While regulators and the utility industry have been talking about the threat for over a decade, the first actual hacking of a utility by an outsider occurred on March 5, 2019, and was officially reported by the North American Electric Reliability Corporation (NERC) in a "Lessons Learned" report on September 4.
NERC reported that, in March, a cyber event occurred at an unnamed utility in the western United States that caused the utility to temporarily lose visibility of certain parts of their system.
An external entity, not yet identified, gained access to the utility's system by exploiting a known firewall vulnerability at one of the utility's vendors, which allowed the attacker to trigger unexpected reboots of the utility's devices. These reboots caused a series of communications outages between the utility's field devices and its control center; each outage lasted less than five minutes, but they recurred over the course of ten hours. The interruptions led to a "denial of service (DoS) condition at a low-impact control center and multiple remote low-impact generation sites." However, according to NERC, the interruptions did not affect actual generation.
According to NERC, this was the first time that remote hackers have interfered with the U.S. electric grid.
NERC's investigation of the incident was able to identify the cause of the intrusion, but not the source.
In its Lessons Learned paper, NERC urged utilities to:
- Follow good industry practices for vulnerability and patch management.
- Reduce and control your attack surface.
- Use virtual private networks.
- Use access control lists (ACLs) to filter inbound traffic before it reaches the firewall; minimize traffic with a deny-by-default configuration that whitelists only the allowed and expected IP addresses. Limit outbound traffic similarly for information security purposes.
- Layer defenses. It is harder to penetrate a screening router, a virtual private network terminator, and a firewall in series than just a firewall (assuming the ACLs and other configurations are appropriate).
- Segment your network. Restrict lateral communication to necessary and expected traffic to reduce the impact of a breach.
- Know your exploitable vulnerabilities so you can pursue fixes.
- Monitor your network.
- Employ redundant solutions to provide resilience and on-line maintenance capabilities.
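The deny-by-default ACL and segmentation guidance in the list above, as an added Python example that is not part of the NERC report or this article: a first-match policy evaluator with an implicit final deny, run against constructed flows. The segment addresses, the vendor host 203.0.113.10, port 20000 and the rules themselves are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" (toward the control center) or "out"
    src: str  # source CIDR
    dst: str  # destination CIDR
    dport: Optional[int]  # destination port; None matches any port
    action: str  # "permit" or "deny"


@dataclass(frozen=True)
class Flow:
    direction: str
    src: str
    dst: str
    dport: int


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; a flow that matches nothing is denied (deny by default)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in rules:
        if r.direction != flow.direction:
            continue
        if src not in ipaddress.ip_network(r.src) or dst not in ipaddress.ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action
    return "deny"  # implicit deny: nothing passes unless explicitly whitelisted


# Constructed topology (hypothetical addresses from RFC 1918 / RFC 5737 ranges):
# control center segment 10.10.0.0/24 with VPN terminator 10.10.0.5,
# field-device segment 10.20.0.0/24, vendor management host 203.0.113.10.
SCREENING_ACL = [
    Rule("in", "203.0.113.10/32", "10.10.0.5/32", 443, "permit"),  # vendor reaches only the VPN terminator
    Rule("in", "10.20.0.0/24", "10.10.0.0/24", 20000, "permit"),  # field devices -> control center telemetry
    Rule("out", "10.10.0.0/24", "10.20.0.0/24", 20000, "permit"),  # control center -> field devices
    # no rule permits field site -> field site (lateral) or control center -> Internet traffic
]


def denied_flows(rules: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Return the flows the ACL drops, i.e. what should appear in firewall deny logs for monitoring."""
    return [f for f in flows if evaluate(rules, f) == "deny"]
```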