Utah-based wind and solar energy developer sPower has been identified as the utilities company that suffered a previously reported denial of service attack that disrupted its normal business activity last March 5.
The cyberattack briefly cut off communications between sPower's control centers and a dozen remote wind and solar farms that served as its power generation stations, according to documentation obtained by trade media website E&E News, following a Freedom of Information Act request. In a report on its latest findings, E&E yesterday described the incident as a "first-of-its-kind" attack.
The documentation consists of an Electronic Emergency Incident and Disturbance Report, which contains what appears to be an email communication signed by a Department of Energy employee. This email explains that the communications outages were caused by the exploitation of a vulnerability in Cisco firewalls that caused repeated rebooting. The incident was observed in intermittent bursts over a 12-hour period, at which point sPower applied a patch to fix the condition.
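The report describes the symptom from the control center's side: short, intermittent losses of communication with remote sites, lined up with a perimeter firewall that kept rebooting. The following is an added example of how an operator could spot that pattern from its own telemetry; it is not code from sPower, E&E or the DOE report. It assumes a per-site heartbeat feed and a firewall syslog feed, both in a constructed `key=value` format (the sample lines, site names and the `edge-fw-01` device are invented, and the log layout is hypothetical rather than any vendor's real message format).

```python
"""Detect intermittent site-communication gaps and correlate them with
firewall reboot events. Added example with constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed heartbeat log (not from the incident): the control center
# expects one heartbeat per site every 60 seconds.
HEARTBEAT_LOG = """\
2019-03-05 09:10:00 site=wind-farm-a status=ok
2019-03-05 09:11:00 site=wind-farm-a status=ok
2019-03-05 09:12:00 site=wind-farm-a status=ok
2019-03-05 09:16:00 site=wind-farm-a status=ok
2019-03-05 09:17:00 site=wind-farm-a status=ok
2019-03-05 09:18:00 site=wind-farm-a status=ok
2019-03-05 09:22:00 site=wind-farm-a status=ok
"""

# Constructed firewall log in a hypothetical format (not a real vendor syslog).
FIREWALL_LOG = """\
2019-03-05 09:12:30 fw=edge-fw-01 event=reboot reason=unexpected
2019-03-05 09:18:40 fw=edge-fw-01 event=reboot reason=unexpected
"""


def parse_kv_log(text):
    """Parse 'YYYY-MM-DD HH:MM:SS key=value ...' lines into (datetime, dict)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[2:])
        records.append((ts, fields))
    return records


def find_gaps(heartbeats, expected_interval=60, tolerance=30):
    """Return (site, last_seen, next_seen, gap_seconds) for every silence
    longer than the expected heartbeat interval plus tolerance."""
    by_site = defaultdict(list)
    for ts, fields in heartbeats:
        by_site[fields["site"]].append(ts)
    gaps = []
    for site, stamps in by_site.items():
        stamps.sort()
        for prev, cur in zip(stamps, stamps[1:]):
            delta = (cur - prev).total_seconds()
            if delta > expected_interval + tolerance:
                gaps.append((site, prev, cur, delta))
    return gaps


def correlate_reboots(gaps, fw_events):
    """Attach the firewall reboot events that fall inside each gap window."""
    reboots = [ts for ts, f in fw_events if f.get("event") == "reboot"]
    findings = []
    for site, start, end, delta in gaps:
        matched = [ts for ts in reboots if start <= ts <= end]
        findings.append({"site": site, "start": start, "end": end,
                         "gap_seconds": delta, "reboots": matched})
    return findings


def is_reboot_loop(fw_events, window=timedelta(hours=1), min_count=2):
    """True when at least min_count reboots occur within any sliding window;
    a single reboot is maintenance, repeated ones are a condition to chase."""
    reboots = sorted(ts for ts, f in fw_events if f.get("event") == "reboot")
    for i, first in enumerate(reboots):
        if sum(1 for ts in reboots[i:] if ts - first <= window) >= min_count:
            return True
    return False


def analyse(heartbeat_text=HEARTBEAT_LOG, firewall_text=FIREWALL_LOG):
    """Run the whole pipeline and return gaps with matched reboots plus a
    reboot-loop verdict."""
    hb = parse_kv_log(heartbeat_text)
    fw = parse_kv_log(firewall_text)
    return {"gaps": correlate_reboots(find_gaps(hb), fw),
            "reboot_loop": is_reboot_loop(fw)}


if __name__ == "__main__":
    result = analyse()
    for g in result["gaps"]:
        print(f"{g['site']}: silent {g['gap_seconds']:.0f}s from {g['start']} "
              f"to {g['end']}, firewall reboots in window: {len(g['reboots'])}")
    print("reboot loop suspected:", result["reboot_loop"])
```

The point of joining the two feeds is that a lost-heartbeat alarm on its own looks like a flaky WAN link, while a firewall reboot on its own looks like maintenance; only the pair, recurring over hours, points at a device being knocked over repeatedly and is the cue to check patch status on that perimeter box.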
None of the utility's operational technology systems were affected, and customers of the utility did not experience any power loss.
Earlier this year, E&E had reported that the incident had lasted from 9:12 a.m. to 6:57 p.m. on the day of the attack, affecting system operations in Kern and Los Angeles Counties in California, Salt Lake County in Utah, and Converse County in Wyoming. However, the event "did not impact generation, the reliability of the grid or cause any customer outages," the report continued, quoting a DOE official at the time.
According to E&E, Lara Hamsher, government relations and communications manager at sPower, said the company has improved its systems to "help ensure as much uptime as possible."
It remains unknown if the incident was a random crime of opportunity or an intentional attack on the power grid.
"Even though, and thankfully, the operational area was not itself impacted... the simplicity of this attack should make generators sit up and take notice. This was a simple IT attack on an unpatched firewall, which was still vulnerable, in spite of the patch being available," said Jason Haward-Grau, CISO at infrastructure/ICS security provider PAS Global, in emailed comments.
"Essentially it is the first time a control/command center lost visibility of the operational zone, which, whilst on the IT side of the house, is an indicator that the operational capabilities of industrial facilities are at increasing risk as the digitization agenda takes more of a central role in business," Haward-Grau continued. "This kind of attack shows that the frequency of attacks is continuing to grow, and digitalization and hyper-connectivity are only going to expand the risk and accelerate the frequency of attacks because hackers are getting more and more sophisticated about industrial operations attacks..."
sPower is owned by AES Corporation in Arlington, Virginia, and the Alberta Investment Management Corporation in Edmonton, Canada.
Lara Hamsher, government relations and communications manager at sPower, provided the following statement: "sPower is a generator owner and generator operator of wind and solar generation assets that are operated from a 24/7/365 control center in Salt Lake City, Utah. On March 5, 2019, sPower's Control Center observed brief (five minutes or less) communication interruptions between the control center and 12 generation sites. These interruptions had no impact on generation and did not cause electrical system separation. After investigation and in accordance with sPower's commitment to continuous improvement, processes and systems were improved to help ensure as much uptime as possible."