A CIA analyst speaking at the SANS 2008 SCADA and Process Control Summit in New Orleans has admitted that hackers have not only been able to penetrate the power grids of several countries, but also successfully cut power to several cities, all from the relative safety of the Internet.
Central Intelligence Agency analyst Tom Donahue was quick to point out that all the attacks were external to the United States, but not so quick to provide specifics of the incidents. According to reports, Donahue claimed the objective was simple criminal extortion rather than being driven by a terrorist agenda. Conference organisers, the SANS Institute, posted a statement by Donahue which stated that "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet." The SANS Institute added that, according to Mr Donahue, the CIA "actively and thoroughly considered the benefits and risks of making this information public, and came down on the side of disclosure."
According to Brian Contos, Chief Security Officer at ArcSight, which is an active member of all of the cybersecurity consortia listed below, a whole host of projects are underway in the US to ensure that such penetration of national infrastructure utility services is made as difficult as possible:
- Project LOGIIC has been created to minimise the opportunity for a cyber attack to severely damage America's oil and gas infrastructure.
- DATES is a Department of Energy initiative to integrate technologically-advanced controls and cyber-security devices into the electricity grid and energy infrastructure.
- I3P is bringing together various national organisations to make use of the cross-disciplinary research available to ensure that control systems used in critical national infrastructures are made more resilient to attack and, just as importantly, allow for a more rapid recovery if any attack proves to be successful.
And finally, the Federal Energy Regulatory Commission (FERC) has approved eight new mandatory critical infrastructure protection (CIP) reliability standards to protect the nation's bulk power system against potential disruptions from cyber security breaches. FERC Chairman Joseph T. Kelliher says it has achieved a milestone "by adopting the first mandatory and enforceable reliability standards that address cyber security concerns on the bulk power system in the United States. The electric industry now can move on to the implementation of the standards in conjunction with improvement of these standards in order to increase the security and reliability of the bulk power system."
The eight CIP reliability standards address the following topics:
- Critical Cyber Asset Identification
- Security Management Controls
- Personnel and Training
- Electronic Security Perimeters
- Physical Security of Critical Cyber Assets
- Systems Security Management
- Incident Reporting and Response Planning
- Recovery Plans for Critical Cyber Assets