A Utah-based renewable energy power producer, sPower, that relies on wind and solar technologies was the victim of an attack that involved exploitation of a known vulnerability in Cisco firewalls.
Although the producer suffered no operational impact, the attack caused a denial of service (DoS) that led to communication outages between the organization’s control center and the field devices at several sites.
The incident became public earlier this year when the National Energy Technology Laboratory revealed that a cyber event had caused problems at a utility in the western part of the U.S. on March 5. The report said the incident affected California, Utah and Wyoming, but it did not result in any power outages. The report did not reveal the name of the producer.
News came out in dribs and drabs, but after the report was published it emerged that the incident involved a DoS attack exploiting a known vulnerability in a Cisco device. The North American Electric Reliability Corporation (NERC) said in September that the flaw affected the web interface of the firewalls, and that exploiting it caused a denial of service in which the appliances rebooted.
The communication outages occurred over a period of 10-12 hours, and each lasted less than five minutes.
The latest details were revealed by E&E News, which obtained more information about the incident by filing a Freedom of Information Act (FOIA) request.
As mentioned, sPower is a Utah-based renewable energy power producer that relies on wind and solar technologies.
The document cites Department of Energy representatives explaining that the attack involved exploitation of a known vulnerability in Cisco firewalls. Vulnerabilities have been found in these types of products and some of them have been exploited in attacks.
Following the incident, sPower analyzed its logs and found no evidence of a breach and the company claimed the incident did not impact operations.
sPower also contacted Cisco, which advised it to patch its firewalls, according to the document. sPower deployed firmware updates to its firewalls after ensuring that they would not cause other problems.
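The pattern the reports describe (several brief losses of visibility spread over a 10-12 hour window, each coinciding with a firewall reboot) is one a control center can pick out of its own data: the heartbeat or poll history for each field site, and the firewall syslog. The following is an added example, not code from the article, sPower or Cisco. The heartbeat series, the syslog lines, the host and site names and the timestamps are all constructed, and the syslog line layout is a simplified stand-in rather than any vendor's real message format.

```python
"""Detect repeated short losses of visibility between a control center and
field sites, and correlate them with firewall restart events.

Added example, not code from the article, sPower or Cisco. All data below
is constructed; the syslog layout is a simplified "<iso-ts> <host> <msg>"
stand-in, not a real vendor format.
"""
import re
from datetime import datetime, timedelta

POLL_INTERVAL = timedelta(seconds=60)   # assumed control-center poll rate


def constructed_heartbeats():
    """Constructed heartbeat series: one poll per minute over ten hours,
    with three short runs of missed polls standing in for outages."""
    base = datetime(2019, 3, 5, 9, 0)
    missed = {30, 31, 32, 210, 211, 450, 451}       # minute indexes dropped
    return {"site-A": [base + timedelta(minutes=i)
                       for i in range(600) if i not in missed]}


# Constructed firewall syslog; only the restart lines matter here.
FIREWALL_SYSLOG = """\
2019-03-05T08:55:12 fw-site-a config change saved by admin
2019-03-05T09:30:05 fw-site-a system restart: unexpected reboot
2019-03-05T12:30:10 fw-site-a system restart: unexpected reboot
2019-03-05T14:00:00 fw-site-a config change saved by admin
2019-03-05T16:30:02 fw-site-a system restart: unexpected reboot
"""

RESTART_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) .*\b(?:restart|reboot)\b", re.I)


def find_outages(times, interval=POLL_INTERVAL, slack=1.5):
    """Return (last_seen, next_seen) pairs wherever the gap between two
    consecutive heartbeats exceeds the poll interval times `slack`."""
    outages = []
    for prev, nxt in zip(times, times[1:]):
        if nxt - prev > interval * slack:
            outages.append((prev, nxt))
    return outages


def outage_durations_seconds(outages):
    return [int((end - start).total_seconds()) for start, end in outages]


def parse_restarts(syslog_text):
    """Extract (timestamp, host) for every restart/reboot line."""
    events = []
    for line in syslog_text.splitlines():
        m = RESTART_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group("ts")), m.group("host")))
    return events


def correlate(outages, restarts):
    """Attach to each outage the first restart event inside its window, or None."""
    result = []
    for start, end in outages:
        hit = next(((ts, host) for ts, host in restarts if start <= ts <= end), None)
        result.append({"start": start, "end": end, "restart": hit})
    return result


def pattern_summary(outages, max_each=timedelta(minutes=5), min_count=3):
    """Flag the 'many brief outages over a long window' pattern: at least
    min_count outages, each shorter than max_each."""
    if not outages:
        return {"flagged": False, "count": 0, "span_hours": 0.0}
    span = outages[-1][1] - outages[0][0]
    short = all(end - start < max_each for start, end in outages)
    return {"flagged": len(outages) >= min_count and short,
            "count": len(outages),
            "span_hours": round(span.total_seconds() / 3600, 2)}


if __name__ == "__main__":
    hb = constructed_heartbeats()["site-A"]
    outs = find_outages(hb)
    for rec in correlate(outs, parse_restarts(FIREWALL_SYSLOG)):
        print(rec)
    print(pattern_summary(outs))
```

Each outage on its own is short enough to be dismissed as a transient link problem; the point of `pattern_summary` and `correlate` is that three of them in one shift, each bracketing a firewall restart, is a different event and should raise a ticket for the firewall rather than for the WAN link.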
“This is one more example, if one were needed, that cyber risk in the industrial space is not only real but operant. Even though (and thankfully) the operational area was not itself impacted, so generation continued, the simplicity of this attack should make generators sit up and take notice,” said Jason Haward-Grau, CISO at PAS Global. “This was a ‘simple’ IT attack on an unpatched firewall, which was still vulnerable in spite of the patch being available.”
Haward-Grau went on to make further points:
• So, what’s new about this attack? Essentially it is the first time a control/command center lost visibility of the operational zone, which, while on the IT side of the house, is an indicator that the operational capabilities of industrial facilities are at increasing risk as the digitization agenda takes more of a central role in business. Many generators see digitization as the opportunity to transform their businesses, drive efficiencies and consolidate control rooms, which will rely on integrated IT networks to function (this will bring IT and OT together in new and likely different ways). This kind of attack shows the frequency of attacks is continuing to grow, and digitalization and hyper-connectivity are only going to expand the risk and accelerate the frequency of attacks because hackers are getting more and more sophisticated about industrial operations attacks (the old “security by obscurity” is gone, if it ever existed).
• Organizations need to be sure they are doing at least the basics, not only on the IT side but also on the OT side. A lot have focused on IT (firewalls, intrusion detection), which in this case were let down by a lack of structured process. Even so, there is still less focus on Operational Technology (OT) than there should be given the opening up of these areas through IIoT, 5G and advances in digitization and AI (e.g. inventory and vulnerability management).
• What this also highlights is the need for response and recovery planning capabilities. Yes, patching was the solution to this firewall exploit; however, this could have been significantly worse had the attacker understood what they were dealing with and gone further with their attack.
• This highlights the need for effectively understanding your topology and its connections. This has never been more important than today: if you don’t know what you have, where it is, what vulnerabilities it has and how it is configured, you are already operating at a disadvantage that a motivated attacker will be happy to exploit.
• Impacting operations is only a matter of time; if a simple firewall crash can do this, imagine what a dedicated and skilled attacker can do. The emphasis needs to shift to not just identifying an attack but, equally important, responding to one. Having effective back-ups to recover with at a configuration level in OT is no longer a nice to have, rather a necessity, as the cost of an attack can and will multiply the longer the operation is unable to recover to a ‘pre-attack’ configuration.
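Two of the points above, knowing how each device is configured and keeping a configuration-level baseline to recover to, come down to one routine check: compare what a firewall is running now against the last known-good copy and report every difference, including the ones that matter most for this incident (a management interface reachable from an untrusted zone, firmware behind the baseline, log forwarding silently removed). The following is an added example, not code from the article, PAS Global or any vendor. The "key value" configuration syntax, the zone and interface names and the firmware version strings are all constructed and do not correspond to any real Cisco configuration.

```python
"""Compare a firewall's running configuration with a stored known-good
baseline and report drift, management exposure and firmware regression.

Added example, not from the article or any vendor. The configuration
format below is a constructed, generic "key value" syntax; the hostnames,
zones, addresses and firmware versions are constructed too.
"""

# Constructed known-good baseline captured after the last review.
BASELINE = """\
hostname fw-site-a
firmware 2.0.4
interface outside zone untrusted
interface inside zone trusted
mgmt-http allow-from inside
mgmt-http allow-from ops-net
logging host 10.0.0.5
"""

# Constructed running configuration pulled from the device today.
RUNNING = """\
hostname fw-site-a
firmware 2.0.1
interface outside zone untrusted
interface inside zone trusted
mgmt-http allow-from inside
mgmt-http allow-from outside
"""


def parse_config(text):
    """Return the set of normalized config lines (whitespace collapsed,
    '!' comment lines dropped) so two captures can be diffed as sets."""
    lines = set()
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("!"):
            lines.add(line)
    return lines


def config_drift(baseline_lines, running_lines):
    """Lines present in the baseline but not running, and vice versa."""
    return {"missing": sorted(baseline_lines - running_lines),
            "added": sorted(running_lines - baseline_lines)}


def management_exposure(config_lines):
    """Interfaces that may reach the management web interface and that sit
    in the 'untrusted' zone, per the constructed syntax."""
    zone_of, allowed = {}, []
    for line in config_lines:
        parts = line.split()
        if len(parts) == 4 and parts[0] == "interface" and parts[2] == "zone":
            zone_of[parts[1]] = parts[3]
        elif len(parts) == 3 and parts[:2] == ["mgmt-http", "allow-from"]:
            allowed.append(parts[2])
    return sorted(name for name in allowed if zone_of.get(name) == "untrusted")


def firmware_version(config_lines):
    """Parse 'firmware a.b.c' into a comparable tuple, or None if absent."""
    for line in config_lines:
        parts = line.split()
        if len(parts) == 2 and parts[0] == "firmware":
            return tuple(int(p) for p in parts[1].split("."))
    return None


def assess(baseline_text, running_text):
    """Full report for one device: drift, exposed management interfaces,
    and whether the running firmware is older than the baseline's."""
    base, run = parse_config(baseline_text), parse_config(running_text)
    base_fw, run_fw = firmware_version(base), firmware_version(run)
    behind = base_fw is not None and run_fw is not None and run_fw < base_fw
    return {"drift": config_drift(base, run),
            "exposed_mgmt_interfaces": management_exposure(run),
            "firmware_behind_baseline": behind}


if __name__ == "__main__":
    import json
    print(json.dumps(assess(BASELINE, RUNNING), indent=2))
```

Run against the constructed captures, the report shows the firmware rolled back, the logging host gone (which is why "we analyzed our logs" needs a check that logs were still arriving), and the management interface opened to the untrusted side. Any of the three is reason to restore the baseline before the next review rather than after the next outage.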