A Utah-based company recently became the first U.S. renewable energy provider to become the victim of a cyberattack. Significantly, the attack caused the company to lose connection with its power generation installations, the first time this has happened in the United States.
The root cause of the attack? An unpatched firewall
According to a published report, a hacker used a denial-of-service (DoS) attack to exploit a known vulnerability in a Cisco firewall and cause that firewall to crash. The crash broke the connections between the company’s wind and solar generation installations and the company’s main command center. Significantly, this cyber event affected the company’s solar generation assets in three states.
Fortunately, the attack did not continue beyond the initial exploit and the hacker did not breach the company’s network. However, the company had to file an “Electric Emergency Incident and Disturbance Report” with the U.S. Department of Energy.
The North American Electric Reliability Corporation (NERC) issued Lesson Learned: Risks Posed by Firewall Firmware Vulnerabilities, which contains several good security policies and procedures for avoiding just this kind of attack:
- Follow good industry practices for vulnerability and patch management. Vulnerabilities in older versions of software, firmware and services are public record and are weak points that hackers first seek to exploit.
- Reduce and control the “attack surface” by having fewer internet-facing devices.
- Use access controls, layer defenses and segment the network.
- Know your vulnerabilities, by consulting available resources, conducting vulnerability scanning and sharing information, for example, by joining the Electricity Information Sharing and Analysis Center (E-ISAC).
- Monitor your network and implement redundant solutions to provide resilience and online maintenance capability.
Energy companies must continuously and rigorously implement and update their security programs, to ensure continuous system operations and maintain the reliability of the bulk power system.
Our Privacy, Cybersecurity and Data Management Team will continue to share the latest developments and provide insights as we continue to monitor the ever-changing, ever-shifting legal landscape on this issue.