VANCOUVER, British Columbia — Staff from the Electricity Information Sharing and Analysis Center (E-ISAC) said last month’s CrowdStrike outage and the global business disruptions it caused offered a “real-world look at what a really bad day” would mean if a cyberattack hit critical infrastructure.
Speaking to members of the NERC Board of Trustees’ Technology and Security Committee during its open meeting, E-ISAC Vice President of Security Operations and Intelligence Matt Duncan said that while the outage posed no threat to grid reliability, it “forced entities around the world to look at how they could operate [during] such an outage.”
Angus Willis, NERC’s director of information technology infrastructure and support, confirmed that “none of [NERC’s] internal or external systems were affected” by the incident.
The CrowdStrike outage began on July 19 after cybersecurity firm CrowdStrike released an update for its Falcon software. According to CrowdStrike’s analysis of the incident, the update, which affected “certain Windows hosts,” contained a critical bug that caused those hosts to crash.
CrowdStrike’s update threw companies around the world into chaos as key systems locked up. Thousands of flights were canceled, with Delta Air Lines alone claiming that it lost $380 million in revenue from refunds and compensation payments to customers. Companies in the health care and banking sectors also reported losses of more than $1.9 billion and $1.15 billion respectively, with the total cost of the incident estimated at more than $5 billion.
All this disruption resulted from an error rather than a deliberate cyberattack, E-ISAC staff noted, with Duncan likening the incident to “a cyber hurricane.” However, the outage still required a response, from which lessons can be drawn. Affected entities spent “a significant amount of time and resources restoring their internal systems,” and in many cases companies had to activate their business continuity plans.
While the electricity sector was not directly affected by the CrowdStrike outage, the E-ISAC actively monitored the fallout as it developed, Duncan said. The E-ISAC received the first reports of problems with the Falcon software during an unrelated event late at night, he said, and by morning it was clear “that it was something that needed to be dealt with.”
The E-ISAC worked with the Department of Energy, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and other stakeholders to determine the extent of the outage, and then put out an All Points Bulletin once the incident was known to be “not malicious, but still extremely impactful.” The subsequent weeks gave stakeholders a chance to evaluate their responses and how their plans held up against real stresses.
“I think this was honestly fortunate, if I can be so bold, because much like a GridEx scenario, this gave us a real-world look at what a really bad day [a] cyber, physical or even an IT outage attack would look like,” Duncan said, referring to the E-ISAC’s biennial continent-wide grid security exercise.
Duncan observed that CISA Director Jen Easterly has made similar remarks. At this month’s Black Hat cybersecurity conference in Las Vegas, Easterly called the business disruptions and the resulting response a “dress rehearsal” for a potential cyberattack and compared the impact of the outage to the potential effects of an attack by Volt Typhoon, the threat actor the agency has attributed to China. (See CISA Highlights China Threat in 2024 Priorities Report.)
E-ISAC CEO Manny Cancel also credited CrowdStrike’s management for acting quickly and transparently throughout the incident. The company engaged with Microsoft early in the outage to get a fix to customers as quickly as possible.
“They took ownership of the problem right away. They said, ‘This was a mistake that we made,’ and then provided corrective action,” Cancel said. “That’s setting the bar for future events, and hopefully we don’t have them. … We’re seeing DHS call for this kind of transparency from software vendors. So we wish it didn’t happen, but really, CrowdStrike handled it very, very well.”