12 Sep The “First” Cyberattack on the U.S. Grid
The Grid Cyberattack
New details have been released on a cyberattack on the U.S. electric grid. In this case, an unnamed utility in the western United States fell victim to an attack that exploited a vulnerability in their firewall. This attack caused repeated reboots, which resulted in a denial of service in several locations and brief communication outages.
While this attack purportedly took place on March 5th, the North American Electric Reliability Corporation (NERC) just reported specifics early September. They stated that while firewalls were forced to reboot for approximately 10 hours, there were no resulting power outages and the low-impact control center and multiple remote low-impact generation sites each experienced disruption periods of less than 5 minutes. Read the full report here.
The attack is being referenced by many as the first time remote hackers were able to interfere with U.S. grid networks, however, there are previously documented cases of attacks. A blog from Control Global addresses that exact discrepancy. Read it here.
For the remainder of this blog, we will not focus on this event as a first, but rather on the importance that the attack occurred.
This case clearly demonstrates the risks faced by U.S. utilities in regards to cyberattacks and threats against their critical control networks. As systems were investigated following the repeated down periods, more information came to light.
“Subsequent analysis determined that the reboots were initiated by an external entity exploiting a known firewall vulnerability,” NERC said.
That vulnerability was a failure to update systems. The utility company had failed to apply updates to the firewalls that were the target of the attack, which were released prior to the attack, making this incident fully preventable. NERC stated that the vendor was already in the process of updating how they reviewed and tracked firmware updates, but the process was since expedited due to the incident.
We cannot stress enough the importance of tracking internal compliance to policies that ensure best practices and regulations regarding cybersecurity are followed. Above all, always make sure your systems are updated – especially when you receive notice of a vulnerability. That patch should receive top priority.
NERC commented that by publishing a report on the incident, they were hoping to provide “technical and understandable information” that can benefit others in the industry in their efforts to maintain reliability within their systems.
As a part of critical infrastructure, energy utilities are required to ensure they are secure and will experience uninterrupted operations. At this time, it’s unclear if there will be drastic fines for violating critical infrastructure protection rules, but history tells us that they are typically severe.
While this attack was not catastrophic and the situation was remedied fairly easily, NERC helps draw attention to the fact that many companies may not be updating firmware as those updates become available. This results in security gaps on their networks that can be taken advantage of.
NERC recommends the following steps for cybersecurity policies and procedures. For their complete list, read NERC’s “Lesson Learned” report, referenced above.
- Follow good industry practices for vulnerability and patch management.
- Reduce and control your attack surface.
- Have as few internet-facing devices as possible.
- Use virtual private networks.
- Layer defenses. It is harder to penetrate a screening router, a virtual private network terminator, and a firewall in series than just a firewall.
- Know your exploitable vulnerabilities so you can pursue fixes.
- Monitor your network.
- Employ redundant solutions to provide resilience and on-line maintenance capabilities.
RiskWatch recommends utilizing our software to help your security teams manage risk, security, and compliance within your organization. In the case dissected above, the RiskWatch platform would have identified a failure to comply with required regulations that mandate a minimum level of cybersecurity protections, as well as other gaps in security and high-risk areas that show where attention and resources should be directed.
Energy and utility companies, reach out to us for a free review of your current security processes. Free trials are available to sample our functionality and frameworks.