The U.S. utility industry may have just experienced its first malicious “cyber event”—or at least the first such event to be reported.
In March, an anonymous utility in the Western region of the country filed an “Electric Emergency and Disturbance Report” with the Department of Energy (DOE). The utility stated a “cyber event that causes interruptions of electrical system operations” occurred on March 5 from 9:12 a.m. until 6:57 p.m., in some of its service areas across multiple states. However, no loss of power occurred, and no customers were affected, according to the report.
E&E News reporter Blake Sobczak spotted the utility’s report on the DOE's Office of Cybersecurity, Energy Security & Emergency Response. The report, which Sobczak characterizes as vague, and several sources Sobczak does not name said the event was a “denial-of-service” attack that disabled Cisco Adaptive Security Appliance devices ringing power grid control systems for the affected locations.
While all utilities servicing those states contacted by Sobczak denied they filed the report, sources told him the hack most likely resulted in a temporary loss of visibility to parts of the utility’s supervisory control and data acquisition system.
In a May 4 interview with NPR, Sobczak explained the nature of the denial-of-service attack that “basically led operators to not be able to see what was going on in the grid.”
“So, it’s sort of like driving with blinders on,” he told NPR. “As long as nothing crazy happens, you should be fine, but it certainly constitutes a disruption and a reportable event here to the Department of Energy.”
Sobczak also said that, so far, it’s not known if the hacker was an individual from a foreign country such as Russia or the doings of “sophisticated nation state-backed spies.”
“It really could have been somebody with a fairly rudimentary understanding of how to launch this type of attack,” he said. “The hacker or hackers knew what they were doing and were able to actually find a particular flaw in this network equipment and send a certain type of packet or string of data to really make it stop working.”
According to Utility Dive, the North American Electric Reliability Corporation (NERC), in conjunction with the Federal Energy Regulatory Commission and Western Electricity Coordinating Council, is now conducting a “root cause analysis” to determine the cause of the March 5 cyber event.
While regulators have broadened the criteria necessary to trigger mandatory self-reporting of a cyber event by utilities, the lack of transparency surrounding this event is leading some to call for reform on the part of utilities and NERC.