It has been reported that sPower, a Utah-based renewable energy provider, is in the unenvied posture of holding two unwanted titles. First, the company is the first-ever US provider of solar and wind renewable energy to have been the victim of a cyber-attack. Second, the company is the first US power grid operator that is known to have lost connection with its power generation installations as a result of a cyberattack.
Commenting on this, Sam Curry, chief security officer at Cybereason, said “With attackers breaching and disrupting left and right, to say that another “wake up call” has come is stating the obvious. Let’s get specific. The cyber-attack on sPower, the Utah-based solar and wind power utility, is specifically a lesson in anti-fragility and resilience. There’s very little public information here, so attribution isn’t really possible and the motivation of the attacker is unclear. However, it’s clear that a single piece of equipment was the single point of failure between the command center and the power generation machinery and mechanisms. If this had been step one in a more serious attack: followed up with sabotage, coordinated with other organisations being attacked or a number of other activities, the damage and impact could have been much worse. This isn’t a message for just sPower: everyone in the massively interconnected.
2. Ensure that single points of failure are reduced and removed; redundancy is a virtue in business continuity and disaster recovery.
3. Work “right of boom” since with an active human opponent someone will always get through at some point to maintain availability and command and control. If you can weather the storm and preserve ownership of an environment, the public will be much, much safer. This is as true in SmartGrid as in any other part of critical infrastructure.”