By Jill R. Aitoro
January 18, 2008
Hackers have targeted computers that operate power companies worldwide,
causing at least one widespread electricity outage, a Central
Intelligence Agency senior analyst told North American government and
public works representatives in New Orleans this week.
The SANS Institute, a nonprofit cybersecurity research organization in
Bethesda, Md., planned to release a report late Friday quoting CIA
senior analyst Tom Donohue, who spoke Jan. 16 to 300 government
officials, engineers and security managers from electric, water, oil and
gas, and other utility companies based in the United States, United
Kingdom, Sweden and Netherlands.
"We have information, from multiple regions outside the United States,
of cyber intrusions into utilities, followed by extortion demands,"
Donohue said at the SCADA 2008 Control System Security Summit in New
Orleans. SCADA stands for Supervisory Control and Data Acquisition, and
generally refers to the systems that control critical U.S.
"We suspect, but cannot confirm, that some of these attackers had the
benefit of inside knowledge," he said. "We have information that
cyberattacks have been used to disrupt power equipment in several
regions outside the United States. In at least one case, the disruption
caused a power outage affecting multiple cities. We do not know who
executed these attacks or why, but all involved intrusions through the
The news comes only three months after a congressional hearing that
determined regulations to protect the control systems that support power
plants in the United States pose a serious threat to the electricity
infrastructure and national security.
The threat of cyberattacks on public utilities is a top concern for the
Homeland Security Department, which works closely with the Multi-State
Information Sharing and Analysis Center, or MS-ISAC, to provide a
central resource for gathering and sharing information from state and
local governments on cyber threats to critical infrastructure.
DHS is working with utilities and other companies that operate the
nation's critical infrastructure, such as transportation and
telecommunications companies, to develop a plan to respond to
cyberattacks that could affect private sector computer networks. In
2006, DHS held the first national cyber exercise to determine how the
federal government and corporations running the nation's infrastructure
would respond to a cyberattack. Security experts criticized the exercise
for not determining basic procedures, such as whether the federal
government or the private sector was in charge of issuing responses.
Congress also has expressed concern over the cybersecurity of utility
companies. In October, the House Homeland Security Subcommittee on
Emerging Threats, Cybersecurity, and Science and Technology held a
hearing prompted by a simulation that highlighted vulnerabilities in the
computer networks that run water, power and chemical plants. In the
test, conducted last March, researchers from the Idaho National
Laboratories simulated a cyberattack on a power plant's control system
that caused a generator to self-destruct.
Government and industry experts who testified at the hearing cited flaws
in regulations set by the North American Electric Reliability
Corporation, which is charged with improving the reliability and
security of the bulk of the power systems in North America through the
development and enforcement of reliability standards. Recognizing
weaknesses in these standards, the National Institute of Standards and
Technology released recommendations of its own for the IT security of
networked digital control systems used in industrial applications.
Subscribe to InfoSec News