A Utah-based renewable energy company was the victim of a rare cyberattack that temporarily disrupted communications with several solar and wind installations in March, according to documents obtained under the Freedom of Information Act.
The attack left operators at the company, sPower, unable to communicate with a dozen generation sites for five-minute intervals over the course of several hours on March 5. Each generation site experienced just one communication outage. It is believed to be the first cybersecurity incident on record that caused a “disruption” in the U.S. power industry, as defined by the Department of Energy.
DOE defines a “cyber event” as a disruption to electrical or communication systems caused by unauthorized access to hardware, software or communications networks. Utilities have to promptly report any such incidents to DOE.
The attack did not affect sPower’s more critical control systems and did not impact its power generation, the company said. But it nevertheless highlights how generic software vulnerabilities that affect multiple industries can impact utilities.
The report to DOE shows that unidentified attackers hit the company with a denial-of-service (DoS) attack that exploited a known vulnerability in a Cisco firewall. The report and related documents, obtained by George Washington University’s National Security Archive and shared with CyberScoop, reveal how sPower and DOE officials worked to ensure the cyberattack did not escalate.
“sPower has reviewed log files and has found no evidence of a breach beyond the DoS attack,” Matthew Tarduogno, an analyst in a DOE cybersecurity office, wrote in an update to senior DOE officials three days after the attack.
“Cisco recommended a firmware update, which sPower has been deploying across their system, after testing for compatibility,” Tarduogno’s email said.
After investigating the incident, “processes and systems were improved to help ensure as much uptime as possible,” Lara Hamsher, a government relations manager at sPower, said in a statement.
E&E News first reported on the incident in April, and also obtained the FOIA documents.
There was a low “barrier to entry” to carry out the attack because the vulnerability was known and the equipment targeted was on the public internet, according to Joe Slowik, principal adversary hunter at industrial cybersecurity company Dragos.
“Given the lack of identified follow-up actions by the attacker, this would appear to be someone testing or scanning for this vulnerability and inadvertently hitting utility infrastructure in the process,” Slowik said. “However, that is an educated guess based on limited public information.”
Nonetheless, Slowik told CyberScoop, the DoS attack is a reminder that utilities need to account for the possibility of hackers degrading network communications in distributed power generation environments like wind or solar installations.
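The outage pattern described above (a dozen sites each losing contact for about five minutes, spread over several hours) is the kind of signal a utility's monitoring should surface on its own. The following is an added example, not code from sPower, DOE or Dragos: it parses a constructed heartbeat log of polls to remote generation sites, turns runs of failed polls into outage windows, and flags clusters of outages across several sites in a short span, which points at a shared network path such as a perimeter firewall rather than at independent site faults. The log format, site names and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample heartbeat log (not from the FOIA documents): one line per poll,
# "timestamp site status". Three sites drop for five polls each within a few hours,
# one site stays up, and one site loses a single poll the next day.
SAMPLE_LOG = """\
2019-03-05T09:00:00 site-01 OK
2019-03-05T09:01:00 site-01 TIMEOUT
2019-03-05T09:02:00 site-01 TIMEOUT
2019-03-05T09:03:00 site-01 TIMEOUT
2019-03-05T09:04:00 site-01 TIMEOUT
2019-03-05T09:05:00 site-01 TIMEOUT
2019-03-05T09:06:00 site-01 OK
2019-03-05T09:00:00 site-02 OK
2019-03-05T10:30:00 site-02 TIMEOUT
2019-03-05T10:31:00 site-02 TIMEOUT
2019-03-05T10:32:00 site-02 TIMEOUT
2019-03-05T10:33:00 site-02 TIMEOUT
2019-03-05T10:34:00 site-02 TIMEOUT
2019-03-05T10:35:00 site-02 OK
2019-03-05T09:00:00 site-03 OK
2019-03-05T11:40:00 site-03 TIMEOUT
2019-03-05T11:41:00 site-03 TIMEOUT
2019-03-05T11:42:00 site-03 TIMEOUT
2019-03-05T11:43:00 site-03 TIMEOUT
2019-03-05T11:44:00 site-03 TIMEOUT
2019-03-05T11:45:00 site-03 OK
2019-03-05T09:00:00 site-04 OK
2019-03-05T12:00:00 site-04 OK
2019-03-06T03:00:00 site-05 TIMEOUT
2019-03-06T03:01:00 site-05 OK
"""


def parse_log(text):
    """Parse 'timestamp site status' lines into (time, site, status) tuples,
    sorted by site and then by time so per-site state can be tracked in one pass."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, site, status = line.split()
        records.append((datetime.fromisoformat(ts), site, status.upper()))
    records.sort(key=lambda r: (r[1], r[0]))
    return records


def outage_windows(records):
    """Return {site: [(start, end), ...]}: a window runs from the first failed poll
    to the next successful one. A window still open at the end of the log has end=None."""
    windows = defaultdict(list)
    open_since = {}
    for ts, site, status in records:
        if status != "OK":
            open_since.setdefault(site, ts)  # keep the first failing poll
        elif site in open_since:
            windows[site].append((open_since.pop(site), ts))
    for site, start in open_since.items():
        windows[site].append((start, None))
    return dict(windows)


def correlated_outages(windows, min_sites=3, span=timedelta(hours=4),
                       min_duration=timedelta(minutes=2)):
    """Cluster outages whose start lies within `span` of the cluster's first start and
    return the clusters that touch at least `min_sites` distinct sites. Outages shorter
    than `min_duration` are treated as transient and ignored."""
    events = []
    for site, wins in windows.items():
        for start, end in wins:
            if end is not None and end - start < min_duration:
                continue
            events.append((start, site))
    events.sort()
    clusters = []
    for start, site in events:
        if clusters and start - clusters[-1]["start"] <= span:
            clusters[-1]["sites"].add(site)
        else:
            clusters.append({"start": start, "sites": {site}})
    return [{"start": c["start"], "sites": sorted(c["sites"])}
            for c in clusters if len(c["sites"]) >= min_sites]


def analyse(text, **thresholds):
    """Full pipeline: log text in, list of flagged multi-site outage clusters out."""
    return correlated_outages(outage_windows(parse_log(text)), **thresholds)


if __name__ == "__main__":
    for cluster in analyse(SAMPLE_LOG):
        print(f"{cluster['start'].isoformat()}: {len(cluster['sites'])} sites lost "
              f"contact within the window: {', '.join(cluster['sites'])}")
```

The thresholds are deliberately parameters: a single site dropping one poll is ordinary in a distributed fleet, while several sites losing contact for minutes each inside the same few hours is worth an alert and a look at whatever those sites share, such as the firewall in front of the control network.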
A DOE official told CyberScoop the department isn’t aware of additional cybersecurity incidents in the U.S. energy sector related to the sPower attack.
The most publicized cyberattack on electric infrastructure took place in Ukraine in 2015. Russian hackers manipulated power systems to plunge a quarter-million people into darkness.
U.S. utilities closely studied that incident and are trading threat data to defend against such attacks. While the sPower incident is far less serious than the Ukraine attack, it will offer another data point in utilities’ effort to stay vigilant.
You can read the report here: http://www.documentcloud.org/documents/6535023-sPower-FOIA.html