The Google Cache of the NERC report (I’m posting the news article because at the time of my post the NERC site was showing a SharePoint error) also has some interesting bits:
A vulnerability in the web interface of a vendor’s firewall was exploited, allowing an unauthenticated attacker to cause unexpected reboots of the devices. This resulted in a denial of service (DoS) condition at a low-impact control center and multiple remote low-impact generation sites. These unexpected reboots resulted in brief communications outages (i.e., less than five minutes) between field devices at sites and between the sites and the control center.
Basically, it reads like some actor had mapped the infrastructure of a “registered entity” (large power generators, users, &c.), found a known issue in the firewalls, and used it to reboot them a few times. The “lessons learnt” section of the NERC report is also interesting, although most registered entities should already be following NERC’s CIP standards for cyber security. Interesting stuff, I’d love to see pcaps or logs for it.
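As an added defender-side illustration (not from the NERC report or this post), here is Python that scans constructed, hypothetical syslog-style lines for the two signals the excerpt describes: unexpected firewall reboots hitting several sites within a short window, and the resulting brief link outages between field devices and the control center. The log format, site names, device names and timestamps are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample lines (hypothetical shape: "<iso-ts> <site> <device> <event> <key=value>...").
# None of these values come from the NERC report.
SAMPLE_LOGS = """\
2019-03-05T09:12:01 CC-1 fw-cc-1 SYSTEM_RESTART reason=unexpected
2019-03-05T09:12:03 CC-1 fw-cc-1 LINK_DOWN peer=rtu-07
2019-03-05T09:15:40 CC-1 fw-cc-1 LINK_UP peer=rtu-07
2019-03-05T09:20:11 GEN-4 fw-gen-4 SYSTEM_RESTART reason=unexpected
2019-03-05T09:41:30 GEN-4 fw-gen-4 SYSTEM_RESTART reason=unexpected
2019-03-05T13:02:09 GEN-9 fw-gen-9 SYSTEM_RESTART reason=scheduled
"""

def parse_events(text):
    """Turn raw lines into dicts; trailing key=value fields become entries."""
    events = []
    for line in text.splitlines():
        ts, site, device, event, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "site": site, "device": device, "event": event}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    return events

def unexpected_reboot_clusters(events, window=timedelta(hours=1), min_sites=2):
    """Return (start, sites) for each burst in which unexpected reboots hit >= min_sites sites.
    One reboot is noise; several sites rebooting unexpectedly close together is the DoS pattern."""
    reboots = sorted((e for e in events
                      if e["event"] == "SYSTEM_RESTART" and e.get("reason") == "unexpected"),
                     key=lambda e: e["ts"])
    clusters, i = [], 0
    while i < len(reboots):
        first = reboots[i]
        in_window = [e for e in reboots[i:] if e["ts"] - first["ts"] <= window]
        sites = {e["site"] for e in in_window}
        if len(sites) >= min_sites:
            clusters.append((first["ts"], sites))
            i += len(in_window)  # do not re-report the same burst from a later start
        else:
            i += 1
    return clusters

def outage_durations(events):
    """Pair LINK_DOWN/LINK_UP per (device, peer); returns seconds each link stayed down."""
    down, durations = {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["device"], e.get("peer"))
        if e["event"] == "LINK_DOWN":
            down[key] = e["ts"]
        elif e["event"] == "LINK_UP" and key in down:
            durations[key] = (e["ts"] - down.pop(key)).total_seconds()
    return durations
```

On the constructed sample this reports one burst spanning CC-1 and GEN-4 and a 217-second outage, i.e. the sub-five-minute gap the report mentions, while the scheduled GEN-9 restart is ignored.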