Author: Robert Walton         Published: 11/4/19        Utility Dive

New details of a denial-of-service attack earlier this year show an energy sector with uneven security.

A March 5 cyberattack of U.S. wind and solar assets is back in the news, with fresh documents helping shed light not just on the extent, but also the simplicity of the first-of-its-kind intrusion. Cybersecurity experts say it reveals a utility sector not sufficiently vigilant, and failing to employ the most simple fixes.

The North American Electric Reliability Corporation (NERC) in Septemberrevealed details about the denial-of-service (DoS) attack, urging utilities to keep firewalls patched and up to date, but held back the name of the impacted entity. E&E News last week revealed, based on documents obtained through a public records request, the victim was sPower.

WEST MONROE PARK

Owned by AES and AIMCo, sPower bills itself as the United States’ largest private owner of operating solar assets. Though there was no loss of generation, the March cyberattack impacted the company’s visibility into about 500 MW of wind and PV across California, Utah and Wyoming.

The attack is widely being called the “first” on renewable generators, though it is not clear the grid intrusion was entirely intentional. Attackers exploited a known vulnerability in an unpatched Cisco firewall, causing a series of reboots over 12 hours. But intruders did not press the attack further and E&Ereports it is unclear they understood the firewall was connected to the energy grid.

Security experts say the attack is a wake-up call for the electric sector and a sign that clear vulnerabilities remain.

“The news begs a bigger question about cybersecurity regulations for the energy industry,” Phil Neray, vice president of security firm CyberX, said in an email. “The manner in which it was carried out was very basic — exposing some essential weaknesses in the way energy companies currently patch and monitor their network devices.”

Utilities must do basic security maintenance

CyberX released a report last month that concluded utility networks and unmanaged devices are “soft targets for adversaries.” Many utilities use outdated operating systems and unencrypted passwords that leave them vulnerable, the firm found.

That means in some instances utilities are not even maintaining the most basic of protection: keeping systems up to date.

“The simplicity of this attack should make generators sit up and take notice.”

Jason Haward-Grau

Chief information security officer, PAS Global

Neray said the grid is made vulnerable by network appliances like the ones that were compromised in the attack on sPower: directly exposed to the internet, unpatched and with limited malware capabilities. “We’ve seen attackers go after unpatched network devices in the past,” he said.

The March 5 attack is “one more example …. that cyber risk in the industrial space is not only real, but operant,” Jason Haward-Grau, chief information security officer at cyber firm PAS Global, said in an email.

“The simplicity of this attack should make generators sit up and take notice,” Haward-Grau said. “This was a ‘simple’ IT attack on an unpatched firewall, which was still vulnerable, in spite of the patch being available.”