The Department of Energy requires that any US utility notify them within one hour after a successful cyber attack on their system. If the required OE-417 electric disturbance report is not filed, power companies can be fined as much as $2,500 per day! History shows that the Department of Energy has never issued this penalty as of today.
On March 5 of this year, a OE-417 report was filed. It was vague, to say the least, but we do know a DOS attack struck a Western power facility. Luckily, no power went out, and there were no blackouts reported. The DOS attack caused interference with the operations of the facility.
What is a DOS attack?
A DOS attack overwhelms its target with artificial traffic. The intent is usually to overwhelm and cause the target to function in a manner other than it was designed. The DOS attack hopes to create chaos for the target. This particular DOS attack took advantage of a software vulnerability. The Department of Energy stated that the vulnerability was a known one, and that there was a patch that had been made available before the attack occurred.
This DOS attack, according to the Department of Energy, didn’t cause any outages or impact the reliability of the grid. There has been no clarification as to what sort of equipment was affected, whether it be routers, work computers, phones, etc.
Why is this significant?
Due to the limited information about this event, it is hard to know much about the motives behind it. It does not appear to be part of a coordinated hacking campaign, but this is a significant event to take note of!
As of today, no previous known malicious cyber attacks have interfered with US grid operations before. This DOS attack emphasizes the growing concern of DOS attacks worldwide. More and more DOS and DDOS attacks are popping up all over the world. Many tools that were previously only available to government, federal, and state teams have been placed in the hands of criminal organizations and many of the general public also have access to these.
Due to the vagueness of the report, it is unknown which state utility was impacted by the DOS attack.