What happened to the US grid on March 5?
- May 9, 2019
- Posted by: Kerry Tomlinson, Archer News
- Categories: Archer News, Cyberattack, Hacking, Industrial Control System Security, Posts with image, Power Grid, Vulnerabilities
Something out of the ordinary happened on the U.S. power grid on March 5, 2019.
Was it a cyberattack — and should you be worried?
Update: A denial of service attack hit solar and wind energy developer sPower, based in Salt Lake City, on March 5, causing communications outages for 12 hours, reported E&E News on October 31.
Hackers shut off the lights in the cold of winter in Ukraine in a cyberattack — not once, but twice, blacking out power to thousands of people in 2015 and 2016.
Now headlines report a cyberattack on the U.S. power grid on March 5.
But experts say this latest incident is different.
“Ukraine is a targeted attack that was intent with taking the power out to everyday people, to customers, electric customers,” said Chris Sistrunk, a security consultant with FireEye who focuses on industrial control systems.
“They got down to the control systems that allow the operators to control the grid. And then they did malicious things where they could turn off breakers and turn off the power,” he added.
The cyber event in California, Utah and Wyoming on March 5 did not succeed in shutting off power.
And that may not have even been the goal, Sistrunk said.
“I wouldn’t say that it’s a targeted attack, attempting to take out power to people here in the U.S.,” he said. “I think it’s like something exposed in your front yard, on the street, and someone’s going around checking your mailbox to see if it’s locked or not.”
The Department of Energy gave few details about the event that “disrupted electrical systems operations” at a power company from 9:12 AM to 6:57 PM on March 5.
It affected Los Angeles County and Kern County, Salt Lake County and Converse County in Wyoming.
A DOE official told Archer News that the problem was a “denial of service condition.”
A denial of service attack is one where attackers bombard your network with so much traffic that it can’t function.
But a denial of service condition could be something else — as simple as a device crashing.
“Like a blue screen of death,” Sistrunk explained. “You might have heard of that. That can be considered a denial of service vulnerability.”
Known Security Hole
DOE said in a statement sent to Archer News that the event is “related to a known vulnerability that required a previously published software update to mitigate.”
That means someone had already found a security hole in the past, the device maker disclosed it and released a patch for it, but the power company may not have applied that patch.
Device in Question
E&E News reports the device in question is a Cisco Adaptive Security Appliance, which serves as a firewall and VPN (virtual private network) gateway, according to Cisco.
It also has a long list of vulnerability alerts.
One of the alerts references March 5th, saying, “On March 5, 2019, the Cisco Product Security Incident Response Team became aware of additional attempted exploitation of this vulnerability in the wild.”
The advisory says an attacker could not only cause a denial of service condition, but could also potentially view sensitive system information.
Hackers were using this same vulnerability — labeled CVE-2018-0296 — on the Cisco Adaptive Security Appliance in June of 2018 to crash devices or get sensitive information, according to a report from Bleeping Computer last year.
Archer News asked Cisco if this advisory was connected to the March 5 cyber event that hit California, Utah and Wyoming.
Cisco told us it does not comment on customer information.
What Went Down?
“It’s really hard to say what really happened,” said K. Reid Wightman, a senior vulnerability researcher with security company Dragos. “They [DOE] are pretty tight-lipped about it.”
He said without more information, we don’t know if the incident was a true attack or something like an internal test or random scan.
“Maybe somebody was scanning the entire Internet and they stumbled across this thing. They may not have known what they were doing,” he explained.
With the denial of service condition, the power company may have lost some visibility into its network for a while, but that wouldn’t trigger a blackout, experts said.
“That doesn’t mean the power grid is going to go down, just because the network connectivity is down,” Sistrunk said.
And though patching is important, they said utilities can’t always patch right away because it could accidentally take down their systems — which would indeed cause an outage.
Industrial companies often test patches before they deploy them, and then may need to wait for the right window, Wightman said.
“It’s typical to wait at least a few months,” Wightman said. “For actual industrial products, it might be a year, because they might not be able to patch, just because they can’t afford downtime.”
Should You Worry?
“I wouldn’t worry about it too much,” Wightman said. “I think the utilities involved are learning from lessons from it. Probably, they’re going to do a better job in the future. At least I hope so.”
Still, cyberattacks can cause problems for power companies in the U.S.
In 2003, for example, the Slammer worm took down a safety system at a power plant and control systems at a separate utility, reports said.
The Department of Homeland Security warned energy companies last year that the Russians were probing the U.S. electric grid.
And, ultimately, this March 5th incident could turn out to be serious.
But for now, this latest cyber event caused far less trouble to the U.S. power grid in March than squirrels, which left hundreds of people in the dark in four states — in some cases, quite dramatically — from Washington to Massachusetts.
Many hope it stays that way.
“So far, we haven’t had any outages in the U.S. due to cyberattack,” Sistrunk said.
This incident may be a good reminder to do a better job of patching, Wightman said.
“Oh, for sure,” he said. “Especially on those perimeter systems, a VPN connection, for example, where somebody remote is going to be connecting to this service.”
Utilities need to constantly review their defenses, Sistrunk advised.
A key part of that is looking at what devices and systems they have and whether those devices and systems have known vulnerabilities.
“First, they have to make sure they know what they have that’s out there,” he said. “Then they’ll be able to patch it accordingly if there’s a new update.”
That is a big task, as many companies have thousands of devices.
“Gone are the days of being able to keep everything in one set of notebooks or a giant spreadsheet,” Sistrunk said.
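The inventory-first approach Sistrunk and Wightman describe (know what you have, match it against advisories, patch the internet-facing VPN and firewall boxes first) can be sketched in code. This is an added illustration, not anything from Archer News, DOE or Cisco; every device name, product label, version string and advisory ID in it is a constructed placeholder, not a real version or advisory.

```python
# Added example: a minimal inventory-to-advisory matcher that flags devices
# running a version older than the advisory's fix and queues perimeter devices
# (internet-facing VPN/firewall) ahead of internal ones.
# All records below are CONSTRUCTED placeholders, not real vendor data.
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    product: str
    version: str
    role: str  # "perimeter" (internet-facing VPN/firewall) or "internal"


@dataclass
class Advisory:
    advisory_id: str
    product: str
    fixed_version: str  # first version carrying the fix (constructed)


def parse_version(v: str) -> tuple:
    """'9.8.2' -> (9, 8, 2, 0); pad so '9.8' and '9.8.0' compare equal."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(dev: Device, adv: Advisory) -> bool:
    """Same product and running a version older than the fixed one."""
    return (dev.product == adv.product
            and parse_version(dev.version) < parse_version(adv.fixed_version))


def patch_queue(devices, advisories):
    """Return (device name, advisory id) pairs needing a patch, perimeter first."""
    hits = [(d, a) for d in devices for a in advisories if is_vulnerable(d, a)]
    hits.sort(key=lambda da: (da[0].role != "perimeter", da[0].name))
    return [(d.name, a.advisory_id) for d, a in hits]


# Constructed sample inventory and advisory list (placeholders only)
INVENTORY = [
    Device("vpn-edge-1", "fw-vpn-appliance", "9.8.1", "perimeter"),
    Device("hist-fw-1", "fw-vpn-appliance", "9.8.1", "internal"),
    Device("vpn-edge-2", "fw-vpn-appliance", "9.8.3", "perimeter"),
    Device("plc-gw-1", "serial-gateway", "2.0", "internal"),
]
ADVISORIES = [Advisory("ADV-PLACEHOLDER-1", "fw-vpn-appliance", "9.8.2")]

if __name__ == "__main__":
    for name, adv_id in patch_queue(INVENTORY, ADVISORIES):
        print(f"{name}: apply fix from {adv_id}")
```

Real inventories also need to record which devices can only be patched in a maintenance window, which is the downtime constraint Wightman raises above.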