Cyberattack Disrupted Firewalls at U.S. Power Utility

A denial-of-service (DoS) attack that caused disruptions at a power utility in the United States earlier this year exploited a known vulnerability in a firewall used by the affected organization.

A quarterly report published last spring by the National Energy Technology Laboratory revealed that a cyber event caused “interruptions of electrical system operations” at an unnamed utility in the western part of the United States. The incident, which occurred on March 5, impacted California, Utah and Wyoming, but it did not result in any power outages.

E&E News, which provides news for energy and environment professionals, learned at the time that the disruption involved a DoS attack that exploited a known vulnerability, but no other details were made available.

E&E has now noticed that a “lesson learned” report from the North American Electric Reliability Corporation (NERC) reveals that the incident involved a vulnerability in the web interface of firewalls used by the impacted organization.

According to the NERC document, an unauthenticated attacker exploited a known vulnerability in the firewalls to trigger a DoS condition that caused the devices to reboot. It’s unclear which company provided the firewalls, but they were apparently internet-facing perimeter devices that “served as the outer layer security.”

The impacted utility still has not been named, but NERC says the DoS attack hit a low-impact control center and multiple remote low-impact generation sites, causing brief outages in communications between the control center and the sites, and with the field devices at those sites.

The outages lasted for less than five minutes and the reboots occurred over a 10-hour timeframe.

“After an initial internal investigation, the entity decided that, in order to fully characterize the nature of the reboots and the potential causes, the firewall manufacturer should review logs,” NERC said. “Subsequent analysis determined that the reboots were initiated by an external entity exploiting a known firewall vulnerability. After receiving this notification, the entity initiated their event reporting procedure as dictated by their cybersecurity incident response plan.”

The impacted utility is said to have reviewed its process for deploying firmware updates following the incident, and NERC hopes other energy companies will learn and take steps to prevent such incidents.

NERC has been known to issue fines of millions of dollars to energy firms over cybersecurity issues, but it’s unclear if the organization hit by the DoS attack will be penalized.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.