GlobalSign Blog

Shedding more light on the first U.S. electric grid attack

In the past several weeks, as more details of the March cyberattack on Western U.S. energy grid providers have emerged, I’ve been reminded how important in-depth and timely incident reporting is to the continued protection of our bulk electric system. That matters all the more given the growing volume of cyber threats aimed at an increasingly interconnected grid.

To be clear, there was no blackout, and it has not been determined whether the operators were specifically targeted. Still, the attackers were able to exploit a vulnerability in the perimeter firewalls of several Western U.S. grid operators for nearly 10 hours, between 9:12 a.m. and 6:57 p.m. on March 5. The incident caused periodic "blind spots" in the operators’ view of their own systems and also interrupted electrical system operations in Kern County, California and Converse County, Wyoming.

The March attack is the first known incident to cause this kind of disruption to grid provider operations. However, as this May CNBC story on the incident explains, “operations” does not mean electrical delivery to consumers; it can refer to computer systems used within the utilities, including those running office functions or operational software.

The incident is best understood as a denial of service, a loss of availability rather than a takeover of control systems, and that class of attack is largely preventable through timely patching. Even so, the fact that it partially succeeded calls into question whether utilities are prepared for the far more sophisticated attacks the U.S. government has warned about.

The attack, as reported by the North American Electric Reliability Corporation (NERC) on an unnamed Western U.S. utility, appears to have involved a flaw in the firewall that could have been avoided through better patch management. Nevertheless, NERC should be applauded for the way it disclosed the incident and gave the grid community a lessons-learned report.
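The “periodic blind spots” described above are, operationally, gaps in telemetry from remote sites whose perimeter firewall keeps restarting. The following is an added example (not code from this post, from NERC, or from the affected utility) of how an operator might detect such gaps in its own logs and tie them to firewall reboots, which is the difference between “a site went quiet” and “our firewall is being knocked over.” The heartbeat log, the firewall syslog lines, the site-to-firewall mapping and all thresholds are constructed for the example.

```python
"""Detect and attribute telemetry 'blind spots' caused by firewall reboots.

Added example, not taken from the post or the NERC report. Each remote
site is assumed to send a heartbeat through its perimeter firewall every
HEARTBEAT_S seconds; silence longer than MAX_GAP_S is a loss of visibility.
Site names, firewall names, timestamps and thresholds are all made up.
"""
from datetime import datetime

HEARTBEAT_S = 60         # expected reporting interval per site (assumed)
MAX_GAP_S = 150          # alarm after roughly 2.5 missed heartbeats
REBOOT_TOLERANCE_S = 90  # a reboot this close to a gap start is blamed for it
SITE_FIREWALL = {"siteA": "fw-siteA", "siteB": "fw-siteB"}  # constructed mapping

# Constructed heartbeat log: "<ISO timestamp> <site>".
HEARTBEATS = """\
2019-03-05T09:10:00 siteA
2019-03-05T09:11:00 siteA
2019-03-05T09:12:00 siteA
2019-03-05T09:17:00 siteA
2019-03-05T09:18:00 siteA
2019-03-05T09:19:00 siteA
2019-03-05T09:25:00 siteA
2019-03-05T09:28:00 siteB
2019-03-05T09:29:00 siteB
2019-03-05T09:30:00 siteB
2019-03-05T09:34:00 siteB
2019-03-05T09:35:00 siteB
"""

# Constructed firewall syslog excerpt.
REBOOT_LOG = """\
2019-03-05T09:12:10 fw-siteA kernel: system rebooting
2019-03-05T09:19:40 fw-siteA kernel: system rebooting
"""


def parse_heartbeats(text):
    """Group heartbeat timestamps by site, sorted in time order."""
    by_site = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, site = line.split()
        by_site.setdefault(site, []).append(datetime.fromisoformat(ts))
    for beats in by_site.values():
        beats.sort()
    return by_site


def find_gaps(by_site, max_gap_s=MAX_GAP_S):
    """Return (site, last_seen, next_seen, seconds) for each silence longer than max_gap_s."""
    gaps = []
    for site, beats in sorted(by_site.items()):
        for prev, cur in zip(beats, beats[1:]):
            silence = (cur - prev).total_seconds()
            if silence > max_gap_s:
                gaps.append((site, prev, cur, silence))
    return gaps


def parse_reboots(text):
    """Return (timestamp, host) for every syslog line that records a reboot."""
    reboots = []
    for line in text.splitlines():
        if "rebooting" not in line:
            continue
        ts, host = line.split()[:2]
        reboots.append((datetime.fromisoformat(ts), host))
    return reboots


def attribute(gaps, reboots, tolerance_s=REBOOT_TOLERANCE_S):
    """Blame a gap on the site's firewall if it rebooted within tolerance_s of the last heartbeat."""
    findings = []
    for site, last_seen, next_seen, silence in gaps:
        cause = "unknown"
        for ts, host in reboots:
            close = abs((ts - last_seen).total_seconds()) <= tolerance_s
            if close and host == SITE_FIREWALL.get(site):
                cause = f"reboot of {host}"
                break
        findings.append({"site": site, "start": last_seen, "end": next_seen,
                         "seconds": silence, "cause": cause})
    return findings


def summarize(findings):
    """Total blind time, number of windows, and sites that went dark repeatedly."""
    per_site = {}
    for f in findings:
        per_site[f["site"]] = per_site.get(f["site"], 0) + 1
    return {
        "blind_seconds": sum(f["seconds"] for f in findings),
        "windows": len(findings),
        "recurring_sites": sorted(s for s, n in per_site.items() if n >= 2),
    }


if __name__ == "__main__":
    findings = attribute(find_gaps(parse_heartbeats(HEARTBEATS)), parse_reboots(REBOOT_LOG))
    for f in findings:
        print(f"{f['site']}: dark {f['start']:%H:%M}-{f['end']:%H:%M} "
              f"({f['seconds']:.0f}s), cause: {f['cause']}")
    print(summarize(findings))
```

The useful output is not the individual gap but the pattern: a site that goes dark more than once in a day, each time seconds after its own firewall logged a reboot, is exactly the signal an operator should escalate and, under the reporting rules discussed later in this post, consider reportable even though no load was lost.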

About DDoS Attacks

Distributed denial-of-service (DDoS) attacks are increasingly common in today’s cyber-landscape. They work like other denial-of-service (DoS) attacks, but the traffic that overwhelms the target server or system comes from many sources rather than one. Spreading the attack across many sources increases the possible damage, makes it harder to stop (there is no single address to block), and makes it harder to identify the party behind it.

DDoS attacks work when many sources act in sync, usually through a botnet: a network of hijacked internet-connected systems or devices that are remotely controlled as a group. Attackers often use botnets to send spam or phishing email or to harvest banking credentials, but they are an instrumental part of DDoS attacks too. Some attackers even rent out botnets, allowing unskilled cybercriminals to do damage.
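The practical difference between a single-source DoS and a botnet-driven DDoS shows up in the logs as how the load is spread across source addresses. As an added example (not code from this post), the following detector buckets a constructed access log into fixed windows, flags windows far above an assumed baseline, and then classifies each flood by source concentration; the addresses, rates and thresholds are made up for the example, and the baseline would in practice come from the operator’s own traffic history.

```python
"""Classify a traffic spike as a distributed (DDoS) or single-source (DoS) flood.

Added example, not taken from the post. The input is a constructed access
log of "<epoch seconds> <source IP>" lines. Requests are counted per fixed
window and compared with an assumed baseline; a window that is far above
baseline is then classified by how the load is spread across sources.
Addresses, rates and thresholds are all made up.
"""
from collections import Counter, defaultdict

WINDOW_S = 10                 # bucket size in seconds
BASELINE_RPS = 5              # assumed normal request rate (hypothetical)
SPIKE_FACTOR = 10             # alarm when a window exceeds 10x baseline
DISTRIBUTED_MIN_SOURCES = 20  # at least this many sources to call it distributed
DOMINANT_SHARE = 0.5          # one source above this share of requests = single-source


def make_sample_log(t0=1551776000):
    """Constructed log: quiet traffic, a single-source flood, then a botnet flood."""
    lines = []
    for t in range(0, 20):                     # quiet: 2 req/s from two clients
        lines += [f"{t0 + t} 203.0.113.{10 + i}" for i in range(2)]
    for t in range(20, 30):                    # one host sending 80 req/s
        lines += [f"{t0 + t} 198.51.100.7"] * 80
        lines.append(f"{t0 + t} 203.0.113.10")
    for t in range(30, 40):                    # 50 bots, each sending 2 req/s
        for b in range(50):
            lines += [f"{t0 + t} 192.0.2.{b + 1}"] * 2
    return lines


def parse(lines):
    """Yield (epoch, src) pairs, skipping malformed lines rather than crashing."""
    for line in lines:
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        yield int(parts[0]), parts[1]


def bucket(events, window_s=WINDOW_S):
    """Per-window Counter of requests by source IP, keyed by window start time."""
    buckets = defaultdict(Counter)
    for ts, src in events:
        buckets[ts - ts % window_s][src] += 1
    return buckets


def classify_window(counter, window_s=WINDOW_S):
    """Return 'normal', 'single-source-dos', 'distributed-dos' or 'flood-unclassified'."""
    total = sum(counter.values())
    if total / window_s < BASELINE_RPS * SPIKE_FACTOR:
        return "normal"
    _, top_n = counter.most_common(1)[0]
    if top_n / total >= DOMINANT_SHARE:
        return "single-source-dos"      # one address: a plain block will do
    if len(counter) >= DISTRIBUTED_MIN_SOURCES:
        return "distributed-dos"        # no single address to block: rate-limit or scrub
    return "flood-unclassified"


def analyze(lines):
    """Classify every window and list the top talkers for blocking or abuse reports."""
    report = []
    buckets = bucket(parse(lines))
    for start in sorted(buckets):
        c = buckets[start]
        report.append({"window": start, "requests": sum(c.values()),
                       "sources": len(c), "verdict": classify_window(c),
                       "top": c.most_common(3)})
    return report


if __name__ == "__main__":
    for w in analyze(make_sample_log()):
        print(f"t={w['window']} req={w['requests']:4d} src={w['sources']:3d} "
              f"{w['verdict']:<20} top={w['top']}")
```

The verdict drives the response: a single dominant source can simply be blocked at the firewall, whereas a distributed flood needs rate limiting or upstream scrubbing, and the top-talker list is what you hand to the upstream provider or abuse desk. Real botnet traffic will also spoof sources or rotate them, so source count alone is a first-pass signal rather than proof.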

With DDoS attacks, attackers often maximise the damage through timing. In the past several years, targets ranging from HSBC Bank to Xbox Live and the PlayStation Network have been hit, usually at the worst possible times, such as a major holiday. They can also land during a more mundane period, as was the case when HSBC was impacted.

While previous DDoS attacks have not yet affected critical infrastructure, they have made clear what such attacks can achieve and why they must be closely monitored. Fortunately, the March incident on the Western U.S. utilities’ network was small in scale and did not involve a major control center, which limited the disruption. It is also worth noting that, unlike the volumetric floods described above, the March incident was a denial of service produced by exploiting a flaw in the firewall itself, so the relevant mitigation is patch management rather than traffic scrubbing.

Whether or not the attack was successful, Bulk Electric System (BES) operators should be reminded of their new responsibility to report cyber security incidents that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter or its associated Electronic Access Control or Monitoring Systems.

CIP-008-6, which aims to mitigate the risk to the reliable operation of the BES from a cyber security incident by specifying incident response requirements, closed a big gap in the prior reporting requirement. Before CIP-008-6, only incidents that actually compromised or disrupted a reliability task had to be reported; attempts did not. As the security posture of our grid providers continues to mature, ongoing reporting and sharing of even unsuccessful compromise attempts can only strengthen the BES ecosystem.

With the increase in volume and complexity of cyberattacks across core IT infrastructures, companies must continuously evolve their cybersecurity postures. Start now by getting smart on the latest threat universe – and how it can impact you.
