The SANS Institute, a nonprofit cybersecurity research organization in Bethesda, Md., planned to release a report late Friday quoting CIA senior analyst Tom Donohue, who spoke Jan. 16 to 300 government officials, engineers and security managers from electric, water, oil and gas, and other utility companies based in the United States, United Kingdom, Sweden and Netherlands.
"We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands," Donohue said at the SCADA 2008 Control System Security Summit in New Orleans. SCADA stands for Supervisory Control and Data Acquisition, and generally refers to the systems that control critical U.S. infrastructure.
"We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge," he said. "We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."
The news comes only three months after a congressional hearing that determined regulations to protect the control systems that support power plants in the United States pose a serious threat to the electricity infrastructure and national security.
The threat of cyberattacks on public utilities is a top concern for the Homeland Security Department, which works closely with the Multi-State Information Sharing and Analysis Center, or MS-ISAC, to provide a central resource for gathering and sharing information from state and local governments on cyber threats to critical infrastructure.
DHS is working with utilities and other companies that operate the nation's critical infrastructure, such as transportation and telecommunications companies, to develop a plan to respond to cyberattacks that could affect private sector computer networks. In 2006, DHS held the first national cyber exercise to determine how the federal government and corporations running the nation's infrastructure would respond to a cyberattack. Security experts criticized the exercise for not determining basic procedures, such as whether the federal government or the private sector was in charge of issuing responses.
Congress also has expressed concern over the cybersecurity of utility companies. In October, the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology held a hearing prompted by a simulation that highlighted vulnerabilities in the computer networks that run water, power and chemical plants. In the test, conducted last March, researchers from the Idaho National Laboratories simulated a cyberattack on a power plant's control system that caused a generator to self-destruct.
Government and industry experts who testified at the hearing cited flaws in regulations set by the North American Electric Reliability Corporation, which is charged with improving the reliability and security of the bulk of the power systems in North America through the development and enforcement of reliability standards. Recognizing weaknesses in these standards, the National Institute of Standards and Technology released recommendations of its own for the IT security of networked digital control systems used in industrial applications.