Last week, the U.S. power sector marked a sober milestone: an anonymous Western utility became the first to report a malicious "cyber event" that disrupted grid operations.
The hack itself occurred two months ago, on March 5, when a "denial-of-service" attack disabled Cisco Adaptive Security Appliance devices ringing power grid control systems in Utah, Wyoming and California, according to multiple sources and a vague summary of a Department of Energy filing.
There were no blackouts, no harm to power generation and evidently very little effect on the Western transmission grid, according to multiple sources and officials. The most direct impact was likely a temporary loss of visibility to certain parts of the utility’s supervisory control and data acquisition (SCADA) system, though all major transmission operators in the regions affected denied having been hit by the denial-of-service attack.
The "cyber event that causes interruptions of electrical system operations," as the attack was categorized in the jargon of DOE electric disturbance forms, made waves in critical infrastructure security circles as a first-of-its-kind case study.
No U.S. electrical utility is known to have experienced any disruptive cyberattack in the past, a surprising fact given that utilities routinely find themselves in the crosshairs of the world’s most sophisticated hackers and can face millions of more run-of-the-mill hacking attempts every day (Energywire, July 20, 2018).
Fears that a bona fide cyberattack would be blown out of proportion among the general public have fueled a culture of secrecy around anything filed under "cyber" in the electricity sector.
At the most recent GridEx security exercise in 2017, utilities practiced how word would get out about a blitz of simulated cyber and physical attacks. The exercise modeled how misinformation about the incident could spread quickly over social media.
"The grid runs everything. Forget how robust it is. How many other critical infrastructure sectors rely on electricity?" said John Hultquist, director of intelligence analysis at cybersecurity firm FireEye Inc.
"It’s the best way to cause cascading effects across society — the public knows that. They don’t know anything about how hard that would be."
Utility executives have pointed to the bulk power grid’s complexity — the United States really has three separate "interconnections" linked up to thousands of utilities — as contributing to its defense against new hacking threats. Large power companies practice what it would take to run the grid in "manual mode" if hackers succeeded in blinding operations centers or hijacking digitized equipment, according to Scott Aaronson, vice president of security and preparedness at the Edison Electric Institute, in congressional testimony this February.
"Our companies take a ‘defense-in-depth’ approach with several layers of security strategies, which are designed to eliminate single points of failure," he said, less than one week before the anonymous Western grid operator was hit by the denial of service.
U.S. grid operators picked up on the importance of manual backstops in the wake of a December 2015 cyberattack on Ukraine’s power grid. In that event, hackers briefly knocked out power to customers of three distribution utilities in western Ukraine for several hours — the first time a cyberattack is known to have caused a blackout anywhere in the world.
The three utilities targeted by the attack — Prykarpattyaoblenergo, Kyivoblenergo and Chernivtsioblenergo — were able to bring the lights back on quickly by sending workers to flip high-voltage circuit breakers by hand.
In the Ukraine hack, the utilities not only lost their visibility but also ceded control of their networks to remote attackers later linked to Russia. The hackers knew whom they were hitting and paired their grid hijacking with a flood of telephone calls to overwhelm the utilities’ phone networks and hamper restoration.
The more recent "denial of service" on U.S. Cisco equipment isn’t known to have involved any hostile takeover of operational networks. It’s possible the hacker or hackers in that case didn’t even realize they were interfering with power grid equipment, sources said, perhaps having found the Cisco firewalls exposed online via specialized internet search tools.
While the incident marked a first in the annals of DOE grid cyber events, loss of view into utilities’ control systems is a frequent hazard, whether from power outages or communications glitches.
The danger "depends on how much SCADA visibility is lost," noted Patrick Miller, managing partner at Archer Energy Solutions. "The system is more like an ecosystem where you can infer what is happening in one area by the way another reacts."
DOE electric disturbance reports are littered with reports of "complete loss of monitoring or control capability" at utility control centers, the vast majority of which never led to any power outages.
It’s not even clear the March 5 event led to a complete loss of visibility during its 9 a.m. to 7 p.m. duration. As Miller pointed out, many utilities maintain alternative means of control system communications in case of emergency.
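The two points made above, that the danger depends on how much SCADA visibility is lost and that alternate communication paths can keep a site in view, can be turned into a concrete monitoring check. The following is an added illustration, not code from the article or from any utility named in it: a small visibility monitor that polls heartbeat records per site and channel, classifies each site as visible, degraded (primary feed stale but an alternate channel still reporting) or lost, and then judges whether a loss looks isolated (one site, most likely a local link fault) or regional (many primary feeds going stale at once, which points at a shared upstream path such as a perimeter firewall). The site names, timestamps, the 30-second staleness budget and the 50 percent regional threshold are all constructed for the example.

```python
"""Constructed SCADA visibility monitor (added example, not from the article).

Every telemetry source reports over a primary channel and, optionally, an
alternate one. A channel is "fresh" if its last good poll is within the
staleness budget; a site is visible if the primary channel is fresh,
degraded if only the alternate is fresh, and lost if nothing is fresh.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

STALE_AFTER = timedelta(seconds=30)  # assumed polling budget before a feed counts as stale


@dataclass(frozen=True)
class Heartbeat:
    site: str
    channel: str          # "primary" or "alternate"
    last_seen: datetime   # time of the last good poll on that channel


def site_status(beats, now, stale_after=STALE_AFTER):
    """Map each site to 'visible', 'degraded' or 'lost' from its channel heartbeats."""
    fresh = {}
    for b in beats:
        fresh.setdefault(b.site, {})[b.channel] = (now - b.last_seen) <= stale_after
    status = {}
    for site, channels in fresh.items():
        if channels.get("primary"):
            status[site] = "visible"
        elif channels.get("alternate"):
            status[site] = "degraded"
        else:
            status[site] = "lost"
    return status


def assess_loss(status, regional_threshold=0.5):
    """Summarize how much of the view is gone and whether the pattern looks shared."""
    total = len(status)
    lost = sorted(s for s, v in status.items() if v == "lost")
    degraded = sorted(s for s, v in status.items() if v == "degraded")
    primary_down = sorted(lost + degraded)
    blind_fraction = len(lost) / total if total else 0.0
    primary_down_fraction = len(primary_down) / total if total else 0.0
    if not primary_down:
        verdict = "full visibility"
    elif len(primary_down) == 1:
        verdict = "isolated loss: one site, most likely a local link or device fault"
    elif primary_down_fraction >= regional_threshold:
        verdict = "regional loss: many primary feeds stale at once, check the shared upstream path"
    else:
        verdict = "partial loss: several sites, no single shared cause evident"
    return {
        "lost": lost,
        "degraded": degraded,
        "blind_fraction": blind_fraction,
        "primary_down_fraction": primary_down_fraction,
        "verdict": verdict,
    }


# Constructed sample: four hypothetical substations polled at an invented time.
SAMPLE_NOW = datetime(2019, 3, 5, 9, 15)
SAMPLE_BEATS = [
    Heartbeat("sub_alpha", "primary", SAMPLE_NOW - timedelta(minutes=12)),    # stale
    Heartbeat("sub_alpha", "alternate", SAMPLE_NOW - timedelta(seconds=5)),   # fresh
    Heartbeat("sub_bravo", "primary", SAMPLE_NOW - timedelta(seconds=10)),    # fresh
    Heartbeat("sub_charlie", "primary", SAMPLE_NOW - timedelta(minutes=12)),  # stale
    Heartbeat("sub_charlie", "alternate", SAMPLE_NOW - timedelta(minutes=11)),# stale
    Heartbeat("sub_delta", "primary", SAMPLE_NOW - timedelta(minutes=12)),    # stale, no alternate
]


def run_sample():
    """Run the monitor over the constructed sample and return (status, report)."""
    status = site_status(SAMPLE_BEATS, SAMPLE_NOW)
    return status, assess_loss(status)


if __name__ == "__main__":
    status, report = run_sample()
    for site, state in status.items():
        print(f"{site:12s} {state}")
    print(report["verdict"])
```

In the sample, three of four primary feeds are stale at the same moment, so the monitor reports a regional loss even though one of those sites is still in view over its alternate channel. That distinction matters operationally: a single stale feed is routine, while many feeds dropping together behind one perimeter device is the pattern worth escalating.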
The Department of Energy and the Federal Energy Regulatory Commission are both restructuring rules for utilities to report grid cyberattacks to regulators. FERC commissioners, frustrated by years of radio silence from utilities despite a stream of warnings about growing cyberthreats, moved last year to broaden the definition of what constitutes a reportable incident.
The March 5 event is listed publicly because it cleared a certain bar of severity, said Sam Feinburg, executive director of Helena, which is working on a "Shield Project" to boost U.S. grid defenses. "There are undoubtedly many more such events that don’t breach that bar and therefore don’t become public knowledge."
Feinburg said such events, even when carried out by unsophisticated hackers, don’t get enough attention.
"[Grid] infrastructure is getting more complicated, and because of that, it’s getting harder and harder to defend each part of it," he said. "The ability to conduct these attacks is only being distributed across a wider and wider set of folks."
"It does not take a sophisticated attacker to deal damage to critical electrical infrastructure, and that’s scary," Feinburg said.
Reported by Blake Sobczak and Peter Behr of E&E News.