Lessons Learned from a DoS Attack Against a U.S. Power Utility

According to a report by the North American Electric Reliability Corporation (NERC), in March of this year a public electric power utility in the United States was targeted by a cyberattack in which the cybercriminal(s) exploited a vulnerability in the utility's firewalls, allowing an unauthenticated attacker to cause unexpected reboots of those devices. "This resulted in a denial of service (DoS) condition at a low-impact control center and multiple remote low-impact generation sites. These unexpected reboots resulted in brief communications outages (i.e., less than five minutes) between field devices at sites and between the sites and the control center."

Fortunately, on this occasion, no interruption in electrical power occurred. However, the incident is troubling because it shows how vulnerable our power grid could be. The NERC report doesn't name the utility. However, other reports, such as in Security Affairs, noted that the Department of Energy confirmed that on March 5, 2019, between 9 a.m. and 7 p.m., a cyber event disrupted energy grid operations in California, Wyoming, and Utah.

The NERC report includes a "lessons learned" section that lists generic recommendations, including "Reduce and control your attack surface and follow good industry practices for vulnerability and patch management." That advice is sound, yet not sufficient. It's concerning that the recommendations didn't include dedicated DDoS protection as one layer of a layered defense.

DoS vs DDoS

The event was reported as a DoS condition caused by exploiting a firewall vulnerability, but the report does not say whether the attack traffic came from a single attacking computer or from many devices, which would make it a Distributed Denial of Service (DDoS) attack. Fortunately, the attack vector the cybercriminal(s) chose had only limited impact, brief reboots rather than a sustained outage, and that may be the only reason the utility was not more adversely affected.

The NERC review notes: “Based on this review, the entity decided to implement a more formal and more frequent review of vendor firmware updates that would be tracked within internal compliance tracking software. It should be noted that the entity was already working to develop internal procedures to support this process; however, these were not completed or being practiced at the time of the event. Additionally, the entity now utilizes firewall rules that restrict allowable traffic to the minimum required to operate the assets.”

The Myth of Firewall Protection

If, in fact, the utility was relying on a firewall alone for protection from attack (DoS, DDoS, ransomware, malware, etc.), it had insufficient protection. Had the cybercriminal(s) launched a DDoS attack instead, the firewall could have failed just as easily, even with no software vulnerability to exploit. Even a next-generation firewall that claims built-in DoS protection cannot deal with every type of attack, and no firewall can absorb a volumetric DDoS attack that exceeds its capacity. At best the firewall overloads, freezes up, and drops all inbound traffic, good customer traffic along with the attack traffic. At worst it fails open into bypass mode and lets all traffic flow, good and bad, putting the rest of the IT infrastructure, and its data, at risk.

Cyberattacks perpetrated by criminals, terrorists and cyber activists have reached a level of sophistication that firewalls cannot protect against. Modern firewalls are stateful by design: they allocate an entry in a finite connection table for every new flow they see, so a large-volume DDoS attack exhausts that table, and the memory and CPU behind it, long before any policy decision matters. Firewalls dictate which services may be used, but not how they are used. Attackers know this and deliberately misuse the allowed services, degrading or compromising the firewall, its performance, and the applications behind it.
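To make the state-exhaustion and fail-open/fail-closed behaviour described above concrete, here is an added example (not from the original post, and not Corero's product code). It models a stateful firewall that allocates a table entry per forwarded SYN, in both fail-closed and fail-open configurations, beside a stateless SYN-cookie design that allocates nothing until the peer proves it can complete the handshake. The firewall classes, the "client", the spoofed flood traffic, the table size and the flood size are all constructed here and are assumptions chosen to keep the run short; the cookie exchange is simplified to the client echoing the cookie value.

```python
"""Toy model: a stateful firewall under a SYN flood vs. a SYN-cookie design.

Constructed example. All traffic, addresses, table sizes and the secret are
made up for illustration; no real network is touched.
"""
import hashlib
import hmac
import random
from dataclasses import dataclass


@dataclass
class Packet:
    src: str        # source IP; flood traffic uses spoofed sources
    dst_port: int
    flags: str      # "SYN" or "ACK"
    ack: int = 0    # value echoed back by the client (carries the cookie)


class StatefulFirewall:
    """Classic design: one state-table entry per forwarded SYN, allocated
    before the peer has proved it can finish the handshake."""

    def __init__(self, table_size, fail_open=False, allowed_ports=(443,)):
        self.table_size = table_size      # assumed capacity of the state table
        self.fail_open = fail_open        # True: overloaded box goes into bypass
        self.allowed_ports = set(allowed_ports)
        self.table = {}                   # (src, dst_port) -> connection state
        self.in_bypass = False            # once set, all traffic flows unfiltered

    def handle(self, pkt):
        if self.in_bypass:
            return "bypass"               # policy is no longer applied at all
        if pkt.dst_port not in self.allowed_ports:
            return "drop"                 # the firewall decides *which* services...
        if pkt.flags != "SYN":
            return "forward" if (pkt.src, pkt.dst_port) in self.table else "drop"
        if len(self.table) >= self.table_size:
            if self.fail_open:
                self.in_bypass = True
                return "bypass"
            return "drop"                 # fail closed: good SYNs dropped with the bad
        self.table[(pkt.src, pkt.dst_port)] = "SYN_RECV"   # ...but not *how* they are used
        return "forward"


class SynCookieFirewall:
    """Stateless challenge: no state is kept until the peer echoes a valid
    cookie. Spoofed sources never see the challenge, so they never get in."""

    def __init__(self, secret, allowed_ports=(443,)):
        self.secret = secret
        self.allowed_ports = set(allowed_ports)
        self.table = {}

    def cookie(self, src, dst_port):
        # Keyed MAC over the flow identity; 32 bits to fit a TCP sequence field.
        mac = hmac.new(self.secret, f"{src}:{dst_port}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def handle(self, pkt):
        if pkt.dst_port not in self.allowed_ports:
            return "drop"
        if pkt.flags == "SYN":
            return "challenge"            # SYN-ACK carrying the cookie; nothing allocated
        expected = self.cookie(pkt.src, pkt.dst_port).to_bytes(4, "big")
        got = (pkt.ack & 0xFFFFFFFF).to_bytes(4, "big")
        if hmac.compare_digest(got, expected):
            self.table[(pkt.src, pkt.dst_port)] = "ESTABLISHED"
            return "forward"
        return "drop"


def syn_flood(fw, n, seed=1):
    """n SYNs to port 443 from random spoofed sources that will never answer."""
    rng = random.Random(seed)
    for _ in range(n):
        spoofed = ".".join(str(rng.randrange(256)) for _ in range(4))
        fw.handle(Packet(spoofed, 443, "SYN"))


def legit_client(fw, src="203.0.113.7", port=443):
    """A real client: sends a SYN and answers a cookie challenge if it gets one."""
    verdict = fw.handle(Packet(src, port, "SYN"))
    if verdict == "challenge":
        verdict = fw.handle(Packet(src, port, "ACK", ack=fw.cookie(src, port)))
    return verdict


def run(fw, flood_size=5000):
    """Flood the firewall, then see what happens to a good client and to an
    attacker probing a service the policy does not allow (port 22)."""
    syn_flood(fw, flood_size)
    return {
        "client_443": legit_client(fw),
        "attacker_22": fw.handle(Packet("192.0.2.99", 22, "SYN")),
        "state_entries": len(fw.table),
    }


if __name__ == "__main__":
    print("stateful, fail closed:", run(StatefulFirewall(table_size=1000)))
    print("stateful, fail open:  ", run(StatefulFirewall(table_size=1000, fail_open=True)))
    print("syn cookies:          ", run(SynCookieFirewall(b"demo-secret")))
```

With the fail-closed firewall the table fills with 1,000 half-open entries from sources that will never complete a handshake, and the legitimate client's SYN is dropped. With the fail-open firewall the same flood pushes it into bypass, after which the client is let through but so is the attacker's probe of port 22, which policy was supposed to block. The cookie design spends no state on the flood at all and ends with exactly one entry, the real client's.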

Any internet-connected organization could be victimized by a DDoS attack, but those providing critical infrastructure, such as energy utilities, should take the maximum possible care to protect their services. They bear a great responsibility to protect their networks because the wellbeing of their customers is at stake. Imagine residential customers who depend on electricity to run home medical devices or home security systems. Or imagine a whole hospital losing electricity. A few minutes without electricity is merely inconvenient for many, but for some it can be life-threatening.

For over a decade, Corero has been providing state-of-the-art, highly-effective, automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. If you’d like to learn more, please contact us.

Sean Newman is VP Product Management, responsible for Corero's product strategy. Sean brings over 25 years of experience in the security and networking industry to guide Corero's growing leadership in the real-time DDoS protection market. Prior to joining Corero, Sean's previous roles include network security Global Product Manager for Cisco, which he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.