In a report titled “Lesson Learned,” the North American Electric Reliability Corporation (NERC) revealed that a cybersecurity incident impacting U.S. power grids was caused by hackers rebooting firewalls for hours on end.
The incident, which occurred back in March, caused communication outages lasting up to five minutes at a time at multiple "low-impact" generation sites. NERC now says it has determined that the outages were caused by reboots, which were “initiated by an external entity exploiting a known firewall vulnerability.”
The industry group said failure to patch firewalls was the cause of the incident. After the operator of the control center applied the firewall security updates, the reboots stopped.
Two years ago, a report from cybersecurity firm Symantec raised alarm over the potential ability of a sophisticated group of hackers to take control of electric power grids. Symantec said the group, known as “Dragonfly,” was successful in taking down a power grid in Ukraine, resulting in widespread and prolonged power outages.
At the time, Symantec said its power company clients were protected against the attacks, but it noted that some grids lacking sophisticated protection could be vulnerable. In its report, NERC stressed the importance of deploying firmware updates on time in order to prevent security vulnerabilities from leading to another cyber incident.
“Even in cases involving low-Impact BES assets, an entity should strive for good cyber security policies and procedures,” the group said.
For those in the industry, NERC recommends closely monitoring vendor firmware releases and deploying them in a timely manner. The group recommends that power companies also heed the following advice:
Reduce and control your attack surface by having as few internet facing devices as possible.
Use virtual private networks.
Use access control lists (ACLs) to filter inbound traffic prior to handling by the firewall; minimize the traffic through a denial by default configuration with whitelisting for the allowed and expected IP addresses. Limit outbound traffic similarly for information security purposes.