A March 5 cyberattack on U.S. wind and solar assets is back in the news, with fresh documents helping shed light not just on the extent, but also on the simplicity of the first-of-its-kind intrusion. Cybersecurity experts say it reveals a utility sector that is not sufficiently vigilant and is failing to employ the simplest fixes.
The North American Electric Reliability Corporation (NERC) in September revealed details about the denial-of-service (DoS) attack, urging utilities to keep firewalls patched and up to date, but held back the name of the impacted entity. E&E News last week revealed, based on documents obtained through a public records request, that the victim was sPower.
Owned by AES and AIMCo, sPower bills itself as the United States' largest private owner of operating solar assets. Though there was no loss of generation, the March cyberattack impacted the company's visibility into about 500 MW of wind and PV across California, Utah and Wyoming.
The attack is widely being called the "first" on renewable generators, though it is not clear the grid intrusion was entirely intentional. Attackers exploited a known vulnerability in an unpatched Cisco firewall, causing a series of reboots over 12 hours. But the intruders did not press the attack further, and E&E reports it is unclear whether they understood the firewall was connected to the energy grid.
Security experts say the attack is a wake-up call for the electric sector and a sign that clear vulnerabilities remain.
"The news begs a bigger question about cybersecurity regulations for the energy industry," Phil Neray, vice president of security firm CyberX, said in an email. "The manner in which it was carried out was very basic — exposing some essential weaknesses in the way energy companies currently patch and monitor their network devices."
Utilities must do basic security maintenance
CyberX released a report last month that concluded utility networks and unmanaged devices are "soft targets for adversaries." Many utilities use outdated operating systems and unencrypted passwords that leave them vulnerable, the firm found.
That means in some instances utilities are not even maintaining the most basic of protection: keeping systems up to date.
Neray said the grid is made vulnerable by network appliances like the ones that were compromised in the attack on sPower: directly exposed to the internet, unpatched and with limited malware capabilities. "We’ve seen attackers go after unpatched network devices in the past," he said.
The March 5 attack is "one more example ... that cyber risk in the industrial space is not only real, but operant," Jason Haward-Grau, chief information security officer at cyber firm PAS Global, said in an email.
"The simplicity of this attack should make generators sit up and take notice," Haward-Grau said. "This was a ‘simple’ IT attack on an unpatched firewall, which was still vulnerable, in spite of the patch being available."
The documents obtained by E&E show that in the aftermath of the attack, sPower did deploy a firmware update to its firewall and no further issues were seen. The company said there was no intrusion beyond the DoS attack.
Information about the March 5 attack was included in a Department of Energy Form OE-417, which details an "electric emergency incident and disturbance." The attack, eight months ago, was classified as one that "could potentially impact electric power system adequacy or reliability."
Response will be key with growing frequency of attacks
Cybersecurity experts say attacks on the electric sector are becoming more common, and that the trend will continue, along with growing sophistication.
"The frequency of attacks are continuing to grow and digitalization and hyper-connectivity are only going to expand the risk," Haward-Grau said. "Hackers are getting more and more sophisticated about industrial operations attacks."
There is also a clear need for response and recovery planning capabilities, said Haward-Grau, despite the specifics of the March attack where a firewall patch provided quick respite. "This could have been significantly worse had the attacker understood what they were dealing with and gone further with their attack," he said.
NERC is scheduled to hold its biennial GridEx event next week, which simulates a grid attack in order to give the utility sector an opportunity to run through response protocols. While the March attack did not impact grid operations, hackers have previously disrupted the Ukraine grid and experts say it may be an inevitability for the United States.
"Impacting operations is only a matter of time," Haward-Grau said. "If a simple firewall crash can do this, imagine what a dedicated and skilled attacker can do. ... the emphasis needs to shift to not just identifying an attack but equally important responding to one."
It is "highly unlikely that attackers could take down the entire U.S. power grid," CyberX's Neray said. The bulk system has been specifically designed to eliminate single points of failure. However, he said it is not difficult to imagine other scenarios.
"It’s easy to imagine how determined nation-state attackers could target specific population centers to cause major disruption and chaos," Neray said. He pointed to the Ukrainian grid attacks of 2015 and 2016, which left hundreds of thousands without power.
Last year, the U.S. Department of Homeland Security concluded that Russian government cyber actors had targeted and compromised "government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors."
"This is not completely theoretical," Neray said. "Organizations should be on high-alert for similar incidents."