The incident took place earlier this year, when threat actors exploited a known vulnerability in a firewall used by the affected facility to cause a disruption.
In May, the Department of Energy confirmed that on March 5, 2019, between 9 a.m.
The report states that interruptions of electrical system operations were observed in California (Kern County, Los Angeles County), Utah (Salt Lake County), and Wyoming (Converse County). The report did not name the utility company that suffered the incident.
Following the attack, the E&E News learned that the disruption was caused by a
E&E now revealed that the incident was caused by the exploitation of a known vulnerability in the web interface of firewalls used by the impacted organization.
“The unprecedented cyber disruption this spring did not cause any blackouts, and none of the signal outages at the “low-impact” control center lasted for longer than five minutes,” NERC said in the “Lesson Learned” document posted to the grid regulator’s website.
“But the March 5 event was significant enough to spur the victim utility to report it to the Department of Energy, marking the first disruptive “cyber event” on record for the U.S. power grid (Energywire, April 30).
The case offered a stark demonstration of the risks U.S. power utilities face as their critical control networks grow more digitized and interconnected — and more exposed to hackers. “Have as few internet facing devices as possible,” NERC urged in its report.”
The flaw allowed the attackers to trigger a
“A vulnerability in the web interface of a vendor’s firewall was exploited, allowing an unauthenticated attacker to cause unexpected reboots of the devices.” states the NERC document. “This resulted in a denial of service (DoS)1 condition at a
The NERC report doesn’t name the impacted utility, the
The report revealed that the outages lasted for less than five minutes, while the reboots of the impacted appliances occurred over a 10-hour timeframe.
The analysis of the firewall logs allowed the experts to determine the nature of the reboots and to discover that an “external entity” was exploiting a known vulnerability in the network devices to trigger a
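The log review described above, where repeated unexpected reboots over a roughly 10-hour window were the signal, can be turned into a simple detection. The script below is an added illustration, not code from the NERC document or the article; the log format and the device names are constructed for the example, since real firewall syslog messages differ by vendor, and the threshold of three reboots is an assumed tuning value.

```python
"""Flag firewalls whose logs show repeated unexpected reboots inside a short window.

Added illustration, not from the NERC document or the article. The log format
and device names are constructed; real firewall syslog messages differ by vendor.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: ISO timestamp, device name, message.
SAMPLE_LOGS = """\
2019-03-05T09:12:01 fw-gen-site-a SYSTEM: unexpected restart (watchdog), uptime 00:03:11
2019-03-05T09:18:44 fw-gen-site-a SYSTEM: unexpected restart (watchdog), uptime 00:04:02
2019-03-05T10:40:13 fw-gen-site-b SYSTEM: config saved by admin
2019-03-05T11:02:57 fw-gen-site-a SYSTEM: unexpected restart (watchdog), uptime 01:41:10
2019-03-05T14:30:00 fw-gen-site-c SYSTEM: scheduled restart after firmware update
2019-03-05T16:55:09 fw-gen-site-a SYSTEM: unexpected restart (watchdog), uptime 05:50:11
2019-03-05T18:10:22 fw-gen-site-b SYSTEM: unexpected restart (watchdog), uptime 07:29:00
"""

# Marker distinguishing an unplanned reboot from a scheduled one (constructed wording).
UNEXPECTED = "unexpected restart"


def parse_logs(text):
    """Return (timestamp, device, message) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, msg = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), device, msg))
    return events


def unexpected_reboots(events):
    """Map each device to the sorted timestamps of its unexpected restarts."""
    by_device = defaultdict(list)
    for ts, device, msg in events:
        if UNEXPECTED in msg:
            by_device[device].append(ts)
    return {d: sorted(t) for d, t in by_device.items()}


def flag_devices(reboots, threshold=3, window=timedelta(hours=10)):
    """Return devices with at least `threshold` unexpected reboots inside any `window`.

    Uses a sliding window over the sorted timestamps; the value is the
    (first, last) reboot time of the first window that crossed the threshold.
    """
    flagged = {}
    for device, times in reboots.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[device] = (times[start], times[end])
                break
    return flagged


if __name__ == "__main__":
    reboots = unexpected_reboots(parse_logs(SAMPLE_LOGS))
    for device, (first, last) in flag_devices(reboots).items():
        print(f"{device}: repeated unexpected reboots between {first} and {last}")
```

A single unplanned restart (fw-gen-site-b) and a scheduled restart after a firmware update (fw-gen-site-c) are not flagged; only the device rebooting repeatedly within the window is, which is the pattern that prompted the entity's investigation.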
The firewall manufacturer offered a firmware update to address the issue. The entity first tested the patch on a firewall within a non-critical environment and, after verifying that no problems were observed, deployed the firmware patch at an operational generation site.
“After seeing no adverse effects, the entity deployed the firmware patch at an operational generation site that night.” continues the document. “After monitoring traffic in the production environment overnight and early the following morning, the entity deployed the update to all remaining BES assets that had common hardware with the firmware vulnerability.”
NERC states that after completing the mitigation to address the flaw, the entity conducted an internal assessment to improve its internal patch management process and prevent similar incidents in the future.
NERC’s document includes a list of