On September 4, 2019, the North American Electric Reliability Corporation (“NERC”) published a Lessons Learned report (“Report”) analyzing a March 5, 2019 cybersecurity incident that caused brief communications outages across several states.  NERC also provided guidance on how to avoid the firewall firmware vulnerabilities that made the cybersecurity incident possible.

In the Report, NERC detailed how a registered entity experienced brief outages of internet-facing firewalls which affected the communications between the entity’s low-impact control center and multiple remote generation sites.  These outages were discovered to have been caused by an external entity exploiting a known vulnerability in the firewalls.  Further, there had been a firmware update released prior to the event that was intended to address the vulnerability.  The registered entity took corrective actions to remedy the vulnerability and reduce the likelihood of such an event occurring again.

For the lessons learned of the Report, NERC recommended that registered entities aim to:

1. Follow good industry practices for vulnerability and patch management, including the close monitoring of vendor firmware releases;
2. Have as few internet-facing devices as possible to reduce the number of attack targets;
3. Use virtual private networks;
4. Use access control lists to filter inbound traffic prior to handling by the firewall;
5. Limit outbound traffic;
6. Use a series of layers of defenses, including using screening routers, virtual private network terminators, and firewalls;
7. Segment internal networks;
8. Stay updated on exploitable vulnerabilities by using available resources such as the National Vulnerability Database, SANS Internet Storm Center, Exploit Database, the National Cybersecurity Assessment and Technical Services program, and the Electricity Information Sharing and Analysis Center (“E-ISAC”);
9. Monitor networks and report attacks to E-ISAC; and
10. Use redundant solutions to provide resilience and on-line maintenance capabilities.

A copy of the Report is available here.