A cyber-security incident that impacted a US power grid entity earlier this year was not as dangerous as initially thought, the North American Electric Reliability Corporation (NERC) said last week.
In a report highlighting the "lessons learned" from a past incident, NERC said hackers repeatedly caused firewalls to reboot for about ten hours, on March 5, 2019.
The incident impacted firewalls deployed at multiple power generation sites operated by a "low-impact" operator and did not cause any disruption in the electric power supply.
The incident only impacted network perimeter firewalls, which, on March 5, were mysteriously going down for periods of up to five minutes. The firewall reboots continued for hours, prompting the power grid operator to start an investigation.
"Subsequent analysis determined that the reboots were initiated by an external entity exploiting a known firewall vulnerability," NERC said.
The power grid operator eventually discovered that they had failed to apply firmware updates for the firewalls that were under attack. The reboots stopped after the operator deployed the proper patches.
The operator blamed its failure to apply the firewall security updates on the lack of a proper firmware review process to vet security updates before being deployed. Work was being done on standardizing such process, but the procedure had not been ready in time, resulting in a bottleneck of firmware updates not being reviewed and deployed.
The incident didn't result in a major intrusion; however, NERC intentionally highlighted the March 2019 attacks in order to draw attention to the fact that many companies may not be deploying firmware updates in a timely manner, resulting in security holes being opened on their networks.
NERC lays out a series of recommendations on dealing with firewalls and patches in its private report. A copy of this report was obtained by E&E News reporters, who first broke the story over the weekend.
A quick summary of these recommendations are below, but we recommend reading the entire set in the report: