“Denial-of-Service Condition” Impacts US Energy Company
A “denial-of-service condition” has reportedly impacted a US energy company that provides power to many western states. TechCrunch reports, “An energy company providing power in several western U.S. states experienced a ‘denial-of-service condition’ serious enough to warrant reporting it to the government’s energy authority.”
The report, by TechCrunch security editor Zack Whittaker, further says that the incident interrupted electrical system operations for over 10 hours on March 5. This information comes from an electric emergency and disturbance report that the affected company filed with the Department of Energy.
The first report about this incident came out in E&E News on April 30. The report says, “A ‘cyber event’ interrupted grid operations in parts of the western United States last month, according to a cryptic report posted by the Department of Energy… The March 5 incident lasted from 9 a.m. until nearly 7 p.m. but didn’t lead to a power outage, based on a brief summary of the electric disturbance report filed by the victim utility.”
E&E News reporter Blake Sobczak, who filed the report, observes, however, “If remote hackers interfered with grid networks in California, Utah and Wyoming, as the DOE filing suggests, the event would be unprecedented. A cyberattack is not known to have ever disrupted the flow of electricity anywhere in the United States, though Russian hackers briefly cut off power to parts of Ukraine in 2015 and again in 2016.”
He also explains that the Department of Energy defines a “cyber event” broadly, as any disruption to an electrical system or grid communication network that is caused by unauthorized access to hardware, software or data. So it is also possible that a utility employee or a trespasser, and not a remote hacker, triggered this particular “cyber event”.
The name of the energy company hasn’t been disclosed, but the electrical disturbance report lists the region as WECC (Western Electricity Coordinating Council) and the affected areas as Kern County and Los Angeles County in California, Salt Lake County in Utah and Converse County in Wyoming. The report gives the alert criteria as “Cyber event that causes interruptions of electrical system operations.”
Under existing regulations, U.S. utilities must notify the Department of Energy within one hour of any successful cyberattack. Failing to file an OE-417 electric disturbance report could invite a fine of up to $2,500 per day. The DOE has not, to date, issued any civil or criminal penalties related to this.
While the DOE hasn’t commented on the incident, the Federal Energy Regulatory Commission has reportedly admitted to being aware of the situation while declining to share any additional information. The North American Electric Reliability Corp. and the Western Electricity Coordinating Council haven’t shared details either.
The E&E News report says, “WECC’s events analysis team ‘confirmed it was a single entity involved,’ Communications Manager Julie Booth said in an email. ‘For security purposes, we cannot disclose any further information beyond what has already been made public.’” The TechCrunch report, quoting a DOE spokesperson, clarifies that the cyberattack didn’t impact generation or the reliability of the grid, and didn’t cause any customer outages.