"CIA Confirms Cyber Attack Caused Multi-City Power Outage" 18 January, 2008, The SANS Institute at Merit Network Email Archives:
CIA: Hackers Shook Up Power Grids by Noah Shachtman at Danger Room; Noah's got some more on this, including a Washington Poat article and Michael Tanji's take on this.SANS FLASH
CIA Confirms Cyber Attack Caused Multi-City Power Outage
On Wednesday, in New Orleans, US Central Intelligence Agency senior analyst Tom Donohue told a gathering of 300 US, UK, Swedish, and Dutch government officials and engineers and security managers from electric, water, oil & gas and other critical industry asset owners from all across North America, that "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."
According to Mr. Donohue, the CIA actively and thoroughly considered the
benefits and risks of making this information public, and came down on
the side of disclosure.
More Cyber War Gouge at Defense Tech:
More, including a references link, at the link.The CIA went on to say they suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. The very next day the Federal Energy Regulatory Commission (FERC) approved eight mandatory cyber security standards that extend to all entities connected to the nation's power grid. The following are the eight areas addressed by these standards:
1. Critical cyber asset identification
2. Security management controls
3. Personnel and training
4. Electronic security perimeters
5. Physical security of critical cyber assets
6. System security management
7. Incident reporting and response planning
8. Recovery plans for critical cyber assets
These eight standards were created to increase the security of our CIP and reduce the risk of a successful attack. Disruption of a county’s critical infrastructure would have significant direct and indirect damages. Most of these damages would be psychological, economic and financial. Analysis of a cyber attack on critical infrastructure targets resulted in the following data:
Target value: High
Impact analysis: Elevated
Required skills: Moderate
Attack costs: Low
Current defenses: Moderate (elevated for nuclear sites)
What are these attackers doing this for, simply money? Or something else?
Bookmarks