Hackers Attempted DDoS Attack Against Utility: Report
Analysis: Attackers Probed Weaknesses in Network Firewalls for 10 Hours
Earlier this year, intruders probed weaknesses in the network firewalls of a U.S. power utility in an attempted distributed denial-of-service attack, but the incident caused no disruption of electricity service, according to a recently released report.
The incident, which took place in March, caused a brief communication disruption between remote sites and the utility's main control center, according to the "lessons learned" report by the North American Electric Reliability Corp. The non-profit organization develops and enforces standards for U.S. power and utility companies.
The name of the utility that was targeted was not revealed in the report.
The attackers apparently exploited several known vulnerabilities in the public, internet-facing firewalls that connected the control center to its remote sites, according to the report. The activity continued over a 10-hour period, and communication between the main control center and the remote sites was lost for less than five minutes as a result of the attempted DDoS attack, the report says.
"The affected firewalls were all perimeter devices that served as the outer security layer," according to the report. The firewalls kept rebooting; when the utility's IT team checked the logs, it noticed a pattern, the report notes.
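The signal the utility's IT team spotted, repeated unplanned reboots of perimeter firewalls clustered in time, is easy to surface automatically from syslog rather than by reading logs after the fact. The following is an added example, not code from the NERC report or from the utility: it parses constructed firewall log lines (the device names, message format and "reason" field are assumptions, not a real vendor's syntax), discards scheduled reboots, and flags any device whose unplanned reboots cluster within a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for illustration only. Host names and the
# "system reboot initiated (reason: ...)" message are assumptions, not taken
# from the NERC report or any real firewall vendor.
SAMPLE_LOGS = """\
2019-03-05T09:02:11 fw-site-a kernel: system reboot initiated (reason: unexpected)
2019-03-05T09:02:41 fw-site-a kernel: boot complete
2019-03-05T09:31:07 fw-site-a kernel: system reboot initiated (reason: unexpected)
2019-03-05T09:45:55 fw-site-b kernel: system reboot initiated (reason: unexpected)
2019-03-05T10:05:19 fw-site-a kernel: system reboot initiated (reason: unexpected)
2019-03-05T10:48:02 fw-site-a kernel: system reboot initiated (reason: unexpected)
2019-03-05T11:00:00 fw-dmz kernel: system reboot initiated (reason: scheduled)
2019-03-05T12:20:33 fw-site-b kernel: system reboot initiated (reason: unexpected)
2019-03-05T12:21:10 fw-site-b sshd: accepted publickey for admin
"""

# Matches only the reboot-initiated message; everything else is ignored.
REBOOT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: system reboot initiated "
    r"\(reason: (?P<reason>[^)]+)\)$"
)


def parse_reboots(log_text, ignore_reasons=("scheduled",)):
    """Return {host: sorted list of reboot timestamps}, skipping planned reboots."""
    reboots = defaultdict(list)
    for line in log_text.splitlines():
        m = REBOOT_RE.match(line)
        if not m or m.group("reason") in ignore_reasons:
            continue
        reboots[m.group("host")].append(datetime.fromisoformat(m.group("ts")))
    return {host: sorted(ts) for host, ts in reboots.items()}


def max_in_window(times, window):
    """Largest number of events falling inside any sliding window of length `window`.

    `times` must be sorted. Two-pointer scan, O(n)."""
    best = 0
    j = 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def flag_unstable(reboots, min_count=3, window=timedelta(minutes=90)):
    """Devices whose unplanned reboots cluster tightly enough to suggest a
    repeated crash or denial of service rather than a one-off fault.

    Thresholds are assumptions; tune them to the device population."""
    flagged = {}
    for host, times in reboots.items():
        peak = max_in_window(times, window)
        if peak >= min_count:
            flagged[host] = {
                "total": len(times),
                "peak_in_window": peak,
                "first": times[0],
                "last": times[-1],
            }
    return flagged


if __name__ == "__main__":
    for host, info in flag_unstable(parse_reboots(SAMPLE_LOGS)).items():
        print(f"{host}: {info['total']} unplanned reboots, "
              f"{info['peak_in_window']} within 90 min, "
              f"{info['first']:%H:%M} to {info['last']:%H:%M}")
```

On the constructed sample, only fw-site-a is flagged (four unplanned reboots, three of them inside one 90-minute window); fw-site-b's two reboots are hours apart and fw-dmz's reboot is scheduled, so neither is reported. In production the same logic would run against the log aggregator feed, and the alert is worth raising on the first flagged device, since the report notes that all of the affected firewalls were perimeter devices and several were hit over the same day.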
The report recommends the utility make several improvements, including such basic security moves as implementing better software patch management and creating a layered defense to help build in redundancies.
"Based on this review, the entity decided to implement a more formal and more frequent review of vendor firmware updates that would be tracked within internal compliance tracking software," according to the report. "It should be noted that the entity was already working to develop internal procedures to support this process; however, these were not completed or being practiced at the time of the event."
Concerns Over Power Grid
E&E News, a publication that covers U.S. utility companies, first reported the analysis by the North American Electric Reliability Corp., which is now publicly available.
The incident, which happened on March 5 between about 9 a.m. and 7 p.m. PST, appears to have affected operations in several Western states, including California, Wyoming and Utah, according to an initial report posted by the U.S. Department of Energy.
The security of the U.S. power grid and the utilities that support and supply it with electricity is a growing area of concern. As older systems and infrastructures are linked to the internet, more of these companies and their systems are vulnerable, security experts say.
And while it's not clear who attempted to attack this particular utility, a report issued by security vendor Dragos in June found that an advanced persistent threat group had started to turn more of its attention to power companies (see: Xenotime Group Sets Sights on Electrical Power Plants).
Trouble With Firewalls
Poorly maintained network firewalls can raise security issues because they sometimes are used to protect a large number of assets, including websites, cloud infrastructure and even industrial control systems, says Chris Roberts, the chief security strategist at security firm Attivo Networks.
"Unfortunately, in many of the cases, a lot of those front ends [firewalls] are outdated and not patched, maintained, secured or even well managed," Roberts tells Information Security Media Group. "Many of them are either internet accessible … or obfuscated behind the corporate enterprise and protected by little more than the equivalent of a chocolate fireguard."
The North American Electric Reliability Corp. report offers several ways that power utilities can improve their cybersecurity, including:
- Make faster updates to the firewall firmware to address vulnerabilities;
- Use VPNs to better control network traffic;
- Ask the U.S. Department of Homeland Security to conduct an assessment and vulnerability scanning;
- Create redundancies within the firewalls so that communication between different points can continue in case of a disruption.
(Managing Editor Scott Ferguson contributed to this report.)