In May of 2019, the U.S. power grid experienced another attack. A series of unpatched Cisco Adaptive Security Appliances belonging to a western electric utility provider suddenly began repeatedly rebooting – for over ten hours. These firewalls sat on the outer security layer of the network, and as a result of the continued rebooting, local network services came to a halt. This type of attack is known as a Denial of Service (DoS) attack. The electric utility provider and the device manufacturer both began combing through logs and network traffic, and they soon realized that the problem was not a hardware malfunction: the network was under direct attack. Subsequent analysis revealed that an attacker was exploiting a known vulnerability in an outdated version of the Cisco firewall software. The attack triggered all vulnerable devices to reboot continuously, rendering them inoperable.
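The symptom that gave the incident away was a firewall restarting over and over for hours. As an added example (not code from the article or the utility), the following check runs over constructed syslog-style lines and flags any device whose restart count inside a sliding one-hour window exceeds a threshold; the log format and the "System restart" marker are assumptions, not real Cisco ASA message formats.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "<timestamp> <host> <message>" format.
# asa-edge-1 restarts four times in fourteen minutes; asa-edge-2 restarts once.
SAMPLE_LOGS = """\
2019-05-05T09:00:12 asa-edge-1 System restart: power-on self test
2019-05-05T09:00:40 asa-edge-1 Interface outside up
2019-05-05T09:04:55 asa-edge-1 System restart: power-on self test
2019-05-05T09:09:31 asa-edge-1 System restart: power-on self test
2019-05-05T09:14:02 asa-edge-1 System restart: power-on self test
2019-05-05T09:10:00 asa-edge-2 Interface inside up
2019-05-05T10:30:00 asa-edge-2 System restart: scheduled maintenance
2019-05-06T08:00:00 asa-edge-1 System restart: scheduled maintenance
"""

RESTART_MARKER = "System restart"  # assumed marker text for a device restart event


def parse_restarts(text):
    """Yield (host, timestamp) for every restart line, in file order."""
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3 or RESTART_MARKER not in parts[2]:
            continue
        yield parts[1], datetime.fromisoformat(parts[0])


def find_reboot_storms(text, window=timedelta(hours=1), threshold=3):
    """Return {host: peak_count} for hosts with >= threshold restarts in any window."""
    per_host = defaultdict(list)
    for host, ts in parse_restarts(text):
        per_host[host].append(ts)
    storms = {}
    for host, stamps in per_host.items():
        stamps.sort()  # syslog lines may be collected out of order
        recent = deque()  # restarts inside the current sliding window
        peak = 0
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:  # drop restarts older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            storms[host] = peak
    return storms


if __name__ == "__main__":
    for host, n in find_reboot_storms(SAMPLE_LOGS).items():
        print(f"ALERT {host}: {n} restarts within one hour")
```

A single scheduled restart the next day does not trigger the alert, because the window has already emptied; only the burst of restarts does.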
The electric utility provider was able to patch the affected devices and stop further attacks from succeeding. While electricity transmission and delivery were not adversely affected, this attack is the furthest intrusion into the U.S. grid by a cyber attacker to date. Had the attacker chained another exploit together with this attack, the entire network could have been completely compromised, leading to a takeover by a hostile entity. A damaging cyber attack on the U.S. grid would be catastrophic to the public, as well as financially crippling to the victim organization.
How could this have been prevented? A mature vulnerability risk management program would have allowed the electric utility provider to identify, prioritize, patch, and track all assets and third-party risks in its network, as well as remain compliant with NERC regulations. After the firewalls were updated, the electric utility provider implemented a patch management program. In a September 2019 report on the incident, NERC stated, “It should be noted that the entity was already working to develop internal procedures to support this process; however, these were not completed or being practiced at the time of the event.” NERC recently fined an entity $10 million for more than 120 similar security violations over four years.
In addition to a risk management program, proper load-balancing of firewalls and other network devices on critical infrastructure allows network traffic to continue to flow in the event one device becomes inoperable. Also, Access Control Lists (ACLs) allow firewalls to deny access to any device not on a whitelist. These are a few of the many actions an organization can take to harden its security posture. The strategy of combining multiple layers of security controls at every step is known as a “defense-in-depth” approach to security. By having multiple layers of security, from policy down through firmware patching, an organization can begin to secure its networks and assets.