More megawatts, more problems: solar power denial of service attack


In the world of geopolitics, we probe the weaknesses of those that can hurt us. Not necessarily to attack other parties, but to know these weaknesses – to have them in our back pocket – in case moments of complexity arise, and leverage is necessary. This is the nature of humanity.

On March 5, 2019, engineers at sPower, a major solar and wind asset owner, saw “brief communication outages” between their centralized monitoring center and several wind and solar power plants. The company looked further into it and found that the firewall – security hardware used to manage information flows into and out of computer systems – had been rebooting. sPower contacted the hardware manufacturer, Cisco, and found that the reboots were caused by denial of service (DoS) attacks, the practice of overloading a computer connection by sending large volumes of data to it. The attacks started just after 9 AM MST and continued until almost 7 PM MST. They exploited a known vulnerability, which was patched soon thereafter. No additional attacks have been noted, and sPower stated – after reviewing computer logs – that no intrusions were detected.
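The detail that made this incident visible was the pairing of monitoring heartbeat gaps with firewall reboots. The following is an added example of how an operator could spot that pattern in logs automatically; it is not code from pv magazine, sPower or Cisco. The log format, the device and site names, the reboot threshold and the time window are all assumptions, and the log lines are constructed for the example.

```python
"""Flag firewall reboot storms and correlate them with monitoring outages.

Added example (not from the article, sPower or Cisco). The log format,
site/device names and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, source, event text.
SAMPLE_LOG = """\
2019-03-05T09:02:11 fw-site-A system: reboot
2019-03-05T09:02:40 scada heartbeat-lost site-A
2019-03-05T09:05:13 scada heartbeat-restored site-A
2019-03-05T09:31:47 fw-site-A system: reboot
2019-03-05T09:32:20 scada heartbeat-lost site-A
2019-03-05T09:35:01 scada heartbeat-restored site-A
2019-03-05T10:12:05 fw-site-A system: reboot
2019-03-05T10:12:30 scada heartbeat-lost site-A
2019-03-05T10:15:00 scada heartbeat-restored site-A
2019-03-05T11:00:00 fw-site-B system: reboot
2019-03-05T11:00:30 scada heartbeat-lost site-B
2019-03-05T11:03:00 scada heartbeat-restored site-B
"""

REBOOT_THRESHOLD = 3           # assumed: this many reboots inside WINDOW -> alert
WINDOW = timedelta(hours=2)    # assumed sliding window for counting reboots


def parse_log(text):
    """Turn the text log into (timestamp, source, event) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, source, event = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), source, event))
    return events


def reboots_by_device(events):
    """Collect reboot timestamps per firewall (sources named fw-<site>)."""
    out = defaultdict(list)
    for ts, source, event in events:
        if source.startswith("fw-") and event == "system: reboot":
            out[source].append(ts)
    return out


def find_reboot_storms(events, threshold=REBOOT_THRESHOLD, window=WINDOW):
    """Return {device: (first, last, count)} for every firewall that rebooted
    at least `threshold` times within any window of length `window`.
    A single reboot is routine; a cluster during the day is what warrants a call."""
    storms = {}
    for device, times in reboots_by_device(events).items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                storms[device] = (times[i], times[j], count)
                break
    return storms


def correlate_reboots_with_outages(events, grace=timedelta(seconds=60)):
    """For each firewall, count reboots followed within `grace` by a
    heartbeat-lost event for the site it protects. A high match rate says
    the monitoring gaps are explained by the device restarting, not by the
    plant itself."""
    lost = defaultdict(list)
    for ts, source, event in events:
        if source == "scada" and event.startswith("heartbeat-lost "):
            lost[event.split(" ", 1)[1]].append(ts)
    matched = {}
    for device, times in reboots_by_device(events).items():
        site = device[len("fw-"):]
        matched[device] = sum(
            1 for t in times if any(timedelta(0) <= lt - t <= grace for lt in lost[site])
        )
    return matched


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for dev, (first, last, n) in find_reboot_storms(evs).items():
        print(f"ALERT {dev}: {n} reboots between {first} and {last}")
    print("reboots followed by an outage:", dict(correlate_reboots_with_outages(evs)))
```

On the constructed log, site A's firewall trips the storm rule (three reboots in just over an hour) while site B's single reboot does not, and every reboot at both sites is followed by a heartbeat loss, which is the signal that the outage is on the firewall, not the plant.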

E&E News first reported on the DoS when it occurred. The publisher filed a Freedom of Information (FOI) request for data on the attack, and was recently given this PDF.

There is no public evidence yet suggesting the source of the attacks. As well, sPower says the attack caused no downtime or system issues, other than not being able to see ongoing operations at the site.

But this is definitely not the first time this issue has surfaced. pv magazine USA recently reported that the Federal Energy Regulatory Commission (FERC) is launching a two-part review of U.S. grid cybersecurity, prompted by a 20-month U.S. General Accounting Office (GAO) analysis.

Website Securelink reported on Russian intrusions into the nuclear power industry. The Department of Homeland Security was able to recreate a screenshot (above image) taken by these hackers. It was noted that when exiting systems, Russian actors took efforts to delete the applications they used, erase their tracks and clear event logs relating to remote services, audit, and much more.

And while the United States hasn’t publicly stated that any of its hardware has borne physical consequences of a hack, there have absolutely been examples globally, the best known being the Stuxnet virus aimed at the Iranian nuclear power industry. The virus was able to get into a system disconnected from the internet – in security terms this is called an “air gap” – via memory sticks. It then targeted the nation’s industrial control systems, infecting over 200,000 computers and causing 1,000 machines to physically degrade.

In Ukraine, during Russia’s invasion of Crimea, carried out so that it could hold onto important military bases, hackers deployed tools that allowed them to take control of SCADA systems, leading to opened breakers at some 30 distribution substations in the capital city Kiev and the western Ivano-Frankivsk region, causing more than 200,000 consumers to lose power.

Recently, the NYTimes reported on the deployment of American computer code inside Russia’s grid and other targets.