Speaking at the SANS Process Control and SCADA (supervisory control and data acquisition) Summit 2008, CIA cybersecurity analyst Tom Donahue told attendees that the attackers made demands of the utilities and in one case caused a power outage that affected multiple cities.
“We have information, from multiple regions outside the US, of cyber intrusions into utilities, followed by extortion demands,” Donahue told an audience of about 300 US and international security officials from governments as well as electric, water, oil and gas companies. “We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge.”
According to Donahue, all of the attacks involved intrusion through the internet and their goal was extortion. He did not specify which countries were affected, when the outages took place or for how long power was cut.
“We do not know who executed these attacks or why,” Donahue said.
He indicated the CIA actively and thoroughly considered the benefits and risks of making this information public and “came down on the side of disclosure.”
According to some estimates, cyber attackers continue to make increasingly sophisticated intrusions into corporate computer systems, with costs worldwide climbing to roughly $20 billion each year.
Alan Paller, director of the SANS Institute, said hackers have in the past two years successfully penetrated and extorted multiple utility companies that use SCADA systems.
“Donahue would not have said it publicly if he didn’t think the threat was very large and that companies needed to fix things right now,” he told The Washington Post.
A CIA spokesperson declined to provide additional details, saying that “the information that could be shared in a public setting was shared.”
Meanwhile, on January 17, the US Federal Energy Regulatory Commission (FERC) approved eight new mandatory critical infrastructure protection reliability standards to protect the nation’s bulk power system against potential disruptions from cyber security breaches.
The eight standards cover Critical Cyber Asset Identification; Security Management Controls; Personnel and Training; Electronic Security Perimeters; Physical Security of Critical Cyber Assets; Systems Security Management; Incident Reporting and Response Planning; and Recovery Plans for Critical Cyber Assets.
The mandatory standards require certain users, owners and operators of the bulk power system to set up policies, plans and procedures that control physical and electronic access to control systems.