT networks to function (this will bring IT and OT together in new and likely different ways),” he said in an emailed comment. “This kind of attack shows that the frequency of attacks are continuing to grow and digitalization and hyper-connectivity are only going to expand the risk and accelerate the frequency of attacks because hackers are getting more and more sophisticated about industrial operations attacks (the old ‘security by obscurity’ is gone if it ever existed!).”
Neray told Threatpost that he agrees that as the intersection of IT and OT brings increased connectivity between the cloud, business systems and plant networks, utilities will need to apply IT defenses to the OT world – which is a cultural shift for the segment.
“This incident highlights the need for stronger controls, such as strict attention to patching of internet-connected devices, along with multi-layered defenses like granular network segmentation and continuous monitoring to quickly detect unauthorized or suspicious activities before adversaries can cause real damage to your operations,” he said.
What are the top mistakes leading to data breaches at modern enterprises? Find out: Join expert from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free Threatpost webinar, “Trends in Fortune 1000 Breach Exposure.” Click here to register.