Owned by AES and AIMCo, sPower bills itself as the United States’ largest private owner of operating solar assets. Though there was no loss of generation, the March cyberattack impacted the company’s visibility into about 500 MW of wind and PV across California, Utah and Wyoming.
The attack is widely being called the “first” on renewable generators, though it is not clear the grid intrusion was entirely intentional. Attackers exploited a known vulnerability in an unpatched Cisco firewall, causing a series of reboots over 12 hours. But intruders did not press the attack further and E&E reports it is unclear they understood the firewall was connected to the energy grid.
Security experts say the attack is a wake-up call for the electric sector and a sign that clear vulnerabilities remain.
“The news begs a bigger question about cybersecurity regulations for the energy industry,” Phil Neray, vice president of security firm CyberX, said in an email. “The manner in which it was carried out was very basic — exposing some essential weaknesses in the way energy companies currently patch and monitor their network devices.”
Utilities must do basic security maintenance
CyberX released a report last month that concluded utility networks and unmanaged devices are “soft targets for adversaries.” Many utilities use outdated operating systems and unencrypted passwords that leave them vulnerable, the firm found.
That means in some instances utilities are not even maintaining the most basic protection: keeping systems up to date.
Neray said the grid is made vulnerable by network appliances like the ones that were compromised in the attack on sPower: directly exposed to the internet, unpatched and with limited malware capabilities. “We’ve seen attackers go after unpatched network devices in the past,” he said.
The March 5 attack is “one more example … that cyber risk in the industrial space is not only real, but operant,” Jason Haward-Grau, chief information security officer at cyber firm PAS Global, said in an email.
“The simplicity of this attack should make generators sit up and take notice,” Haward-Grau said. “This was a ‘simple’ IT attack on an unpatched firewall, which was still vulnerable, in spite of the patch being available.”