‘Denial of service’ attack caused grid cyber disruption: DOE

By Blake Sobczak | 05/02/2019 07:02 AM EDT

Details are emerging about an unprecedented “cyber event” reported this week that disrupted Western grid networks. But officials are keeping quiet about which utility was hit, and why.

Cyberattacks like the one the Department of Energy reported this week on the Western grid are likely to occur again, according to experts.

Cyberattacks like the one the Department of Energy reported this week on the Western grid are likely to occur again, according to experts. Pixabay

A recent cyber disruption to the U.S. grid involved a "denial of service condition" at a Western utility, according to a Department of Energy official.

On March 5, an unidentified power company fell victim to a "cyber event" that interfered with operations but stopped short of causing blackouts, according to a DOE filing this week.

A DOE official confirmed yesterday that the event "did not impact generation, the reliability of the grid or cause any customer outages."

Advertisement

But the denial-of-service attack was significant enough for the utility to file an electric disturbance report with DOE — the same forms reserved for major interruptions like storms, physical attacks or fuel shortages (Energywire, April 30).

Denial-of-service, or DOS, cyberattacks overwhelm target networks with bogus traffic, making it difficult for victim computers to operate normally. Distributed-denial-of-service (DDOS) attacks harness the power of hacked "botnets" of computers to throw at hackers’ targets, while rarer telephony-denial-of-service (TDOS) events seek to block incoming and outgoing calls.

In December 2015, suspected Russian hackers used stolen login credentials and a TDOS attack to hit three distribution utilities in Ukraine, briefly cutting the lights to about a quarter-million people in a first-of-its-kind cyberattack (Energywire, July 18, 2016).

The March event doesn’t appear to be part of such a coordinated hacking campaign, based on the limited information disclosed by DOE and several organizations in the anonymous utility’s service area of Utah, Wyoming and Southern California. Still, a malicious cyberevent wasn’t previously known to have interfered with U.S. grid operations, making the March 5 disclosure significant.

The DOS event took advantage of a known software vulnerability that required a previously published patch to fix, according to the DOE official.

In other words, with a patch in hand, it wouldn’t have been difficult for power companies to identify and update any computer systems potentially at risk. DOE didn’t clarify which equipment — whether routers, work stations or even phones — were affected by the denial of service.

Denial-of-service attacks frequently target internet-facing devices or services — one record-setting DDOS interrupted access to popular sites like Twitter and Grubhub in fall 2016. In order for a DOS to have triggered an electric disturbance alert, it likely would have hit something more significant, but still externally facing, industry sources speculated: perhaps firewalls or routers on the boundary of a grid network. While a cyberattack on such equipment wouldn’t disrupt the flow of electricity, it could force operators to pause or redirect certain activities at affected facilities to allow for an investigation.

The Electricity Information Sharing and Analysis Center, the electric sector’s hub for getting the word out on the latest threats and vulnerabilities, issued an alert with information to mitigate the threat, according to multiple sources.

The DOS event reflects a concerning uptick in attacks — sophisticated or not — targeting critical infrastructure facilities worldwide, according to Lior Frenkel, CEO and co-founder of industrial cybersecurity firm Waterfall Security Solutions. Tools once exclusively available to nation-state hacking teams have passed into the hands of criminal organizations and the general public, he observed.

Grid cyberevents like that of March 5 "are bound to happen at an increasing rate," he warned. "Targets need to understand the world has changed."

The utility targeted in the March 5 DOS attack hasn’t been identified.

State utility regulators in Wyoming, Utah and California have all declined to share additional details or failed to respond to requests for comment.

The Western Electricity Coordinating Council, the regional grid overseer for the four counties listed in the vague DOE filing, said via a spokeswoman that "we do not comment about individual entities."

Federal officials have been similarly tight-lipped. The North American Electric Reliability Corp., which manages the industry’s threat information sharing center, has yet to comment on the case, while the Department of Homeland Security deferred comment to DOE. The Federal Energy Regulatory Commission said it was aware of the case but declined further comment.

Meanwhile, three electric sector organizations with operations spanning Utah, California and Wyoming have all denied filing the original OE-417 report on March 5.

Those organizations are Peak Reliability, which conducts real-time monitoring and control of the Western transmission grid; the Western Area Power Administration, one of four federally owned power marketing administrations that generates, transmits and sells electricity across 15 states; and Berkshire Hathaway Energy, whose subsidiaries Rocky Mountain Power and BHE Renewables LLC have significant power production and distribution footprints ranging from Los Angeles to Converse County, Wyo.

Want insightful, digestible cybersecurity coverage from a trusted source? Sign up for the free weekly cyber news brief from the E&E News reporting team of Blake Sobczak and Peter Behr.