Pierluigi Paganini September 10, 2019

A DoS attack that caused disruptions at a power utility in the United States exploited a flaw in a firewall used in the facility.

The incident took place earlier this year, threat actors exploited a known vulnerability in a firewall used by the affected facility to cause disruption.

In May, the Department of Energy confirmed that on March 5, 2019, between 9 a.m. and 7 p.m., a cyber event disrupted energy grid operations in California, Wyoming, and Utah.

The news was first reported by E&E News, a “cyber event” interrupted grid operations in parts of the western United States in March, according to a report posted by the Department of Energy.

The report states that interruptions of electrical system operations were observed in California (Kern County, Los Angeles County), Utah (Salt Lake County), Wyoming (Converse County). The report did not include the name of the utility company that suffered the incident. 

Following the attack, the E&E News learned that the disruption was caused by a DoS attack that exploited a known vulnerability, but no other details were made public.

E&E now revealed that the incident was caused by the exploitation of a known vulnerability in the web interface of firewalls used by the impacted organization.

“The unprecedented cyber disruption this spring did not cause any blackouts, and none of the signal outages at the “low-impact” control center lasted for longer than five minutes, NERC said in the “Lesson Learned” document posted to the grid regulator’s website.”

“But the March 5 event was significant enough to spur the victim utility to report it to the Department of Energy, marking the first disruptive “cyber event” on record for the U.S. power grid (Energywire, April 30).

The case offered a stark demonstration of the risks U.S. power utilities face as their critical control networks grow more digitized and interconnected — and more exposed to hackers. “Have as few internet facing devices as possible,” NERC urged in its report.”

The flaw allowed the attackers to trigger a DoS condition in the internet-facing firewalls that were all perimeter devices used to implement the outer security layer.

“A vulnerability in the web interface of a vendor’s firewall was exploited, allowing an unauthenticated attacker to cause unexpected reboots of the devices.” states the NERC document. “This resulted in a denial of service (DoS)1 condition at a low-impact control center and multiple remote low-impact generation sites. These unexpected reboots resulted in brief communications outages (i.e., less than five minutes) between field devices at sites and between the sites and the control center.”

The NERC report doesn’t name the impacted utility, the DoS attack hit a low-impact control center and multiple remote low-impact generation sites. The attack caused brief communications outages between the control center and the sites, and the field devices at the sites.

The report revealed that the outages lasted for less than five minutes, the reboots of the impacted appliances occurred over a 10-hour timeframe.

The analysis of logs of the firewalls allowed the experts to determine the nature of the reboots and to discover that an “external entity” exploiting a known firewall vulnerability in the network devices to trigger a DoS condition.

The firewall manufacturer offered a firmware update to address the issue, then the entity first tested the patch on a firewall within a non-critical environment, then after verifying that no problems were observed, the entity deployed the firmware patch at an operational generation site.

“After seeing no adverse effects, the entity deployed the firmware patch at an operational generation site that night.” continues the document. “After monitoring traffic in the production environment overnight and early the following morning, the entity deployed the update to all remaining BES assets that had common hardware with the firmware vulnerability.”

NERC states that after completing mitigation operations to address the flaw, the entity conducted an internal assessment to improve internal patch management process to prevent similar incidents in the future.

NERC’s document includes a list of reccomendations to repeal similar attacks in the future.

Pierluigi Paganini

(SecurityAffairs – power utility, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]