First Cyberattack on Renewables Shows Vulnerability

November 4, 2019


Utility Dive:

A March 5 cyberattack of U.S. wind and solar assets is back in the news, with fresh documents helping shed light not just on the extent, but also the simplicity of the first-of-its-kind intrusion. Cybersecurity experts say it reveals a utility sector not sufficiently vigilant, and failing to employ the most simple fixes.

The North American Electric Reliability Corporation (NERC) in September revealed details about the denial-of-service (DoS) attack, urging utilities to keep firewalls patched and up to date, but held back the name of the impacted entity. E&E News last week revealed, based on documents obtained through a public records request, the victim was sPower.

Owned by AES and AIMCo, sPower bills itself as the United States’ largest private owner of operating solar assets. Though there was no loss of generation, the March cyberattack impacted the company’s visibility into about 500 MW of wind and PV across California, Utah and Wyoming.

The attack is widely being called the “first” on renewable generators, though it is not clear the grid intrusion was entirely intentional. Attackers exploited a known vulnerability in an unpatched Cisco firewall, causing a series of reboots over 12 hours. But intruders did not press the attack further and E&E reports it is unclear they understood the firewall was connected to the energy grid.

Security experts say the attack is a wake-up call for the electric sector and a sign that clear vulnerabilities remain.

“The news begs a bigger question about cybersecurity regulations for the energy industry,” Phil Neray, vice president of security firm CyberX, said in an email. “The manner in which it was carried out was very basic — exposing some essential weaknesses in the way energy companies currently patch and monitor their network devices.”

CyberX released a report last month that concluded utility networks and unmanaged devices are “soft targets for adversaries.” Many utilities use outdated operating systems and unencrypted passwords that leave them vulnerable, the firm found.

That means in some instances utilities are not even maintaining the most basic of protection: keeping systems up to date.

Neray said the grid is made vulnerable by network appliances like the ones that were compromised in the attack on sPower: directly exposed to the internet, unpatched and with limited malware capabilities. “We’ve seen attackers go after unpatched network devices in the past,” he said.

The March 5 attack is “one more example …. that cyber risk in the industrial space is not only real, but operant,” Jason Haward-Grau, chief information security officer at cyber firm PAS Global, said in an email.

“The simplicity of this attack should make generators sit up and take notice,” Haward-Grau said. “This was a ‘simple’ IT attack on an unpatched firewall, which was still vulnerable, in spite of the patch being available.”

Utility Dive:

The United States has increased efforts to insert malicious code into Russia’s electric grid, a development The New York Times warned “enshrines power grids as a legitimate target” in the nations’ cold war of cyber one-upmanship.

While President Trump denied the story on Twitter, a spokesman for Russian President Vladimir Putin said it meant a cyberwar between the two countries is a “hypothetical possibility.”

With utilities in the cross-hairs of malicious actors, experts say there are health, safety and economic risks for those who rely on the grid, particularly if escalation continues.

Critical infrastructure in the U.S., including the electric grid, is “increasingly under attack by foreign adversaries,” the head of the Federal Energy Regulatory Commission (FERC), Chairman Neil Chatterjee, told lawmakers last week.

Russia and the U.S. have been probing one another’s electric grids for years now, but The New York Times report indicates a serious escalation. One anonymous intelligence community source for the Times described U.S. actions as having become “far, far more aggressive over the past year.”

Experts in the utility sector say this is likely the new norm, as power grids become more interconnected and growing numbers of devices are generating and consuming power. For customers, the impacts could be deadly.

The New York Times article referenced here is of course the famous admission that officials did not brief President Trump for fear he would spill the beans to Putin.

New York Times:

Power grids have been a low-intensity battleground for years.

Since at least 2012, current and former officials say, the United States has put reconnaissance probes into the control systems of the Russian electric grid.

But now the American strategy has shifted more toward offense, officials say, with the placement of potentially crippling malware inside the Russian system at a depth and with an aggressiveness that had never been tried before. It is intended partly as a warning, and partly to be poised to conduct cyberstrikes if a major conflict broke out between Washington and Moscow.

Two administration officials said they believed Mr. Trump had not been briefed in any detail about the steps to place “implants” — software code that can be used for surveillance or attack — inside the Russian grid.

Pentagon and intelligence officials described broad hesitation to go into detail with Mr. Trump about operations against Russia for concern over his reaction — and the possibility that he might countermand it or discuss it with foreign officials, as he did in 2017 when he mentioned a sensitive operation in Syria to the Russian foreign minister.



3 Responses to “First Cyberattack on Renewables Shows Vulnerability”

  1. doldrom Says:

    The United States has increased efforts to insert malicious code into Russia’s electric grid. U.S. actions have become “far, far more aggressive over the past year,” with utilities in the cross-hairs of malicious actors. For customers, the impacts could be deadly.

    An open invitation to foster more of such activities. Blow back could be a bitch.

  2. rhymeswithgoalie Says:

    Cybersecurity experts say it reveals a utility sector not sufficiently vigilant, and failing to employ the most simple fixes.

    This won’t change until a person’s employment or pay becomes contingent on them changing the default passwords and keeping the software up-to-date with security patches.

    This calls to mind one professor introducing op-amps into our circuit design course and clearly announcing: “Anyone who tries to apply Kirchhoff’s Law to these circuits will fail this course.” That got even the dozers’ attention.

  3. rhymeswithgoalie Says:

    Amending: And/or insurance companies make payouts dependent on basic cybersecurity practices.
