A first-of-its-kind cyberattack on the U.S. grid created blind spots at a grid control center and several small power generation sites in the western United States, according to a document posted yesterday from the North American Electric Reliability Corp.
The unprecedented cyber disruption this spring did not cause any blackouts, and none of the signal outages at the "low-impact" control center lasted for longer than five minutes, NERC said in the "Lesson Learned" document posted to the grid regulator's website.
But the March 5 event was significant enough to spur the victim utility to report it to the Department of Energy, marking the first disruptive "cyber event" on record for the U.S. power grid (Energywire, April 30).
The case offered a stark demonstration of the risks U.S. power utilities face as their critical control networks grow more digitized and interconnected — and more exposed to hackers. "Have as few internet facing devices as possible," NERC urged in its report.
The cyberattack struck at a challenging time for grid operators. Two months prior to the event, then-U.S. Director of National Intelligence Dan Coats warned that Russian hackers were capable of interrupting electricity "for at least a few hours," similar to cyberattacks on Ukrainian utilities in 2015 and 2016 that caused hourslong outages for about a quarter-million people.
The more recent cyberthreat appears to have been simpler and far less dangerous than the hacks in Ukraine. The March 5 attack hit web portals for firewalls in use at the undisclosed utility. The hacker or hackers may not have even realized that the online interface was linked to parts of the power grid in California, Utah and Wyoming.
"So far, I don't see any evidence that this was really targeted," said Reid Wightman, senior vulnerability analyst at industrial cybersecurity firm Dragos Inc. "This was probably just an automated bot that was scanning the internet for vulnerable devices, or some script kiddie," he said, using a term for an unskilled hacker.
Nevertheless, the case turned heads at multiple federal agencies, collectively responsible for keeping the lights on in the face of an onslaught of cyber and physical threats. The blind spots would have left grid operators in the dark for five-minute spans — not enough time to risk power outages but still posing a setback to normal operations.
NERC, DOE, the Federal Energy Regulatory Commission and the Western Electricity Coordinating Council, which monitors and enforces grid security in the western United States, have all declined to share the name of the utility involved in the March 5 incident or other details that they warn could jeopardize the reliability of the grid.
"Lessons learned are an anonymized resource that identifies the lessons and contains sufficient information to understand the issues, and show the desired outcome," NERC spokeswoman Kimberly Mielcarek said in an emailed response to questions, adding that the documents can be based on a "single event" or general trends.
The 'biggest problem'
The latest NERC "lesson" calls on utilities to add additional defenses beyond a firewall, which is designed to block malicious or unwanted web traffic from spilling into power companies' sensitive control networks.
In the March episode, a flaw in the victim utility's firewalls allowed "an unauthenticated attacker" to reboot them over and over again, effectively breaking them. The firewalls served as traffic cops for data flowing between generation sites and the utility's control center, so operators lost contact with those parts of the grid each time the devices winked off and on. The glitches persisted for about 10 hours, according to NERC, and the fact that there were issues at multiple sites "raised suspicion."
After an initial investigation, the utility decided to ask its firewall manufacturer to review what happened, according to NERC, which led to the discovery of "an external entity" — a hacker or hackers — interfering with the devices.
NERC stressed that "there was no impact to generation." Under federal rules, grid operators aren't normally required to report communication outages unless they last for a half-hour or more at a major control center. The fact that hackers, and not some more ordinary source, had caused the temporary blind spots in the incident prompted the victim's DOE filing.
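As an added illustration, not from the NERC document or from this article, the following Python script shows what a control center's monitoring could have flagged in the pattern described above: many short losses of contact with several remote sites over a span of hours, none of which individually crosses the half-hour reporting threshold. The log format, site names and timestamps are invented for the example; the 30-minute threshold is the one the article mentions, and the 12-hour window and episode counts are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (invented for this example, not from the NERC
# document): a control-center link monitor logging loss and recovery of
# contact with the firewall at each remote generation site.
SAMPLE_LOG = """\
2019-03-05T08:02:10 linkmon site=gen-A event=LINK_DOWN
2019-03-05T08:05:40 linkmon site=gen-A event=LINK_UP
2019-03-05T08:31:05 linkmon site=gen-B event=LINK_DOWN
2019-03-05T08:34:12 linkmon site=gen-B event=LINK_UP
2019-03-05T09:10:00 linkmon site=gen-A event=LINK_DOWN
2019-03-05T09:13:55 linkmon site=gen-A event=LINK_UP
2019-03-05T10:47:20 linkmon site=gen-B event=LINK_DOWN
2019-03-05T10:50:02 linkmon site=gen-B event=LINK_UP
2019-03-05T12:20:33 linkmon site=gen-A event=LINK_DOWN
2019-03-05T12:24:50 linkmon site=gen-A event=LINK_UP
2019-03-05T13:05:00 linkmon site=gen-C event=LINK_DOWN
2019-03-05T13:40:00 linkmon site=gen-C event=LINK_UP
2019-03-05T16:58:11 linkmon site=gen-B event=LINK_DOWN
2019-03-05T17:01:30 linkmon site=gen-B event=LINK_UP
"""

LINE_RE = re.compile(r"^(\S+) linkmon site=(\S+) event=(LINK_DOWN|LINK_UP)$")

# Half-hour reporting threshold mentioned in the article (assumed to apply as-is here).
REPORTING_THRESHOLD = timedelta(minutes=30)


def parse_events(text):
    """Parse log lines into (timestamp, site, event) tuples, oldest first.
    Lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    events.sort(key=lambda e: e[0])
    return events


def outages_by_site(events):
    """Pair each LINK_DOWN with the next LINK_UP for the same site.
    Returns {site: [(start, duration), ...]}; an outage still open at the
    end of the log gets duration None so it is never silently dropped."""
    open_since = {}
    result = defaultdict(list)
    for ts, site, event in events:
        if event == "LINK_DOWN":
            open_since.setdefault(site, ts)  # keep the earliest DOWN if repeated
        elif site in open_since:
            start = open_since.pop(site)
            result[site].append((start, ts - start))
    for site, start in open_since.items():
        result[site].append((start, None))
    return dict(result)


def assess(outages, window=timedelta(hours=12), min_episodes=2, min_sites=2):
    """Flag two things: (a) any single outage at or over the reporting
    threshold (or still open), and (b) the 'flapping' pattern: a site with
    at least min_episodes short outages inside one window. The whole picture
    is marked suspicious when that pattern shows up at min_sites or more sites,
    mirroring the article's point that trouble at multiple sites was the tell."""
    long_outages = []
    flapping_sites = []
    for site, episodes in outages.items():
        for start, dur in episodes:
            if dur is None or dur >= REPORTING_THRESHOLD:
                long_outages.append((site, start, dur))
        short_starts = sorted(s for s, d in episodes
                              if d is not None and d < REPORTING_THRESHOLD)
        # Sliding window over the start times of the short outages.
        for i in range(len(short_starts)):
            j = i
            while j < len(short_starts) and short_starts[j] - short_starts[i] <= window:
                j += 1
            if j - i >= min_episodes:
                flapping_sites.append(site)
                break
    return {
        "long_outages": long_outages,
        "flapping_sites": sorted(flapping_sites),
        "suspicious": len(flapping_sites) >= min_sites,
    }


if __name__ == "__main__":
    report = assess(outages_by_site(parse_events(SAMPLE_LOG)))
    print("reportable outages:", report["long_outages"])
    print("flapping sites:", report["flapping_sites"])
    print("suspicious pattern:", report["suspicious"])
```

On the constructed sample, sites gen-A and gen-B each drop for three to four minutes several times over the day, so no single episode would have to be reported, yet both sites are flagged as flapping and the combined picture is marked suspicious; gen-C's single 35-minute outage is listed separately as crossing the reporting threshold.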
"I'm sure [grid] communications have been disrupted by backhoes in the past," Wightman pointed out. He added that grid operators can pick up the phone and call remote sites to check on operations if normal lines of communication go down.
Wightman said the "biggest problem" was the fact that hackers were able to successfully take advantage of a known flaw in the firewall's interface.
"The advisory even goes on to say that there were public exploits available for the particular bug involved," he said. "Why didn't somebody say, 'Hey, we have these firewalls and they're exposed to the internet — we should be patching?'"
Large power utilities are required to check for and apply fixes to sensitive grid software that could offer an entry point for hackers. NERC declined comment on whether the March 5 incident would lead to any enforcement actions, though the nonprofit has levied multimillion-dollar cybersecurity fines against power companies in the recent past. Late last month, NERC announced it had reached a $2.1 million penalty settlement with an unnamed utility — also based out West — over a spate of cybersecurity violations dating back to 2009. Fines for breaking critical infrastructure protection rules are reported to FERC for final approval.