In March, renewable energy provider sPower was hit by a rare cyberattack that temporarily blinded operators to wind and solar installations. While power distribution was not interrupted, the denial-of-service (DoS) incident prompted a cyber event report to the Department of Energy (DoE), highlighting increased concern around compromised communications.

According to Cyberscoop, the attack happened in March over a period of 12 hours. Operators were repeatedly cut off from a dozen generation sites in five-minute bursts, which rendered them unable to communicate or view the status of wind and solar equipment. Critical industrial control systems (ICS) and power-generation capabilities were not affected, but the incident required DoE emergency alert reporting for a “cyber event that causes interruptions of electrical system operations.”

As ZDNet noted, this attack featured two dubious distinctions: It’s the first time cybercriminals have targeted the IT infrastructure of a U.S. solar and wind provider and the first time a cyberattack on U.S. soil has compromised connections with power installations.

Testing the Waters? Or Just a Case of Bad Luck?

Threat actors exploited a known firewall vulnerability to create a DoS attack that severed contact between power stations and sPower staff. Over the course of the 12 hours, the company lost contact with a dozen generation sites, but there was no evidence of additional breaches beyond the initial compromise and no direct impact on operations. According to E&E News, communication outages of up to half an hour aren’t uncommon between operators and generators — outages and IT glitches often interrupt connections but don’t lead to power disruptions or blackouts.

In the case of sPower, however, two security concerns surfaced. First, this rare cyberattack was just bad luck — a combination of public-facing firewall equipment and hackers looking to exploit known vulnerabilities. Support for this theory comes from the lack of follow-up. Beyond short-term communication blackouts, there were no attempts to compromise ICS or SCADA systems further. This is worrisome given the ease of DoS distribution, since attackers were able to effectively blind a large-scale energy provider by accident.

It’s also possible that malicious actors were testing the waters to determine where utility companies are vulnerable. If so, this kind of renewable reconnaissance could be the precursor to larger-scale, higher-impact attacks on solar and wind sites, especially as power generation and consumption ramp up.

How to Power Up Industrial Control System Security

To help defend against both targeted and speculative attacks, utility companies should prioritize timely patch management and security testing.

The recommended remedy for sPower’s security breach is updating firmware. With control systems and cybersecurity measures increasingly dependent on public-facing cloud services and storage, it’s critical for utility providers to prioritize patch management.

Organizations should also regularly test for potential weaknesses in control system structures to determine if they’re too trusting or whether they permit access without proper credentialing. While testing and deploying new security updates may affect day-to-day operations in the short term, the long-tail consequences of unpatched vulnerabilities can be substantial.

More from

Is It Time to Start Hiding Your Work Emails?

In this digital age, it is increasingly important for businesses to be aware of their online presence and data security. Many companies have already implemented measures such as two-factor authentication and strong password policies – but there is still a great deal of exposure regarding email visibility. It should come as no surprise that cyber criminals are always looking for ways to gain access to sensitive information. Unfortunately, emails are a particularly easy target as many businesses do not encrypt…

2022 Industry Threat Recap: Finance and Insurance

The finance and insurance sector proved a top target for cybersecurity threats in 2022. The IBM Security X-Force Threat Intelligence Index 2023 found this sector ranked as the second most attacked, with 18.9% of X-Force incident response cases. If, as Shakespeare tells us, past is prologue, this sector will likely remain a target in 2023. Finance and insurance ranked as the most attacked sector from 2016 to 2020, with the manufacturing sector the most attacked in 2021 and 2022. What…

X-Force Prevents Zero Day from Going Anywhere

This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

And Stay Out! Blocking Backdoor Break-Ins

Backdoor access was the most common threat vector in 2022. According to the 2023 IBM Security X-Force Threat Intelligence Index, 21% of incidents saw the use of backdoors, outpacing perennial compromise favorite ransomware, which came in at just 17%. The good news? In 67% of backdoor attacks, defenders were able to disrupt attacker efforts and lock digital doorways before ransomware payloads were deployed. The not-so-great news? With backdoor access now available at a bargain price on the dark web, businesses…