First-of-a-kind U.S. grid cyberattack hit wind, solar

By Blake Sobczak | 10/31/2019 07:35 AM EDT

A Utah renewable energy developer was struck by an unprecedented cyberattack that cut contact to a dozen wind and solar farms this spring, according to documents obtained by E&E News under the Freedom of Information Act.

sPower's Pioneer Wind Park in Glenrock, Wyo. Several sPower solar and wind sites experienced communications outages as a result of a cyberattack on Cisco equipment this year.

sPower's Pioneer Wind Park in Glenrock, Wyo. Several sPower solar and wind sites experienced communications outages as a result of a cyberattack on Cisco equipment this year. sPower

This story was updated at 2:55 p.m. EDT.

A Utah renewable energy developer was hit by a first-of-its-kind cyberattack that briefly cut contact to a dozen wind and solar farms this spring, according to documents obtained by E&E News under the Freedom of Information Act.

Salt Lake City-based sPower suffered "denial of service" attacks on March 5 that left grid operators temporarily blinded to generation sites totaling 500 megawatts, the documents show.

Advertisement

Hackers did not cause any blackouts or generation outages, according to sPower, which says it’s the biggest private solar power operator in the United States. The cyberattack took advantage of a known weakness in Cisco firewalls to trigger a series of five-minute communications outages over a span of about 12 hours, according to an emergency report sPower filed with the Department of Energy at the time of the disruption that was not publicly released. Denial-of-service attacks flood target devices or websites with bogus traffic to crash them.

The cybersecurity incident is the first confirmed to have caused "interruptions of electrical system operations," based on DOE records. Experts say the hackers behind the attack may not have known they were affecting the power grid, based on the fact that Cisco firewalls are used in a range of industries and are a popular target of opportunity when left exposed to the internet.

In September, the North American Electric Reliability Corp. posted a document revealing that the attack created blind spots at a grid control center, but it was not known until now which specific company was affected (Energywire, Sept. 6).

"sPower has reviewed log files and has found no evidence of a breach beyond the [denial-of-service] attack," said Matthew Tarduogno, an official in DOE’s Office of Cybersecurity, Energy Security and Emergency Response, in a March 8 email obtained by E&E News. "Additionally, the incident did not have any impacts on operations."

Tarduogno said he was providing DOE’s intelligence officials with updates "and they are ready to investigate any indicators, as appropriate, and have been checking for any related incidents."

A DOE official said in a statement today that while the agency offered to investigate, "the reporting entity did not provide any further data to DOE."

"Additionally, at this time, DOE is not aware of any related incidents in the energy sector," the official said, adding that grid security officials outside the agency also issued a bulletin on the event. "Overall, the incident did not impact generation, the reliability of the grid, or cause any customer outages."

Lara Hamsher, government relations and communications manager at sPower, said in a statement that the company investigated the case and improved its systems since March 5 to "help ensure as much uptime as possible."

"These interruptions had no impact to generation and did not cause electrical system separation," she said in an emailed statement.

‘Pain’ possible

Cybersecurity experts say the March 5 attack underscores emerging dangers to power companies worldwide (Energywire, May 6).

In 2015, hackers knocked out electricity to several hundred thousand people in Ukraine in an unprecedented cyberattack. The attackers, later linked to the Russian government, also swamped their targets’ phone lines with calls in a "telephone denial of service" aimed at hampering recovery. The three power companies hit in that attack managed to restore electricity in a few hours.

"In isolation, impacting network communications is probably not that huge of a deal," said Joe Slowik, principal adversary hunter at industrial cybersecurity firm Dragos Inc."But as a sort of pop-up or amplifying effort, things can get really interesting."

He pointed to the record-smashing electricity demand in Texas this summer as the state experienced a heat wave (Energywire, Aug. 14). Given the region’s heavy reliance on wind power, any communications outages there "would have been a big deal, because that could have resulted in a generation gap that would have led to some pain," Slowik said.

For its part, the sPower wind and solar sites affected by the March 5 cyber event spanned Wyoming, California and Utah, where the company’s 24/7 grid control center and headquarters are located. sPower’s 106.3-MW Solverde project in Lancaster, Calif., and its 80-MW Pioneer Wind Park in Glenrock, Wyo., were among the sites to face communications problems.

sPower is owned as a joint venture between Virginia-based utility AES Corp. and Canadian investment manager AIMCo. Neither parent company responded to requests for comment yesterday.

Wind and solar projects aren’t designed to stop feeding power into the grid if operators lose contact with them. Communications outages of 30 minutes or more are fairly common because of power outages and other glitches, even at much larger grid control centers, and rarely lead to blackouts, based on DOE grid disturbance records.

Still, wind and solar generation sites pose some unique challenges compared with natural gas, coal or nuclear plants that are staffed around the clock.

"They rarely have anyone on-site," said Patrick Miller, managing partner at Archer Energy Solutions. "Any troubleshooting for things like this will often require a fair amount of windshield time for someone or several people. This could easily exacerbate the impacts to incident response and forensic capabilities."

Want insightful, digestible cybersecurity coverage from a trusted source? Sign up for the free weekly cyber news brief from the E&E News reporting team of Blake Sobczak and Peter Behr.