Earlier this year, news broke of a security breach at a North American power grid body, with commentators suggesting that the incident was not as serious as first thought.
According to a report published by the North American Electric Reliability Corporation (NERC), lessons had been learnt from the intrusion which saw hackers cause firewalls to repeatedly reboot for around ten hours on 5th March 2019.
A number of power generation areas run by a “low-impact” operator had their firewalls impacted by the cyber-strike, which did not have any subsequent adverse effect upon electricity supplies in surrounding areas.
Network perimeter firewalls bore the brunt of the assault; firewalls went offline for periods of up to five minutes on March 5th. The reboots continued for hours, which alerted technicians at the affected power grids and prompted official investigations.
“Subsequent analysis determined that the reboots were initiated by an external entity exploiting a known firewall vulnerability,” NERC stated.
The power grid operator found that the attacks had been inadvertently enabled because of a failure to apply firmware updates to the affected firewalls. The incessant reboots prevented the operator from deploying adequate protection patches.
The security shortfall was blamed on inadequate firmware review processes, which were needed to vet security updates prior to deployment. While efforts were being made to standardise the process, the work had not been finished in time. A backlog of firmware updates remained, none of which had been properly reviewed or implemented.
The episode did not provoke a major security breach, but that did not stop NERC from placing emphasis on the March attacks in a bid to highlight how many companies are neglecting to deploy firmware updates regularly, and how vulnerabilities in IT frameworks are appearing as a result.
Within its private report, NERC has detailed a number of recommendations concerning the upkeep of firewalls, as follows:
- Follow good industry practices for vulnerability and patch management.
- Reduce and control your attack surface (have as few internet-facing devices as possible).
- Use VPNs (virtual private networks).
- Use access control lists (ACLs) to filter inbound traffic prior to handling by the firewall; minimize the traffic through a denial by default configuration with whitelisting for the allowed and expected IP addresses. Limit outbound traffic similarly for information security purposes.
- Layer defences. It is harder to penetrate a screening router, a virtual private network terminator, and a firewall in series than just a firewall (assuming the ACLs and other configurations are appropriate).
- Segment your network. Restrict lateral communication to necessary and expected traffic to reduce the impact of a breach.
- Know your exploitable vulnerabilities so you can pursue fixes.
- Monitor your network.
- Employ redundant solutions to provide resilience and on-line maintenance capabilities.
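The two recommendations that lend themselves most directly to code are the default-deny ACL with an explicit whitelist and network monitoring. The following Python example is added here to illustrate both; it is not part of the NERC report or of the article. The rule format, the IP addresses and the syslog lines are constructed for illustration, and the reboot-frequency threshold is an assumed tuning value.

```python
"""Default-deny ACL evaluator and firewall-reboot monitor.

Added example; not from the NERC report or the article. The rule format,
the hosts and the log lines below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Whitelist: (direction, source network, destination network, destination port).
# Anything not matched here is denied; that is the "deny by default" posture.
ALLOW_RULES = [
    ("inbound", "203.0.113.0/29", "192.0.2.10/32", 443),    # partner VPN range -> web portal
    ("inbound", "198.51.100.5/32", "192.0.2.20/32", 22),    # management jump host -> admin SSH
    ("outbound", "192.0.2.0/24", "198.51.100.53/32", 53),   # internal -> approved resolver
    ("outbound", "192.0.2.0/24", "198.51.100.80/32", 443),  # internal -> vendor update mirror
]

def _compile(rules):
    return [(d, ipaddress.ip_network(s), ipaddress.ip_network(t), p) for d, s, t, p in rules]

_COMPILED = _compile(ALLOW_RULES)

def acl_decision(direction, src, dst, port, rules=_COMPILED):
    """Return 'allow' only on an explicit rule match; everything else is 'deny'."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule_dir, src_net, dst_net, rule_port in rules:
        if rule_dir == direction and src_ip in src_net and dst_ip in dst_net and port == rule_port:
            return "allow"
    return "deny"

# Constructed firewall syslog excerpt: one line per reboot event.
SAMPLE_LOG = """\
2019-03-05T09:02:11 fw-edge-1 kernel: system restart requested
2019-03-05T09:06:40 fw-edge-1 kernel: system restart requested
2019-03-05T09:11:03 fw-edge-1 kernel: system restart requested
2019-03-05T09:15:58 fw-edge-1 kernel: system restart requested
2019-03-05T09:20:30 fw-edge-1 kernel: system restart requested
2019-03-05T09:30:00 fw-edge-2 kernel: system restart requested
"""

_LINE = re.compile(r"^(\S+) (\S+) kernel: system restart requested$")

def reboot_alerts(log_text, threshold=3, window=timedelta(minutes=30)):
    """Return {host: count} for devices that rebooted at least `threshold`
    times inside any sliding window of length `window`.

    One scheduled reboot is routine; several on one perimeter device within a
    short window is the pattern described in the article and deserves a page.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        ts, host = m.groups()
        events[host].append(datetime.fromisoformat(ts))
    alerts = {}
    for host, times in events.items():
        times.sort()
        start = 0
        worst = 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            alerts[host] = worst
    return alerts

if __name__ == "__main__":
    print(acl_decision("inbound", "203.0.113.3", "192.0.2.10", 443))   # allow
    print(acl_decision("inbound", "203.0.113.3", "192.0.2.10", 8443))  # deny: unexpected port
    print(acl_decision("inbound", "192.0.2.55", "192.0.2.10", 443))    # deny: no rule for this source
    print(reboot_alerts(SAMPLE_LOG))                                    # {'fw-edge-1': 5}
```

The ACL side shows why "deny by default" matters: a flow that differs from the whitelist in any single field (source range, destination, or port) is dropped without a dedicated deny rule. The monitor side turns the "monitor your network" recommendation into a concrete check; a real deployment would read the same pattern from the central log collector rather than a string.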