35+ Years of Freedom of Information Action

Attackers Trigger Firewall Reboot to Briefly Interrupt Power Company Network

Power grid
Published: Oct 31, 2019

Edited by Michael Martelle

For more information, contact:
202-994-7000 or nsarchiv@gwu.edu

FOIA declassification sheds light on March 2019 attack on renewable energy grid

A May 2019 report by Blake Sobczak at E&E news revealed that a Western power utility company was hit with a denial of service attack on March 5 2019. The report stated that the attack did not result in power disruptions, but few other details were available. From that report the National Security Archive and Sobczak independently filed FOIA requests for OE-417 (Electric Emergency Incident and Disturbance Report) documents related to the event. OE-417 reports are submitted to the Department of Energy after events which impact or could potentially impact the availability or reliability of power networks.

The request produced four documents: An OE-417 emergency alert, an OE-417 update, a follow-up email, and a OE-417 final alert. The documents reveal that the company affected was sPower, a renewable energy company owned by AES and AIMCo. The network outage was caused by an attack targeting a known vulnerability to cause Cisco firewalls to reboot. The reboot caused a short (around 5 minutes) interruption to communication between the control center and remote sites. sPower subsequently installed a Cisco firmware update to patch the vulnerability.

While this event was not linked to a power outage, these new details highlight the potential for relatively simple attacks leveraging known vulnerabilities to impact critical infrastructure. 

The E&E reporting from these documents can be found here.