How can a single grid cyber event span Wyoming, Utah and California?
I puzzled over that question as soon as I spotted a March 5 cyber incident in Department of Energy records earlier this year. There aren't many grid operators that cover that kind of geographic range. The Western Area Power Administration? Berkshire Hathaway Energy, perhaps? PacifiCorp, somehow?
I contacted them all, and I got the same reply: Wasn't us.
Documents newly released to E&E News under the Freedom of Information Act have cleared up the mystery.
Utah-based sPower has wind and solar power generation assets spread across those three states and fell victim to a denial-of-service attack that briefly brought down communications to those sites while stopping short of interrupting electricity, according to a DOE OE-417 "electric emergency and incident disturbance report."
OE-417 reports offer one of the best public glimpses at the panoply of disruptions that can assail U.S. power providers, from winter storms to fuel shortages.
"Cyber events" are exceedingly rare in the annals of OE-417 history. Only two have ever been documented as actually causing a bona fide grid disruption, and the first of those was caused by a utility employee inadvertently gaining access to a live operational network in Michigan.
That makes the cyber event registered on sPower a first-of-its-kind event — even though, as far as cyberattacks go, it was a pretty basic threat.
Denial-of-service attacks tend to be somewhat ham-fisted affairs, and this one was no different, taking advantage of a known vulnerability in Cisco firewalls to force any of the unpatched, internet-facing devices to reboot. It's not even clear the hacker or hackers behind the March 5 event knew their malicious activity would spill over into any solar and wind farms out West.
Officials at the North American Electric Reliability Corp., which sets and enforces mandatory grid cybersecurity standards and manages the power sector's main information-sharing hub for hacking threats, thought it worth getting the word out about the March 5 event.
NERC not only issued a notice to utilities in the spring — it followed up with a "Lesson Learned" document on risks posed by firewall vulnerabilities.
The main takeaway? Utilities, patch your devices, and better yet — keep them off the public internet.
— Blake Sobczak
Bits and bytes
A Utah renewable energy developer was struck by an unprecedented cyberattack that cut contact to a dozen wind and solar farms this spring, according to documents obtained by E&E News under the Freedom of Information Act. E&E News
President Trump is eyeing an executive order directing the federal government's power marketing administrations to better consider grid supply-chain security, two sources familiar with the order told E&E News. E&E News
How the cybersecurity firm Tiversa went from rapid growth and golden boy status to unraveling under the weight of a federal criminal probe. New Yorker
Two men pleaded guilty in federal court to the charges of hacking and extortion conspiracy that landed Uber and LinkedIn in data breach scandals. The New York Times
Despite the "clear and pervasive" danger of ransomware, Congress is totally stumped. Wired