For the first time, the United States suffered an attack on the power grid. According to a report released by the North American Electric Reliability Corp., the strike created blind spots at a grid control center and at several small power generation sites in the Western United States.
The intrusion did not cause any blackouts; instead, the attack lasted for roughly five minutes and caused signal outages at the “low impact” control centers. Although the attack on March fifth was rather small, it was severe enough to report to the Department of Energy. Further, the occurrence marks the first time on record that a “cyber event” occurred on the U.S. power grid.
According to the report, the case offered a stark demonstration of the risks U.S. power utilities face as their critical control networks become more digitized and interconnected. Also, the attack came at a time when just two months before the event, the previous Director of National Intelligence, Dan Coats, warned that Russian hackers were capable of disrupting electricity for at least a few hours.
However, the attack on March fifth was simple; it was not anything like the attacks in Ukraine, which suffered massive blackouts in the dead of winter before this event. The cyber-attack hit web portals and firewalls in use at the undisclosed locations. Further, the hacker may or may not have even realized that the online interface was linked to parts of the power grid in California, Utah, and Wyoming.
“So far, I don’t see any evidence that this was really targeted,” said Reid Wightman, senior vulnerability analyst at industrial cyber-security firm Dragos Inc. “This was probably just an automated bot that was scanning the internet for vulnerable devices, or some script kiddie,” he said, using a term for an unskilled hacker.
Even still, the attack raised eyebrows at multiple federal agencies, the ones which are collectively responsible for keeping the lights on in the face of cyber and physical threats.
NERC, DOE, the Federal Energy Regulatory Commission and the Western Electricity Coordinating Council, which monitors and enforces grid security in the western United States, have all declined to share the name of the utility involved in the March fifth incident or other details that they warn could jeopardize the reliability of the grid.
“Lessons learned are an anonymized resource that identifies the lessons and contains sufficient information to understand the issues, and show the desired outcome,” NERC spokeswoman Kimberly Mielcarek said in an emailed response to questions, adding that the documents can be based on a “single event” or general trends.