Over the past several weeks, more details of the March cyberattack on Western U.S. energy grid providers have been revealed, reminding me how important in-depth and timely incident reporting is to the continued safety of our wholesale electric system. It is particularly important given the escalating level of cyber threats aimed at our increasingly interconnected grid.
To be clear, there was no blackout, and it has not been determined whether it was a targeted attack. Nevertheless, for 10 hours on March 5, between 9:12 a.m. and 6:57 p.m., the attackers were able to take advantage of a firewall vulnerability at several Western U.S. grid operators, with the incident causing periodic “blind spots” in the grid providers’ operations. It also disrupted electrical system operations in Kern County, California, and Converse County, Wyoming.
It should be noted that the March incident is the first known event to cause such a disruption in a grid provider’s operations. However, as the May CNBC story on the incident suggests, “operations” does not refer to electrical distribution to consumers; it may instead refer to computer systems used within utilities, including office functions or operational software.
This can be seen as a denial-of-service (DoS) attack, a relatively primitive form of attack.
However, because it was nonetheless partly successful, it calls into question whether utilities are prepared for a more sophisticated attack of the kind the US government has warned about.
As the North American Electric Reliability Corp.’s (NERC) account of the attack on an undisclosed Western U.S. utility suggests, the firewall contained a defect that could have been avoided through better patch management. Nevertheless, NERC should be commended for the way it handled the incident and for providing the grid community with a report on the lessons learned.
About DDoS attacks
Distributed denial-of-service (DDoS) attacks are common in today’s cyber landscape. They are similar to other types of DoS attacks, but the primary difference is that the traffic flooding the servers or systems originates from multiple sources rather than one. Spreading the attack across multiple sources increases the potential damage and makes it harder to shut down; it also makes it harder to identify the malicious party behind the attack.
DDoS attacks work when different sources are coordinated with each other, often through botnets. A botnet is a network of hijacked Internet-connected systems or devices that are remotely controlled as a group. Hackers often use them to send spam or phishing emails or to steal banking details, but they are also a key component of DDoS attacks. Some hackers also offer botnets for hire, which puts this capability in the hands of even unskilled cybercriminals.
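The distinguishing feature described above, many sources instead of one, is also what a defender can key on in firewall logs. The following added example (not code from the original article or from NERC) buckets denied and allowed connections per destination and per minute, then labels each bucket as normal, a single-source flood, or a distributed flood based on how many distinct source addresses are involved. The log line format, the thresholds and the sample traffic are all constructed for this illustration.

```python
"""
Added example: separate a single-source DoS from a distributed (DDoS) flood
by counting distinct sources per destination and time window.
Log format, thresholds and sample lines are constructed, not from any vendor.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Illustrative thresholds (assumptions, not values from any standard or product).
RATE_THRESHOLD = 40         # connections to one destination in one window = a flood
DISTRIBUTED_THRESHOLD = 10  # distinct sources at or above which a flood is "distributed"


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Parse one constructed log line: '<ISO time> <src> -> <dst>:<port> <action>'."""
    ts, src, arrow, dst_port, _action = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected line format: {line!r}")
    dst = dst_port.rsplit(":", 1)[0]  # drop the port, keep the destination address
    return datetime.fromisoformat(ts), src, dst


def classify_floods(lines: Iterable[str]) -> Dict[Tuple[str, str], str]:
    """Return {(destination, minute window): 'normal' | 'dos' | 'ddos'}."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    sources: Dict[Tuple[str, str], set] = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst = parse_line(line)
        window = ts.replace(second=0, microsecond=0).isoformat()
        totals[(dst, window)] += 1
        sources[(dst, window)].add(src)

    verdicts: Dict[Tuple[str, str], str] = {}
    for key, count in totals.items():
        if count < RATE_THRESHOLD:
            verdicts[key] = "normal"
        elif len(sources[key]) >= DISTRIBUTED_THRESHOLD:
            verdicts[key] = "ddos"   # many sources: hard to block or attribute
        else:
            verdicts[key] = "dos"    # one (or few) sources: block at the edge
    return verdicts


def build_sample_log() -> List[str]:
    """Constructed sample traffic, all within one minute starting 09:12:00."""
    base = datetime(2019, 3, 5, 9, 12, 0)
    lines: List[str] = []
    # 60 connections from 30 distinct sources to 192.0.2.5: a distributed flood.
    for i in range(60):
        t = base + timedelta(seconds=i % 50)
        lines.append(f"{t.isoformat()} 203.0.113.{(i % 30) + 1} -> 192.0.2.5:443 DENY")
    # 50 connections from a single source to 192.0.2.6: a single-source flood.
    for i in range(50):
        t = base + timedelta(seconds=i % 50)
        lines.append(f"{t.isoformat()} 198.51.100.7 -> 192.0.2.6:443 DENY")
    # Three ordinary connections to 192.0.2.7: normal.
    for i in range(3):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 203.0.113.{100 + i} -> 192.0.2.7:22 ALLOW")
    return lines


if __name__ == "__main__":
    for (dst, window), verdict in sorted(classify_floods(build_sample_log()).items()):
        print(f"{window} {dst:12} {verdict}")
```

The distinction matters operationally: a single-source flood can be dropped with one firewall rule, while the distributed case needs upstream filtering or rate limiting and rarely yields a clean attribution, which is exactly why the article warns that the party behind a DDoS is hard to identify.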
With DDoS attacks, attackers often work out how to cause the most damage through impeccable timing.
Over the past several years, everything from HSBC Bank to Xbox and PlayStation has been targeted, usually at the worst possible time, such as a major holiday. But an attack can also land during a more mundane period, which is when HSBC was hit.
While previous DDoS attacks have not affected critical infrastructure, they have made clear the level of success that can be achieved and why they should be monitored. Fortunately, the March incident at the Western U.S. utilities was small in scale and did not involve a major control center, which limited the disruption.
Whether or not the attack was successful, bulk electric system (BES) operators must remind themselves of their new responsibility to report cybersecurity incidents that attempt to compromise a responsible entity’s electronic security perimeter or its associated electronic access control or monitoring systems.
CIP-008-6, which aims to reduce the risk to the reliable operation of the BES from a cybersecurity incident by specifying incident response requirements, closed a major gap in the prior incident reporting requirement. Until CIP-008-6, only incidents that actually compromised or disrupted a reliability function had to be reported. As the security maturity of our grid providers grows, ongoing reporting, including the sharing of unsuccessful compromise attempts, can only strengthen the BES ecosystem.
With the increase in the volume and complexity of cyberattacks on core IT infrastructure, companies should continuously develop their cybersecurity posture. Start now by getting smart on the latest threat landscape, and on how it can affect you.