Spring Cyberattack on US Power Grid ‘Probably Just Some Script Kiddie’

The electric utility non-profit NERC has posted a “Lessons Learned” document detailing a March 5th incident that Environment & Energy News calls “a first-of-its-kind cyberattack on the U.S. grid“. While it didn’t cause any blackouts — it was at a “low-impact” control center — NERC is now warning power utilities to “have as few internet facing devices as possible” and to use more than just a firewall for defense.

puddingebola shared this report from Environment & Energy News: The cyberthreat appears to have been simpler and far less dangerous than the hacks in Ukraine. The March 5 attack hit web portals for firewalls in use at the undisclosed utility. The hacker or hackers may not have even realized that the online interface was linked to parts of the power grid in California, Utah and Wyoming. “So far, I don’t see any evidence that this was really targeted,” said Reid Wightman, senior vulnerability analyst at industrial cybersecurity firm Dragos Inc. “This was probably just an automated bot that was scanning the internet for vulnerable devices, or some script kiddie,” he said, using a term for an unskilled hacker…

In the March episode, a flaw in the victim utility’s firewalls allowed “an unauthenticated attacker” to reboot them over and over again, effectively breaking them. The firewalls served as traffic cops for data flowing between generation sites and the utility’s control center, so operators lost contact with those parts of the grid each time the devices winked off and on. The glitches persisted for about 10 hours, according to NERC, and the fact that there were issues at multiple sites “raised suspicion.” After an initial investigation, the utility decided to ask its firewall manufacturer to review what happened, according to NERC, which led to the discovery of “an external entity” — a hacker or hackers — interfering with the devices. NERC stressed that “there was no impact to generation….”

Wightman said the “biggest problem” was the fact that hackers were able to successfully take advantage of a known flaw in the firewall’s interface. “The advisory even goes on to say that there were public exploits available for the particular bug involved,” he said. “Why didn’t somebody say, ‘Hey, we have these firewalls and they’re exposed to the internet — we should be patching?'”

Large power utilities are required to check for and apply fixes to sensitive grid software that could offer an entry point for hackers.