Cyber-security incident at US power grid entity linked to unpatched firewalls

Hackers used a DoS flaw to reboot firewalls at an electric power grid operator for hours.
Written by Catalin Cimpanu, Contributor

A cyber-security incident that impacted a US power grid entity earlier this year was not as dangerous as initially thought, the North American Electric Reliability Corporation (NERC) said last week.

In a report highlighting the "lessons learned" from a past incident, NERC said hackers repeatedly caused firewalls to reboot for about ten hours, on March 5, 2019.

The incident impacted firewalls deployed at multiple power generation sites operated by a "low-impact" operator and did not cause any disruption in the electric power supply.

The incident only impacted network perimeter firewalls, which, on March 5, were mysteriously going down for periods of up to five minutes. The firewall reboots continued for hours, prompting the power grid operator to start an investigation.

"Subsequent analysis determined that the reboots were initiated by an external entity exploiting a known firewall vulnerability," NERC said.

The power grid operator eventually discovered that they had failed to apply firmware updates for the firewalls that were under attack. The reboots stopped after the operator deployed the proper patches.

The operator blamed its failure to apply the firewall security updates on the lack of a proper firmware review process to vet security updates before they were deployed. Work was being done on standardizing such a process, but the procedure had not been ready in time, resulting in a backlog of firmware updates that were neither reviewed nor deployed.

The incident didn't result in a major intrusion; however, NERC intentionally highlighted the March 2019 attacks in order to draw attention to the fact that many companies may not be deploying firmware updates in a timely manner, resulting in security holes being opened on their networks.

NERC lays out a series of recommendations on dealing with firewalls and patches in its private report. A copy of this report was obtained by E&E News reporters, who first broke the story over the weekend.

A quick summary of these recommendations is below, but we recommend reading the entire set in the report:

  • Follow good industry practices for vulnerability and patch management.
  • Reduce and control your attack surface (have as few internet-facing devices as possible).
  • Use VPNs (virtual private networks).
  • Use access control lists (ACLs) to filter inbound traffic prior to handling by the firewall; minimize the traffic through a denial by default configuration with whitelisting for the allowed and expected IP addresses. Limit outbound traffic similarly for information security purposes.
  • Layer defenses. It is harder to penetrate a screening router, a virtual private network terminator, and a firewall in series than just a firewall (assuming the ACLs and other configurations are appropriate).
  • Segment your network. Restrict lateral communication to necessary and expected traffic to reduce the impact of a breach.
  • Know your exploitable vulnerabilities so you can pursue fixes.
  • Monitor your network.
  • Employ redundant solutions to provide resilience and on-line maintenance capabilities.
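As an added illustration of the ACL recommendations above (not code from the NERC report or from the operator involved), the following Python script models a deny-by-default screening policy placed in front of a perimeter firewall: inbound traffic is permitted only from a whitelist of expected source networks on expected ports, outbound traffic is limited the same way, and everything else is dropped and tallied so the denials can feed network monitoring. All addresses, ports and flows are constructed sample values, and the `Flow`, `evaluate` and `deny_summary` names are this example's own.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One connection attempt seen at the screening device (constructed record)."""
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int      # destination TCP/UDP port
    direction: str  # "inbound" (from the internet) or "outbound" (to the internet)


# Hypothetical allowlists. Each entry is (expected peer network, expected port).
# Anything not listed here is denied by default.
INBOUND_ALLOW = [
    (ip_network("203.0.113.0/28"), 443),    # partner VPN terminator -> HTTPS
    (ip_network("198.51.100.10/32"), 500),  # IKE from the corporate VPN peer
]
OUTBOUND_ALLOW = [
    (ip_network("198.51.100.0/24"), 443),   # vendor firmware/update mirror
    (ip_network("192.0.2.53/32"), 53),      # approved DNS resolver
]


def evaluate(flow: Flow) -> str:
    """Return "permit" only for an explicitly expected peer and port, else "deny"."""
    if flow.direction == "inbound":
        table, peer = INBOUND_ALLOW, ip_address(flow.src)
    elif flow.direction == "outbound":
        table, peer = OUTBOUND_ALLOW, ip_address(flow.dst)
    else:
        return "deny"  # unknown direction is never permitted
    for network, port in table:
        if peer in network and flow.dport == port:
            return "permit"
    return "deny"  # default deny: no matching whitelist entry


def deny_summary(flows):
    """Count denied attempts per external peer; a spike is a monitoring signal."""
    counts = Counter()
    for flow in flows:
        if evaluate(flow) == "deny":
            peer = flow.src if flow.direction == "inbound" else flow.dst
            counts[peer] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed sample traffic: expected peers plus probes at the firewall's
    # management port, the kind of traffic the screening layer should drop.
    sample = [
        Flow("203.0.113.5", "10.10.0.1", 443, "inbound"),
        Flow("203.0.113.5", "10.10.0.1", 22, "inbound"),
        Flow("192.0.2.77", "10.10.0.1", 443, "inbound"),
        Flow("192.0.2.77", "10.10.0.1", 8443, "inbound"),
        Flow("10.10.0.20", "192.0.2.53", 53, "outbound"),
        Flow("10.10.0.20", "192.0.2.99", 53, "outbound"),
    ]
    for flow in sample:
        print(f"{flow.direction:8} {flow.src} -> {flow.dst}:{flow.dport}  {evaluate(flow)}")
    print("denied per peer:", deny_summary(sample))
```

Feeding the denial counts into the monitoring stack is what turns the "monitor your network" item into something actionable: a single external address generating many denials against a perimeter device is worth a look well before a known firewall flaw is exercised against it.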
