In March, renewable energy provider sPower was hit by a rare cyberattack that temporarily blinded operators to wind and solar installations. While power distribution was not interrupted, the denial-of-service (DoS) incident prompted a cyber event report to the Department of Energy (DoE), highlighting increased concern around compromised communications.

According to Cyberscoop, the attack happened in March over a period of 12 hours. Operators were repeatedly cut off from a dozen generation sites in five-minute bursts, which rendered them unable to communicate or view the status of wind and solar equipment. Critical industrial control systems (ICS) and power-generation capabilities were not affected, but the incident required DoE emergency alert reporting for a “cyber event that causes interruptions of electrical system operations.”

As ZDNet noted, this attack featured two dubious distinctions: It’s the first time cybercriminals have targeted the IT infrastructure of a U.S. solar and wind provider and the first time a cyberattack on U.S. soil has compromised connections with power installations.

Testing the Waters? Or Just a Case of Bad Luck?

Threat actors exploited a known firewall vulnerability to create a DoS attack that severed contact between power stations and sPower staff. Over the course of the 12 hours, the company lost contact with a dozen generation sites, but there was no evidence of additional breaches beyond the initial compromise and no direct impact on operations. According to E&E News, communication outages of up to half an hour aren’t uncommon between operators and generators — outages and IT glitches often interrupt connections but don’t lead to power disruptions or blackouts.

In the case of sPower, however, two security concerns surfaced. First, this rare cyberattack was just bad luck — a combination of public-facing firewall equipment and hackers looking to exploit known vulnerabilities. Support for this theory comes from the lack of follow-up. Beyond short-term communication blackouts, there were no attempts to compromise ICS or SCADA systems further. This is worrisome given the ease of DoS distribution, since attackers were able to effectively blind a large-scale energy provider by accident.

It’s also possible that malicious actors were testing the waters to determine where utility companies are vulnerable. If so, this kind of renewable reconnaissance could be the precursor to larger-scale, higher-impact attacks on solar and wind sites, especially as power generation and consumption ramp up.

How to Power Up Industrial Control System Security

To help defend against both targeted and speculative attacks, utility companies should prioritize timely patch management and security testing.

The recommended remedy for sPower’s security breach is updating firmware. With control systems and cybersecurity measures increasingly dependent on public-facing cloud services and storage, it’s critical for utility providers to prioritize patch management.

Organizations should also regularly test for potential weaknesses in control system structures to determine if they’re too trusting or whether they permit access without proper credentialing. While testing and deploying new security updates may affect day-to-day operations in the short term, the long-tail consequences of unpatched vulnerabilities can be substantial.

More from

Did Brazil DSL Modem Attacks Change Device Security?

From 2011 to 2012, millions of Internet users in Brazil fell victim to a massive attack against vulnerable DSL modems. By configuring the modems remotely, attackers could redirect users to malicious domain name system (DNS) servers. Victims trying to visit popular websites (Google, Facebook) were instead directed to imposter sites. These rogue sites then installed malware on victims' computers.According to a report from Kaspersky Lab Expert Fabio Assolini citing statistics from Brazil's Computer Emergency Response Team, the attack ultimately infected…

Who Carries the Weight of a Cyberattack?

Almost immediately after a company discovers a data breach, the finger-pointing begins. Who is to blame? Most often, it is the chief information security officer (CISO) or chief security officer (CSO) because protecting the network infrastructure is their job. Heck, it is even in their job title: they are the security officer. Security is their responsibility. But is that fair – or even right? After all, the most common sources of data breaches and other cyber incidents are situations caused…

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

Securing Your SAP Environments: Going Beyond Access Control

Many large businesses run SAP to manage their business operations and their customer relations. Security has become an increasingly critical priority due to the ongoing digitalization of society and the new opportunities that attackers exploit to achieve a system breach. Recent attacks related to corrupt data, stealing personal information and escalating privileges for remote code execution all highlight the new and varied entry points threat actors have taken advantage of. Attackers with the appropriate skills could be able to exploit…