Highlights
– CIA reveals that hackers disrupted power generation in several foreign cities
– Although the method of attack was not revealed, it is likely that the attacker exploited one or more vulnerabilities in a Supervisory Control and Data Acquisition (SCADA) system
– We believe attacks against SCADA systems will increase
On January 16, 2008, at a SANS Institute security conference in New Orleans, Louisiana, a senior Central Intelligence Agency (CIA) analyst stated, “we have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands.” The conference, a gathering of 300 US, Swedish and Dutch government officials, engineers and security managers, highlighted the threat posed by systems disruptions of major utilities providers.
According to the CIA analyst, the disruption threat is already a real occurrence. He stated, “we suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions were through the Internet.”
Attacking SCADA
Although few details of these incidents are available, it is reasonable to assume that the alleged attackers were able to identify and exploit a vulnerability in a Supervisory Control and Data Acquisition (SCADA) device. SCADA systems are hardware and software systems used to gather data and enable the distributed operation of an industrial process, such as power generation, sewage treatment, oil and gas refining, and the processes of many other service industries.
Previous Warnings
Previous documented attacks against SCADA systems include an attack on the Maroochy Shire wastewater system in Queensland, Australia. In this incident, a disgruntled ex-contractor exploited his insider knowledge of the SCADA system to leak thousands of pounds of sewage onto the grounds of a nearby hotel (source).
Additionally, a test performed in March 2007 and sponsored by the Department of Homeland Security (DHS) demonstrated how a vulnerability in a SCADA system could be exploited to disable a power generator (source).
Further, studies published by the British Columbia Institute of Technology (BCIT) show that the number of incidents that affect SCADA and other industrial control systems has increased since 2001. This study did not conclude whether the increase in documented attacks is due to an actual increase in attacks or to an increase in vigilance and reporting of attacks. Nevertheless, this latest incident, in which hackers disabled a power generation system and extorted the system operators for a payoff, demonstrates that malicious actors have developed a means to profit from attacks against SCADA systems.
Outlook
These previous examples, coupled with the CIA analyst’s warnings, indicate that attacks against SCADA systems should no longer be considered an over-the-horizon threat.
Instead, we believe the introduction of a financial incentive to target these systems increases the likelihood that hackers will continue to develop new attacks against these critical systems. Finally, we also believe these attacks should be taken seriously, as a vulnerable SCADA system could be exploited with illicit intent by any number of hostile actors, including hackers, criminals, terrorists, or rival nation-states.