CIA: Utilities threatened by cyber attacks

Published 22 January 2008

CIA says U.S. utilities are at risk for cyber attack; security experts said the CIA’s acknowledgment of the problem indicates how seriously they are taking it, as CIA policy had been not to disclose such things

The nation’s utilities are at risk for cyber attack, the CIA’s top cybersecurity expert, Tom Donahue, told a gathering of utility security experts, the Washington Post reported. Attackers have hacked into utility companies’ computer systems overseas, in one case causing a power outage that affected multiple cities. “We do not know who executed these attacks or why, but all involved intrusions through the Internet,” Donahue said at a trade conference in New Orleans. “We suspect, but cannot confirm, that some of the attackers had the benefit of inside knowledge.” The hackers are using the attacks to demand money from utilities.

Security experts said the CIA’s acknowledgment of the problem indicates how seriously they are taking it. CIA policy had been not to disclose such things. “The CIA wouldn’t have changed its policy on disclosure if it wasn’t important,” Alan Paller, research director at the SANS Institute, told the Post. “Donahue wouldn’t have said it publicly if he didn’t think the threat was very large and that companies needed to fix things right now.” Andrew Storms, director of security operations for nCircle Network Security, said that “these statements of threats and risks to the nation’s infrastructure are not new. In private meetings with the CIA and FBI, information-security personnel have heard time and time again that the nation’s utility systems are at risk and are a likely target by cyber attackers,” he said.

The key concern with utility security is centered on SCADA devices, Storms said. A SCADA system is a computer that monitors real-time controls for utility systems. “These are the computers that acquire data and control the physical workings of dams, power plants, water-treatment systems and almost every modern manufacturing plant,” Storms explained. The problem is that utilities are not applying best-practices network security to these highly networked systems. “They have been relatively left behind when it comes to normal information-security practices,” Storms said. “Oftentimes they rely on legacy hardware or software, providing no tools to apply modern security practices.” In addition, “attempts to modify the workings of the devices to apply security controls bear too much risk in themselves that plants oftentimes rely on other risk-mitigation patterns,” he said.

Ralph Logan, principal of the Logan Group, a cybersecurity firm, confirmed to the Post that IT security measures are less than stellar in the utility industry. “Often there are authentication methods [at utilities] that are less than secure,” Logan said. “Sometimes there are no authentication methods.” Logan said he suspects the attacks are launched from foreign government and military computers, not by terrorists, although it is difficult to tell because they worm their way in through several systems. “In the past, if they wanted to go out and read a gauge on a gas well, for example, they would have to send a technician in his vehicle; he would drive 100 miles and physically read the gauge and get back in his truck,” Logan said. “Now they can read it from headquarters. But it allows attackers a gateway into the system.”