CIA claims hackers attack global power grid

25 January 2008

The US Central Intelligence Agency (CIA) says criminals hacked into the computer systems of utilities, cutting the power to several international cities.

Speaking at the SANS Process Control and SCADA (supervisory control and data acquisition) Summit 2008, CIA cybersecurity analyst Tom Donahue told attendees that the attackers made demands of the utilities and in one case caused a power outage that affected multiple cities.

“We have information, from multiple regions outside the US, of cyber intrusions into utilities, followed by extortion demands,” Donahue told an audience of about 300 US and international security officials from governments as well as electric, water, oil and gas companies. “We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge.”

According to Donahue, all the attacks involved intrusion through the internet and the goal of the attacks was extortion. He did not specify which countries were affected by the attack, when the outages took place or for how long power was cut.

“We do not know who executed these attacks or why,” Donahue said.

He indicated the CIA actively and thoroughly considered the benefits and risks of making this information public and “came down on the side of disclosure.”

According to some estimates, cyber attackers continue to make increasingly sophisticated intrusions into corporate computer systems, with costs worldwide climbing to roughly $20 billion each year.

Alan Paller, director of the SANS Institute, said hackers have in the past two years successfully penetrated and extorted multiple utility companies that use SCADA systems.

“Donahue would not have said it publicly if he didn’t think the threat was very large and that companies needed to fix things right now,” he told The Washington Post.

A CIA spokesperson declined to provide additional details, saying that “the information that could be shared in a public setting was shared.”

Meanwhile, on January 17, the US Federal Energy Regulatory Commission (FERC) approved eight new mandatory critical infrastructure protection reliability standards to protect the nation’s bulk power system against potential disruptions from cyber security breaches.

The eight standards address topics that include Critical Cyber Asset Identification; Security Management Controls; Personnel and Training; Electronic Security Perimeters; and Physical Security of Critical Cyber Assets.

Systems Security Management; Incident Reporting and Response Planning; and Recovery Plans for Critical Cyber Assets are the remaining three standards.

The mandatory standards require certain users, owners and operators of the bulk power system to set up policies, plans and procedures that maintain physical and electronic access to control systems.

 
