CIA Confirms Cyber Attack Caused Multi-City Power OutageBy: Beau Woods
In the movie "Live Free or Die Hard", street-wise cop John McClain battles it out with the bad guys using computers to carry out their crimes. In this movie, we are introduced to a term called a "Fire Sale" where hackers take out critical systems to cause chaos. It is literally a movie plot terror threat, and seems pretty unlikely to happen outside of the theaters.
But late last week we got news of a similar scenario being carried out in foreign countries. Cyber criminals extorting public utilities with threats of taking down the facility. It seems that in at least one case, the attackers made good on their threats, affecting multiple cities. The Daily Mail of London indicates that these attacks have been carried out as near as "Central and South American countries including Mexico".
Given what I know about SCADA systems from reading public documents and making some guesses based on my experiences, I'd say it's entirely plausible that unauthorized access could be gained to these systems. While the speech mentions utilities outside the US, I wouldn't be surprised if there are unauthorized users inside some American public utility companies. And we know that SCADA systems have been compromised before. Both with and without "insider information". Just recently, a 15 year old kid was able to take control of city trams in Lodz, Poland, with an IR remote control and caused one car to jump the tracks and hit another tram.
One set of regulations, NERC-CIP, was passed, ironically, the day before the big Northeast blackout of 2003. It's ironic because the outage may have been exacerbated, by systems failing to perform as they were intended because of the Blaster worm. Recently some SCADA systems were put through a well publicized attack scenario where the adversarial team gained full control and was able to damage physical equipment in the scenario.
Organized crime has been doing this kind of thing for years, operating by extorting companies for "protection money". The difference here is that someone around the world can threaten and carry out these attacks. Cyber criminals have been known to extort companies in other industries. A type of malicious software called "ransomware" encrypts or steals documents from your hard drive and extorts you to get the data back. Hiding one's tracks is only slightly easier (you have to deliver the money somewhere), but where it's really different is that the attacker never has to set foot in the jurisdiction of the place where the action is carried out. He can be sitting in a cafe in a non extradition country.
Will we see this kind of extortion happening in the US? I doubt it. Cyber criminals need to be able to get away with the money. Disrupting the American power grid would cause too much attention to be put on them from the wrong people those who could and would spare no expense to make sure they were caught. As Hans Gruber says in the original "Die Hard" movie, "When you steal $600, you can just disappear. But when you steal $600 million, they will find you." In other words, the higher value your target, the more that will be invested to track down the attackers.
SCADA systems have traditionally been more impervious because they are arcane. But as this 2006 SANS webcast and this Information Week article indicate, in the last few years SCADA systems have been connected to the Internet and wireless networks, and have been transitioning to Windows architecture. In other words, many systems run on a platform that attackers know well and are connected to systems which allow greater external access. So the lesson is clear that anyone running SCADA systems needs to be especially diligent in protecting them.