Cyber-security incident at US power grid entity linked to unpatched firewalls