On April 30th, a story broke about a U.S. Department of Energy (DOE) report listing a March 5th “cyber event” at a utility serving western regions of the United States. The original information was listed in the OE-417 Electric Emergency and Disturbance Report that utilities are required to file with the DOE when there are interruptions in service.
A perusal of the five-page report indicates that the normal range of outages spans a spectrum of “Event Types” from severe weather to vandalism to actual physical attacks. On March 5, though, an event was listed as “System Operations,” with the Alert Criteria characterized as “Cyber event that caused interruptions of electrical system operations.” The event lasted over nine hours, from 9:12 AM to 6:57 PM. It was also geographically extensive, affecting two counties in California, one in Utah and one in Wyoming.
Not much more came to light until two days later, when a DOE official was quoted as saying “DOE received a report about a denial-of-service condition that occurred at an electric utility on March 5, 2019 related to a known vulnerability that required a previously published software update to mitigate.” According to E&E News, a DOE official indicated that while operations were disrupted, no generation or transmission was affected, and physical electricity service remained uninterrupted. The DOE did not clarify what specific physical communications equipment was targeted by the DoS attack.
DoS has been used in the past to successfully harm companies. One of the best-known instances was the Mirai botnet in 2016 that temporarily crippled Dyn, a company controlling much of the Internet’s domain name system infrastructure, taking down numerous other companies’ websites as a consequence.
Before the March 5th event, the only other known case of a DoS assault in the utility arena was during the 2015 concerted cyberattack on three Ukrainian distribution utilities. In that case, the tactic was used to attack the telephone system while the assailants simultaneously disrupted power flows at multiple substations. That DoS attack was launched to inundate the utility customer service lines so that no customers could inform the utility as to blackout locations, thereby creating a loss of situational awareness.
Based on the limited information available to date, it doesn’t appear that the recent DoS effort was part of any larger campaign. That said, it does appear to represent a new and unfortunate milestone in the U.S. utility cybersecurity landscape.
E&E News noted that industry sources expressed concern, speculating that an OE-417 report would only have been required if the DoS had targeted something critical and externally facing, such as routers on the grid network boundaries or firewalls. While that in itself would not interrupt physical service, it could require operators to change procedures to facilitate an investigation into the ongoing event.
Despite the lack of clarity to date, this March 5th event highlights yet again the need for appropriate cyber hygiene, such as applying patches quickly after they are released and maintaining a culture of vigilance.
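The hygiene point above, that a publicly known vulnerability with a published fix was still exploitable on an externally facing device, comes down to knowing which perimeter devices are still running a version below the fixed release and how long the fix has been available. The following is an added illustration of that check, not code from the article, the DOE or any utility; the device inventory, version numbers and advisory date are all constructed placeholders, and the version scheme is a simple dotted-integer comparison rather than any particular vendor's format.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    """One network device from an asset inventory (constructed sample data)."""
    name: str
    role: str        # e.g. "boundary-firewall", "internal-switch"
    external: bool   # reachable from outside the control network boundary
    version: str     # installed software version, dotted integers


def parse_version(v: str) -> tuple:
    """Split a dotted version string into a tuple of ints, e.g. "9.4.2" -> (9, 4, 2)."""
    return tuple(int(part) for part in v.strip().split("."))


def is_patched(installed: str, fixed_in: str) -> bool:
    """True when the installed version is at or above the version that fixes the flaw.

    Both tuples are padded with zeros so that "9.4" compares equal to "9.4.0"
    instead of sorting below it.
    """
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def prioritize(devices: list, fixed_in: str) -> list:
    """Return the devices still below the fixed version, externally facing ones first.

    Boundary routers and firewalls are the ones a remote denial-of-service
    attempt can reach directly, so they head the remediation list.
    """
    vulnerable = [d for d in devices if not is_patched(d.version, fixed_in)]
    return sorted(vulnerable, key=lambda d: (not d.external, d.name))


def exposure_days(advisory_published: date, as_of: date) -> int:
    """Days the fix has been available but not applied, i.e. the exposure window."""
    return (as_of - advisory_published).days


# Constructed sample inventory and advisory data; none of these values come
# from the reported event.
FIXED_IN = "9.4.2"
ADVISORY_PUBLISHED = date(2019, 1, 15)   # hypothetical advisory date
INVENTORY = [
    Device("fw-border-1", "boundary-firewall", True, "9.4.1"),
    Device("fw-border-2", "boundary-firewall", True, "9.4.2"),
    Device("rtr-edge-1", "boundary-router", True, "9.3.10"),
    Device("sw-core-1", "internal-switch", False, "9.2.0"),
]


if __name__ == "__main__":
    backlog = prioritize(INVENTORY, FIXED_IN)
    window = exposure_days(ADVISORY_PUBLISHED, date(2019, 3, 5))
    print(f"fix available for {window} days; {len(backlog)} device(s) still unpatched")
    for d in backlog:
        exposure = "EXTERNAL" if d.external else "internal"
        print(f"  {d.name:12} {d.role:18} {d.version:8} {exposure}")
```

Running the block lists the three devices below `9.4.2` with the two externally facing boundary devices first, plus the length of time the hypothetical fix had been published. In practice the inventory would come from a configuration management database and the fixed version from the vendor advisory, but the ordering logic, perimeter first and by exposure window, is the part worth automating.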