Alan Paller of SANS has been talking about cyber extortion attempts against utility companies for over a year now, and we now have Tom Donahue, a CIA representative, on the record.

“We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.”

The problem is that there is so little information, and so much ambiguity, that it is impossible to draw conclusions. It’s even harder when you reread the CIA quote closely and realize what was not said.

  • The first two sentences of the quote deal with extortion attempts on US utilities. There is no information on whether this extortion had anything to do with their control systems. A more typical case would be an attacker gaining access to their customer records or business systems. Personal customer data, used for identity theft and other fraud, is a lucrative target for criminals, as multiple news stories with detailed, documented examples show. I always worry when an important, clarifying fact, such as whether this extortion was related to power production, transmission or distribution, is missing from a story. We may simply be getting detail on another large company being attacked rather than anything related to the power systems.
  • The second two sentences deal with a successful attack causing a power outage outside of the US. Was there any evidence that this was the goal, or that there was some control-system-specific aspect to the attack? Was it a worm that got into the control system network from the enterprise? Was it part of a widespread attack targeting large IP address ranges that happened to reach and knock down an insecure power-related control system? Simply put, was it an attack on a power SCADA or DCS, or was it a general attack that happened to take out the control system?

We were not at the SANS event last week and perhaps there was additional information that clarifies this foggy picture. If so, please add your comment.