In March, renewable energy provider sPower was hit by a rare cyberattack that temporarily blinded operators to wind and solar installations. While power distribution was not interrupted, the denial-of-service (DoS) incident prompted a cyber event report to the Department of Energy (DoE), highlighting increased concern around compromised communications.
According to Cyberscoop, the attack happened in March over a period of 12 hours. Operators were repeatedly cut off from a dozen generation sites in five-minute bursts, which rendered them unable to communicate or view the status of wind and solar equipment. Critical industrial control systems (ICS) and power-generation capabilities were not affected, but the incident required DoE emergency alert reporting for a “cyber event that causes interruptions of electrical system operations.”
As ZDNet noted, this attack featured two dubious distinctions: It’s the first time cybercriminals have targeted the IT infrastructure of a U.S. solar and wind provider and the first time a cyberattack on U.S. soil has compromised connections with power installations.
Testing the Waters? Or Just a Case of Bad Luck?
Threat actors exploited a known firewall vulnerability to create a DoS attack that severed contact between power stations and sPower staff. Over the course of the 12 hours, the company lost contact with a dozen generation sites, but there was no evidence of additional breaches beyond the initial compromise and no direct impact on operations. According to E&E News, communication outages of up to half an hour aren’t uncommon between operators and generators — outages and IT glitches often interrupt connections but don’t lead to power disruptions or blackouts.
In the case of sPower, however, two security concerns surfaced. First, this rare cyberattack was just bad luck — a combination of public-facing firewall equipment and hackers looking to exploit known vulnerabilities. Support for this theory comes from the lack of follow-up. Beyond short-term communication blackouts, there were no attempts to compromise ICS or SCADA systems further. This is worrisome given the ease of DoS distribution, since attackers were able to effectively blind a large-scale energy provider by accident.
It’s also possible that malicious actors were testing the waters to determine where utility companies are vulnerable. If so, this kind of renewable reconnaissance could be the precursor to larger-scale, higher-impact attacks on solar and wind sites, especially as power generation and consumption ramp up.
How to Power Up Industrial Control System Security
To help defend against both targeted and speculative attacks, utility companies should prioritize timely patch management and security testing.
The recommended remedy for sPower’s security breach is updating firmware. With control systems and cybersecurity measures increasingly dependent on public-facing cloud services and storage, it’s critical for utility providers to prioritize patch management.
Organizations should also regularly test for potential weaknesses in control system structures to determine if they’re too trusting or whether they permit access without proper credentialing. While testing and deploying new security updates may affect day-to-day operations in the short term, the long-tail consequences of unpatched vulnerabilities can be substantial.