Cisco Firewall Exploited in Attack on U.S. Renewable Energy Firm

More details have emerged on the March denial-of-service (DoS) attack that disrupted firewalls and caused interruptions to electrical system operations at a power utility in the United States.

A report published earlier this year by the National Energy Technology Laboratory revealed that a cyber event caused problems at a utility in the western part of the U.S. on March 5. The incident affected California, Utah and Wyoming, but it did not result in any power outages.

It was revealed soon after the report was made public that the incident involved a DoS attack that exploited a known vulnerability. Then, the North American Electric Reliability Corporation (NERC) said in September that the security flaw impacted the web interface of firewalls used by the impacted organization, and that the attacker triggered a DoS condition on these appliances, causing them to reboot.

More details emerge on US power utility cyberattack

This led to communication outages between the organization’s control center and the field devices at several of its sites. The outages occurred over a period of 10-12 hours and each of them lasted for less than five minutes.
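The pattern described above, several brief communication losses spread over roughly half a day rather than one long outage, is a signal a control-center operator can look for in their own poller or SCADA gateway logs. The following script is an added illustration written for this article, not code from the article, sPower or any vendor; the log format (ISO timestamp, site id, COMM_LOST/COMM_RESTORED events), the site names and the log lines themselves are constructed assumptions. It pairs loss/restore events per site, discards long outages (which look like maintenance or a real link failure) and flags sites that show repeated sub-five-minute losses within a sliding 12-hour window, which is the shape a rebooting edge firewall produces.

```python
"""Flag field sites showing repeated short communication losses.

Added illustration, not from the article: the incident report describes
firewall reboots that cut control-center-to-site communication several
times over 10-12 hours, each time for under five minutes. A series of
brief, repeated losses is a different signal from one long outage; this
script separates the two in poller logs. The log format is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: ISO timestamp, site id, event).
# WF-07 shows four short losses in nine hours; SF-02 one long outage;
# SF-03 a single short blip that on its own is not worth an alert.
SAMPLE_LOG = """\
2019-03-05T09:12:04Z site=WF-07 event=COMM_LOST
2019-03-05T09:15:41Z site=WF-07 event=COMM_RESTORED
2019-03-05T11:02:10Z site=WF-07 event=COMM_LOST
2019-03-05T11:05:02Z site=WF-07 event=COMM_RESTORED
2019-03-05T14:47:30Z site=WF-07 event=COMM_LOST
2019-03-05T14:51:12Z site=WF-07 event=COMM_RESTORED
2019-03-05T18:20:00Z site=WF-07 event=COMM_LOST
2019-03-05T18:23:55Z site=WF-07 event=COMM_RESTORED
2019-03-05T10:00:00Z site=SF-02 event=COMM_LOST
2019-03-05T12:30:00Z site=SF-02 event=COMM_RESTORED
2019-03-05T13:00:00Z site=SF-03 event=COMM_LOST
2019-03-05T13:02:00Z site=SF-03 event=COMM_RESTORED
"""


def parse_events(text):
    """Parse log lines into (timestamp, site, event) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, kv["site"], kv["event"]))
    events.sort(key=lambda e: e[0])
    return events


def build_outages(events):
    """Pair each COMM_LOST with the next COMM_RESTORED for the same site.

    Returns {site: [(start_time, duration), ...]}; an unmatched loss
    (still down at end of log) is simply left open and not counted.
    """
    open_loss = {}
    outages = defaultdict(list)
    for ts, site, event in events:
        if event == "COMM_LOST":
            open_loss[site] = ts
        elif event == "COMM_RESTORED" and site in open_loss:
            start = open_loss.pop(site)
            outages[site].append((start, ts - start))
    return outages


def flag_repeated_short_outages(outages, max_duration=timedelta(minutes=5),
                                min_count=3, window=timedelta(hours=12)):
    """Return {site: count} for sites with at least min_count outages
    shorter than max_duration whose start times fall inside one sliding
    window of the given length. Long outages are ignored on purpose."""
    flagged = {}
    for site, spans in outages.items():
        starts = sorted(s for s, d in spans if d < max_duration)
        best, j = 0, 0
        for i in range(len(starts)):
            # Advance the window's left edge until it spans <= window.
            while starts[i] - starts[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_count:
            flagged[site] = best
    return flagged


def analyze(text=SAMPLE_LOG):
    """End-to-end: parse, pair, and flag. Returns the flagged-site dict."""
    return flag_repeated_short_outages(build_outages(parse_events(text)))


if __name__ == "__main__":
    for site, n in analyze().items():
        print(f"{site}: {n} short outages within 12h; "
              f"check the site firewall's reboot and crash logs")
```

The thresholds (under five minutes, at least three occurrences, 12-hour window) are taken directly from the figures in the article and are parameters, so an operator can tighten them to match their own polling interval. Correlating a flagged site with the firewall's own reboot records is what turns this from a link-quality alert into an indicator that the appliance itself is being knocked over.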

E&E News, which provides news for energy and environment professionals, recently obtained more information about the incident by filing a Freedom of Information Act (FOIA) request.

An electric emergency incident and disturbance report provided in response to the request by the U.S. Department of Energy shows that the victim of the attack was sPower, a Utah-based renewable energy power producer that relies on wind and solar technologies.

The document cites Department of Energy representatives explaining that the attack involved exploitation of a known vulnerability in Cisco firewalls. Many vulnerabilities have been found in these types of products and some of them have been exploited in attacks.

Following the incident, sPower analyzed its logs and found no evidence of a breach and the company claimed the incident did not impact operations. It appears that the firewall reboots only prevented the company from monitoring a dozen of its wind and solar farms.

Following the incident, sPower contacted Cisco, which advised it to patch its firewalls. sPower deployed firmware updates to its firewalls after ensuring that they would not cause other problems.

It’s unclear if this was a targeted attack, but since malicious actors can easily target internet-exposed firewalls on a large scale, it would not be surprising if the attack was opportunistic, with the attackers possibly unaware of the effects of their exploitation attempts.

“Network appliances like the ones compromised in the western states incident are easy to attack because they’re difficult to patch and have no anti-malware capabilities — plus they’re directly exposed to the internet, meaning they can be compromised by nation-states or cybercriminals located anywhere in the world,” Phil Neray, VP of Industrial Cybersecurity at CyberX, told SecurityWeek. “We’ve seen attackers go after unpatched network devices in the past, such as in the VPNFilter attacks of 2018, which have been widely attributed to Russian threat actors.”

Neray added, “It’s highly unlikely that attackers could take down the entire U.S. power grid because it has been specifically designed to eliminate any single points of failure. Nevertheless, it’s easy to imagine how determined nation-state attackers could target specific population centers to cause major disruption and chaos, as Russian threat actors did with the Ukrainian grid attacks of 2015 and 2016. This is not completely theoretical. In March 2018, the US FBI/DHS concluded that since at least March 2016, Russian government cyber actors had targeted and compromised government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. As such, organizations should be on high alert for similar incidents.”

*Updated with comments from Phil Neray

Related: U.S. to Help Secure Baltic Energy Grid Against Cyber Attacks

Related: NIST Working on Industrial IoT Security Guide for Energy Companies

Related: GAO Says Electric Grid Cybersecurity Risks Only Partially Assessed

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.