The North American Electric Reliability Corp. has published details on the attack behind the first known disruptive "cyber event" for the U.S. power grid.
First publicly disclosed in May by the U.S. Department of Energy, the March 5 incident consisted of a 10-hour cyberattack on unnamed utilities in Kern County and Los Angeles County, Calif.; Salt Lake County, Utah; and Converse County, Wyo.
The attack, characterized as a distributed-denial-of-service attack (an unsophisticated attempt to take a network offline by flooding its servers with traffic from many sources), caused no blackouts and did not affect generation. It did, however, cause brief communication outages, each lasting less than five minutes, between a utility's "low-impact" control center and multiple remote generation sites, and between equipment at those sites.
In a recent "Lessons Learned" bulletin, the grid reliability watchdog disclosed further details of the March 5 attack and warned the power sector about the risk posed by firewall firmware vulnerabilities, in particular the risk of leaving a known vulnerability unpatched, as was the case on March 5.
According to NERC's analysis of the March 5 event, the attackers exploited a known vulnerability in the web interface of the vendor's firewall, causing unexpected reboots of a single entity's "outer security" firewall devices; those reboots produced the brief communication outages. The reboots, which recurred over a period of 10 hours, prompted the entity to investigate, at which point it discovered that the firewall manufacturer had already released a firmware update addressing the exploited vulnerability.
The utility deployed the firmware patch promptly, monitoring for adverse effects as it went: first on a firewall in a noncritical environment at its control center, then at an operational generation site that night, and finally on all remaining bulk electric system assets that shared the vulnerable hardware and firmware.
"Given that a firmware update to address the exploited vulnerability had been released prior to the event, the entity's process for assessing and implementing firmware updates was reviewed," NERC relayed. "Based on this review, the entity decided to implement a more formal and more frequent review of vendor firmware updates that would be tracked within internal compliance tracking software."
NERC noted that the attacked entity was already in the process of developing internal procedures to support constant compliance monitoring of vendor firmware updates at the time of the attack. "Additionally, the entity now utilizes firewall rules that restrict allowable traffic to the minimum required to operate the assets," NERC said.
Even for low-impact bulk electric system assets, NERC recommended that entities closely monitor vendor firmware releases and install updates promptly, among other cybersecurity best practices.
"Firewall firmware updates need to be reviewed as quickly as possible after release for risk and applicability," NERC added. "Testing in a development (or 'sandbox') environment prior to deployment is the best way to check for the patch's potential to introduce new problems."
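One way to operationalize the firmware review and staged deployment NERC describes, shown here as an added example that is not part of NERC's bulletin or the affected entity's own tooling: a small Python script that checks each firewall in an inventory against a vendor's fixed-in firmware version and orders the affected devices into the three stages the entity used (a noncritical control-center device, one operational generation site, then the remaining bulk electric system assets on the same hardware). The vendor advisory, device names, models, versions and sites are constructed for the example; a real deployment would pull the inventory and advisory from the entity's asset-management and vendor feeds, and the sandbox test NERC recommends still comes before stage one.

```python
"""Firmware applicability check and staged rollout plan for a firewall fleet.

Added example, not NERC's or the affected entity's tooling. It models the
process in the Lessons Learned: compare each device's installed firmware with
the vendor's fixed-in version, then order the affected devices into the three
stages the entity used (noncritical control-center device, one operational
generation site, then all remaining BES assets on the same hardware).
Device names, models, versions and sites below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Firewall:
    name: str
    model: str
    firmware: str
    site: str
    role: str  # "noncritical", "generation" or "control"


# Constructed vendor advisory: first fixed firmware per hardware model.
FIXED_IN = {"FW-1000": "6.4.3", "FW-2000": "7.1.2"}

# Constructed inventory (hypothetical names, versions and sites).
INVENTORY = [
    Firewall("cc-lab-fw1", "FW-1000", "6.4.1", "control-center", "noncritical"),
    Firewall("cc-outer-fw1", "FW-1000", "6.4.1", "control-center", "control"),
    Firewall("gen-a-fw1", "FW-1000", "6.4.2", "gen-site-a", "generation"),
    Firewall("gen-b-fw1", "FW-2000", "7.1.2", "gen-site-b", "generation"),
    Firewall("gen-c-fw1", "FW-2000", "7.0.9-b12", "gen-site-c", "generation"),
    Firewall("gen-d-fw1", "FW-3000", "2.0.0", "gen-site-d", "generation"),
]


def parse_version(version: str) -> tuple:
    """'6.4.3' -> (6, 4, 3). A build suffix such as '-b12' is ignored.

    Comparing tuples of ints avoids the string-comparison trap where
    '6.10.0' would sort before '6.4.3'.
    """
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(fw: Firewall) -> bool:
    """True if the model is in the advisory and runs pre-fix firmware."""
    fixed = FIXED_IN.get(fw.model)
    if fixed is None:
        return False  # hardware not covered by this advisory
    return parse_version(fw.firmware) < parse_version(fixed)


def rollout_plan(inventory) -> list:
    """Return [(stage description, [device names])] in deployment order."""
    affected = [fw for fw in inventory if is_vulnerable(fw)]
    stage1 = [fw for fw in affected if fw.role == "noncritical"]
    remaining = [fw for fw in affected if fw.role != "noncritical"]
    # Pilot on a single operational generation site before the fleet-wide push;
    # the alphabetically first affected site is chosen so the plan is deterministic.
    gen_sites = sorted({fw.site for fw in remaining if fw.role == "generation"})
    pilot = gen_sites[0] if gen_sites else None
    stage2 = [fw for fw in remaining if fw.site == pilot]
    stage3 = [fw for fw in remaining if fw.site != pilot]
    return [
        ("noncritical control-center device", [fw.name for fw in stage1]),
        (f"pilot operational generation site {pilot}", [fw.name for fw in stage2]),
        ("remaining BES assets with the same hardware", [fw.name for fw in stage3]),
    ]


if __name__ == "__main__":
    for stage, names in rollout_plan(INVENTORY):
        print(f"{stage}: {', '.join(names) or '(none)'}")
```

Running the script prints the three stages with the devices assigned to each. Devices already on the fixed firmware, and hardware the advisory does not list, are left out of the plan; the integer-tuple comparison is what makes that applicability decision reliable across versions such as 6.10.0 versus 6.4.3.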
The identity of the targets of the March 5 attack remains a secret, and NERC has not accused any entity of violating mandatory standards. However, another unnamed utility, widely reported to be Duke Energy Corp., was fined $10 million by NERC in January for 127 alleged violations, including cybersecurity lapses and failure to install available software updates.
In signing off on that penalty on Aug. 29, the Federal Energy Regulatory Commission declined to publicly name Duke as the recipient of the $10 million cybersecurity fine. However, NERC and FERC staff on Aug. 27 released a proposal to publicly name entities that violate mandatory critical infrastructure protection reliability standards. Comments on that proposal are pending.
