Hacker Attacks on Utilities

The CIA’s top cybersecurity analyst made a rare public disclosure at a trade conference Wednesday, saying cyber attackers have breached the computer systems of foreign utility companies. The information was disclosed to participants at the Process Control Security Summit in New Orleans.

The hackers demonstrated the ability to cause blackouts that affected multiple cities. In most cases there were demands for extortion payments before the power was cut off. The cyber attacks all took place outside the U.S. but the CIA did not specify the countries affected, when the incidents occurred, the amount involved, or the duration of the outages. The CIA had reason to believe that in some cases the hackers possessed inside knowledge. All of the attacks were made through the Internet.

Cyber extortion is a growing threat as hackers have shown they can compromise online gambling sites, e-commerce sites and banks and other businesses. More money is involved, as the companies pay to prevent their sites from getting shut down and to keep the public at large from knowing about the successful intrusions into their sites.

The successful attacks on corporate computer systems are estimated to cost companies all over the world $20 billion annually.

The government is said to be concerned about the little-understood risks of cyber attacks on specialized electronic equipment that controls operations in power and water utilities, and chemical plants.

In a test conducted last year, the Department of Homeland Security demonstrated a simulated hacker attack on the computer system controls of a power generator (see Safety Issues article, Sept. 29, 2007). In the test, the big generator shook violently, belched smoke, flew apart and was rendered inoperable. The test showed a dangerous weak point in the supervisory control and data acquisition systems of U.S. utility companies.

In the past decade, utilities, railroads, pipelines and other companies have turned to computers and wireless Internet systems to operate remotely controlled and monitored valves and other mechanisms in their operations. The remote systems have generated substantial savings. Control equipment in main offices can also be accessed more easily by computers from remote locations.

A cybersecurity firm confirmed that in the past 18 months, there have been more focused attacks on national infrastructure networks and these have come from outside the United States. The sources of the attacks are difficult to trace because attackers camouflage themselves by working through several other computer networks.

The U.S. has taken steps to protect the computers that power systems. The Federal Energy Regulatory Commission approved Thursday a set of cybersecurity standards for electric utilities. The mandatory standards include identity and authentication controls, physical security of critical cyber equipment, and incident reporting.