
Cisco Firewall Exploited in Attack on U.S. Renewable Energy Firm

More details have emerged on the March denial-of-service (DoS) attack that disrupted firewalls and caused interruptions to electrical system operations at a power utility in the United States.

A report published earlier this year by the National Energy Technology Laboratory revealed that a cyber event caused problems at a utility in the western part of the U.S. on March 5. The incident affected California, Utah and Wyoming, but it did not result in any power outages.

Soon after the report was made public, it emerged that the incident involved a DoS attack exploiting a known vulnerability. In September, the North American Electric Reliability Corporation (NERC) added that the flaw was in the web interface of the firewalls the organization used, and that the attacker triggered a DoS condition on these appliances, causing them to reboot.


The reboots caused communication outages between the organization’s control center and the field devices at several of its sites. The outages occurred over a period of 10-12 hours, and each lasted less than five minutes.
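The pattern NERC describes, repeated firewall reboots each costing a few minutes of control-center-to-field visibility, is something a utility can check its own logs for. The following is an added example, not code from the article, sPower or Cisco: it parses a constructed, simplified key=value event log (hypothetical site and firewall names, constructed timestamps) in which a poller records link_down/link_up for each field site and the firewall records its own reboots, attributes each short outage to a reboot that falls inside it, and flags a firewall whose reboots recur within a 12-hour window.

```python
"""Flag repeated short field-site outages that coincide with firewall reboots.

Added example (not the article's, sPower's or Cisco's code). The log format,
site names, firewall name and timestamps are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

# Thresholds taken from the figures in the article; tune for real deployments.
SHORT_OUTAGE = timedelta(minutes=5)   # each outage lasted under five minutes
STORM_WINDOW = timedelta(hours=12)    # outages spread over 10-12 hours
REBOOT_SLACK = timedelta(seconds=60)  # reboot may be logged just before link_down

# Constructed sample log: "<date> <time> <source> key=value ...".
SAMPLE_LOG = """\
2019-03-05 09:12:01 poller site=wind-03 event=link_down
2019-03-05 09:12:01 poller site=solar-07 event=link_down
2019-03-05 09:12:03 fw-edge-1 event=reboot
2019-03-05 09:15:40 poller site=wind-03 event=link_up
2019-03-05 09:15:41 poller site=solar-07 event=link_up
2019-03-05 11:40:10 poller site=wind-03 event=link_down
2019-03-05 11:40:12 fw-edge-1 event=reboot
2019-03-05 11:43:55 poller site=wind-03 event=link_up
2019-03-05 14:02:00 poller site=wind-03 event=link_down
2019-03-05 14:50:00 poller site=wind-03 event=link_up
2019-03-05 18:29:58 poller site=wind-03 event=link_down
2019-03-05 18:30:00 fw-edge-1 event=reboot
2019-03-05 18:32:10 poller site=wind-03 event=link_up
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.*)$")


class Outage(NamedTuple):
    site: str
    start: datetime
    end: datetime
    reboot_source: Optional[str]    # firewall whose reboot fell inside the outage
    reboot_at: Optional[datetime]


def parse(log: str):
    """Return (timestamp, source, fields) tuples sorted by time."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore blank or malformed lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        events.append((ts, m.group(2), fields))
    events.sort(key=lambda e: e[0])
    return events


def pair_outages(events) -> List[Outage]:
    """Pair each site's link_down with its next link_up; attach a coinciding reboot."""
    reboots = [(ts, src) for ts, src, f in events if f.get("event") == "reboot"]
    open_down: Dict[str, datetime] = {}
    outages: List[Outage] = []
    for ts, _src, f in events:
        site = f.get("site")
        if not site:
            continue
        if f.get("event") == "link_down" and site not in open_down:
            open_down[site] = ts
        elif f.get("event") == "link_up" and site in open_down:
            start = open_down.pop(site)
            # A reboot logged within the outage (or just before link_down) is the cause.
            hit = next(((rts, s) for rts, s in reboots if start - REBOOT_SLACK <= rts <= ts), None)
            outages.append(Outage(site, start, ts, hit[1] if hit else None, hit[0] if hit else None))
    return outages


def find_reboot_storms(outages: List[Outage], min_reboots: int = 2) -> Dict[str, dict]:
    """Per firewall, find the densest STORM_WINDOW of distinct reboot-caused short outages."""
    reboots_by_fw = defaultdict(set)
    for o in outages:
        if o.reboot_source and (o.end - o.start) < SHORT_OUTAGE:
            reboots_by_fw[o.reboot_source].add(o.reboot_at)  # one reboot may drop many sites
    storms = {}
    for fw, times in reboots_by_fw.items():
        ordered = sorted(times)
        best = None
        for i, t0 in enumerate(ordered):
            inside = [t for t in ordered[i:] if t - t0 <= STORM_WINDOW]
            if len(inside) >= min_reboots and (best is None or len(inside) > best[0]):
                best = (len(inside), inside[0], inside[-1])
        if best:
            storms[fw] = {"reboots": best[0], "first": best[1], "last": best[2]}
    return storms


if __name__ == "__main__":
    for fw, s in find_reboot_storms(pair_outages(parse(SAMPLE_LOG))).items():
        print(f"{fw}: {s['reboots']} reboot-linked short outages between {s['first']} and {s['last']}")
```

On the sample, the 48-minute outage at 14:02 has no reboot inside it and is left unattributed, while the three reboots at 09:12, 11:40 and 18:30 (the first of which drops two sites at once) are counted as three distinct events in one window. In practice the poller events would come from the SCADA front-end or ICMP monitoring and the reboot events from the appliance's syslog feed, which is also where the web-interface requests that precede each reboot should be looked for.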

E&E News, which provides news for energy and environment professionals, recently obtained more information about the incident by filing a Freedom of Information Act (FOIA) request.

An electric emergency incident and disturbance report provided in response to the request by the U.S. Department of Energy shows that the victim of the attack was sPower, a Utah-based renewable energy power producer that relies on wind and solar technologies.

The document cites Department of Energy representatives explaining that the attack involved exploitation of a known vulnerability in Cisco firewalls. Many vulnerabilities have been found in these types of products and some of them have been exploited in attacks.


Following the incident, sPower analyzed its logs and found no evidence of a breach, and the company said the incident did not affect operations. It appears that the firewall reboots only prevented the company from monitoring a dozen of its wind and solar farms.

sPower also contacted Cisco, which advised it to patch its firewalls. The company deployed firmware updates to the firewalls after ensuring that they would not cause other problems.

It’s unclear whether this was a targeted attack. Because internet-exposed firewalls are easy to find and hit at scale, the attack may well have been opportunistic, and the attackers may not even have been aware of the effect their exploitation attempts had on the utility.

“Network appliances like the ones compromised in the western states incident are easy to attack because they’re difficult to patch and have no anti-malware capabilities — plus they’re directly exposed to the internet, meaning they can be compromised by nation-states or cybercriminals located anywhere in the world,” Phil Neray, VP of Industrial Cybersecurity at CyberX, told SecurityWeek. “We’ve seen attackers go after unpatched network devices in the past, such as in the VPNFilter attacks of 2018, which have been widely attributed to Russian threat actors.”

Neray added, “It’s highly unlikely that attackers could take down the entire U.S. power grid because it has been specifically designed to eliminate any single points of failure. Nevertheless, it’s easy to imagine how determined nation-state attackers could target specific population centers to cause major disruption and chaos, as Russian threat actors did with the Ukrainian grid attacks of 2015 and 2016. This is not completely theoretical. In March 2018, the US FBI/DHS concluded that since at least March 2016, Russian government cyber actors had targeted and compromised government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. As such, organizations should be on high-alert for similar incidents.”

*Updated with comments from Phil Neray

Related: U.S. to Help Secure Baltic Energy Grid Against Cyber Attacks

Related: NIST Working on Industrial IoT Security Guide for Energy Companies

Related: GAO Says Electric Grid Cybersecurity Risks Only Partially Assessed

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.