‘Cyber event’ disrupted U.S. grid networks — DOE

By Blake Sobczak | 04/30/2019 07:17 AM EDT

A report posted by the Department of Energy found that a potentially unprecedented “cyber event” hit grid operations in the western United States last month. Who was behind it?

A Department of Energy report found that an unusual cyber incident interrupted grid operations in the western United States last month. Chris Hunkeler/Flickr.

This story was updated at 12:20 p.m. EDT.

A "cyber event" interrupted grid operations in parts of the western United States last month, according to a cryptic report posted by the Department of Energy.

The March 5 incident lasted from 9 a.m. until nearly 7 p.m. but didn’t lead to a power outage, based on a brief summary of the electric disturbance report filed by the victim utility.

If remote hackers interfered with grid networks in California, Utah and Wyoming, as the DOE filing suggests, the event would be unprecedented. A cyberattack is not known to have ever disrupted the flow of electricity anywhere in the United States, though Russian hackers briefly cut off power to parts of Ukraine in 2015 and again in 2016.

DOE uses a broad definition of "cyber event," describing it as any disruption to an electrical system or grid communication network "caused by unauthorized access" to hardware, software or data. That leaves open the possibility that a utility employee or trespasser, rather than a remote hacker, triggered the March 5 event.

In January 2018, for instance, Michigan utility Consumers Energy filed the same type of DOE notice when an employee in training accidentally caused a blackout for about 15,000 people (Energywire, March 8, 2018).

"There was no malicious intent" in that case, a spokeswoman said at the time, and Consumers Energy brought the lights back on within a few hours.

U.S. utilities are required to notify DOE within one hour of any successful cyberattack on their systems. Power companies that fail to file an OE-417 electric disturbance report can be fined up to $2,500 per day, although DOE has never issued civil or criminal penalties related to the form. The document is supposed to include a high-level overview of the incident, whether it be a hurricane-related outage or a physical attack on the facility. A second, more closely guarded portion of the form contains a detailed summary of actions taken to resolve the incident and "preliminary results from any investigations," per DOE guidelines.

DOE didn’t respond to a request for comment. A spokesman for the Federal Energy Regulatory Commission, whose analysts routinely access OE-417 data, said "the commission was aware of the situation" but declined to pass on any additional information. A spokeswoman for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency deferred comment to DOE. A spokeswoman for the North American Electric Reliability Corp., which sets and enforces physical and cybersecurity standards under the oversight of FERC, did not respond to a request for comment.

The Western Electricity Coordinating Council, the NERC affiliate responsible for monitoring grid reliability and security across western North America, declined to share additional context.

WECC’s events analysis team "confirmed it was a single entity involved," Communications Manager Julie Booth said in an email. "For security purposes, we cannot disclose any further information beyond what has already been made public."

Relatively few organizations would have an electricity service footprint that spans Salt Lake County, Utah; Converse County, Wyo.; and both Los Angeles and Kern counties in California.

Peak Reliability, a Western transmission operator, spans 14 states including Utah, Colorado and California. A spokesperson for that nonprofit reliability coordinator did not immediately respond to a request for comment.

The Western Area Power Administration, one of four federally owned power marketing organizations in the United States, similarly maintains grid assets in those three states. A WAPA spokeswoman said the agency didn’t file the report.

Berkshire Hathaway Energy, through its subsidiaries PacifiCorp and BHE Renewables LLC, would also fit the vague description included on the OE-417 form.

A spokeswoman for Berkshire Hathaway Energy said none of the firm’s subsidiaries were affected by the event.
