A denial-of-service (DoS) attack that caused disruptions at a power utility in the United States earlier this year exploited a known vulnerability in a firewall used by the affected organization.
A quarterly report published last spring by the National Energy Technology Laboratory revealed that a cyber event caused “interruptions of electrical system operations” at an unnamed utility in the western part of the United States. The incident, which occurred on March 5, impacted California, Utah and Wyoming, but it did not result in any power outages.
E&E News, which provides news for energy and environment professionals, learned at the time that the disruption involved a DoS attack that exploited a known vulnerability, but no other details were made available.
E&E has now noticed that a “lesson learned” report from the North American Electric Reliability Corporation (NERC) revealed that the incident involved a vulnerability in the web interface of firewalls used by the impacted organization.
According to the NERC document, an unauthenticated attacker exploited a known vulnerability in the firewalls to trigger a DoS condition that caused the devices to reboot. It’s unclear which company provided the firewalls, but they were apparently internet-facing perimeter devices that “served as the outer layer security.”
The impacted utility still has not been named, but NERC says the DoS attack hit a low-impact control center and multiple remote low-impact generation sites, causing brief communications outages between the control center and the sites, and between the sites and their field devices.
Each outage lasted less than five minutes, and the reboots recurred over a 10-hour timeframe.
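As an added illustration (not from the NERC report or the article), the following Python script shows the kind of log triage that distinguishes a pattern like this one from routine maintenance: it pairs each unscheduled firewall restart with the next boot-complete message, measures the resulting outage, and flags a device that reboots repeatedly inside a window. The log format, hostnames and restart reasons are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the incident); the format is assumed.
SAMPLE_LOGS = """\
2019-03-05T08:02:11Z fw-west-01 kernel: system restart requested (reason: exception in httpd)
2019-03-05T08:05:40Z fw-west-01 kernel: boot complete, uptime reset
2019-03-05T09:00:00Z fw-east-02 kernel: system restart requested (reason: scheduled maintenance)
2019-03-05T09:03:12Z fw-east-02 kernel: boot complete, uptime reset
2019-03-05T10:31:02Z fw-west-01 kernel: system restart requested (reason: exception in httpd)
2019-03-05T10:34:18Z fw-west-01 kernel: boot complete, uptime reset
2019-03-05T13:47:55Z fw-west-01 kernel: system restart requested (reason: exception in httpd)
2019-03-05T13:51:09Z fw-west-01 kernel: boot complete, uptime reset
2019-03-05T17:20:30Z fw-west-01 kernel: system restart requested (reason: exception in httpd)
2019-03-05T17:24:47Z fw-west-01 kernel: boot complete, uptime reset
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: (?P<event>system restart requested|boot complete)"
    r"(?: \(reason: (?P<reason>[^)]*)\))?")

def parse(log_text):
    """Return (timestamp, host, event, reason) tuples for lines matching the assumed format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["host"], m["event"], m["reason"]))
    return events

def reboot_findings(log_text, min_reboots=3, window=timedelta(hours=12)):
    """Pair each unscheduled restart with the next boot of the same host (outage = the gap),
    then flag hosts with at least min_reboots unscheduled reboots inside a sliding window."""
    per_host, pending = {}, {}
    for ts, host, event, reason in sorted(parse(log_text), key=lambda e: e[0]):
        if event == "system restart requested":
            if reason != "scheduled maintenance":   # planned reboots are not findings
                pending[host] = ts
        elif host in pending:
            start = pending.pop(host)
            per_host.setdefault(host, []).append((start, (ts - start).total_seconds()))
    findings = {}
    for host, reboots in per_host.items():
        times = [t for t, _ in reboots]
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= min_reboots:
                findings[host] = {"reboots": j - i + 1,
                                  "span_hours": round((times[j] - times[i]).total_seconds() / 3600, 1),
                                  "max_outage_s": max(d for _, d in reboots[i:j + 1])}
                break
    return findings
```

On the sample data the flagged host shows four unscheduled reboots spread over roughly nine hours, each with an outage of a few minutes, which is the shape of the event NERC describes; the scheduled reboot on the second device is ignored.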
“After an initial internal investigation, the entity decided that, in order to fully characterize the nature of the reboots and the potential causes, the firewall manufacturer should review logs,” NERC said. “Subsequent analysis determined that the reboots were initiated by an external entity exploiting a known firewall vulnerability. After receiving this notification, the entity initiated their event reporting procedure as dictated by their cybersecurity incident response plan.”
The impacted utility is said to have reviewed its process for deploying firmware updates following the incident, and NERC hopes other energy companies will learn and take steps to prevent such incidents.