Senior analyst Tom Donahue told about 300 U.S., U.K., Swedish and Dutch government officials and power company engineers on Friday that cyberattackers targeted several utility companies and demanded ransom.
“We have information, from multiple regions outside the United States, of cyberintrusions into utilities, followed by extortion demands,” Donahue said, according to a SANS statement posted Friday. “We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge.”
Donahue was speaking at the SANS Process Control and SCADA (supervisory control and data acquisition) Summit 2008.
“We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States,” he said. “In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the internet.”
Donahue did not say which cities were affected by the attack, and for how long power was cut.
George Little, a spokesman for the CIA, told SCMagazineUS.com today that the agency does not plan to release any more details.
“The information that could be shared in a public setting was shared,” Little said. “Those comments were simply designed to highlight to the audience the challenges posed by potential cyberintrusions.”
In the wake of the Sept. 11, 2001 terrorist attacks, IT security experts have pointed to critical U.S. infrastructure, including the power grid, as possible targets for future ambushes - especially as information systems become more interconnected with the internet.
The day before Donahue's announcement, the Federal Energy Regulatory Commission (FERC) approved eight mandatory cybersecurity standards that extend to all entities connected to the nation's power grid.
FERC, the U.S. agency responsible for overseeing electric rates and natural gas pricing, approved the standards, which had been developed by the North American Electric Reliability Corp. in 2006.
The guidelines cover asset identification, management controls, personnel and training, perimeters, physical security, systems management, incident response and reporting and disaster recovery.
At a U.S. House Subcommittee on Emerging Threats, Cybersecurity and Science and Technology hearing in June, a Government Accountability Office (GAO) official warned of future hacks impacting the utilities.
“When the power grid [becomes] completely automated, when the oil and gas [infrastructure becomes] completely automated, we will have a very serious problem on our hands because we do have opponents and they're dedicated,” said Keith Rhodes, chief technologist at GAO.