The Google Cache of the NERC report (I’m posting the news article because at the time of my post the NERC site was showing a SharePoint error) also has some interesting bits:
A vulnerability in the web interface of a vendor’s firewall was exploited, allowing an unauthenticated attacker to cause unexpected reboots of the devices. This resulted in a denial of service (DoS)1 condition at a low-impact control center and multiple remote low-impact generation sites. These unexpected reboots resulted in brief communications outages (i.e., less than five minutes) between field devices at sites and between the sites and the control center
Basically, it reads like some actor had mapped infrastructure for a “registered entity,” basically, large power generators, users, &c., found a known issue in the firewalls, and used it to reboot things a few times. The “lessons learnt” section of the NERC report is also interesting, although most registered entities should be following NERC’s CIP standards for cyber security. Interesting stuff, I’d love to see pcaps or logs for it.
“A registered entity with a low-impact control center experienced brief (i.e., less than five minutes) outages of internet-facing firewalls that controlled communications between the control center and multiple remote generation sites and between equipment on these sites. The affected firewalls were all perimeter devices that served as the outer security layer. These outages had no impact to generation.”
That’s it? Somebody was able to reboot some unpatched firewalls and that constitutes the first ever cyberattack against the US power grid?
The article quotes a security analyst who suggests it was probably just an automated scan, and there’s no indication that the attackers even knew what they were poking at. According to the article there are exploits available for the vulnerability the attacker uncovered, yet the attacker didn’t attempt to gain a foothold or do anything beyond rebooting a few firewalls.
Odd targets.
This is probably similar to credit card scammers testing card validity by making a small purchase before the real thing. Lower visibility and a smaller chance of getting caught before the real attack. If this had actually brought down an entire state in America, you can bet it wouldn’t be in the lower half of the frontpage on Lobsters.
Who knows how many other attacks have gone unnoticed in the past because of this.