
A recent destructive cyberattack targeting Poland’s power grid has led the Cybersecurity and Infrastructure Security Agency (CISA) to issue a warning for critical infrastructure owners and operators in the U.S.
The alert follows a January 30 report by Poland’s Computer Emergency Response Team, which found that the December attack, aimed at 30 wind and photovoltaic farms among other facilities, overlapped significantly with infrastructure used by a Russian government-linked hacking group.
CISA stated its warning aimed to “amplify” the findings of the Polish report. Specifically, the agency highlighted the threats posed to operational technology (OT) and industrial control systems (ICS), which are prevalent in the energy and manufacturing sectors.
This CISA alert aligns with the agency’s ongoing emphasis on securing edge devices, such as routers and firewalls. This focus was reinforced by a binding operational directive issued last week, instructing federal agencies to remove unsupported products from their systems.
The CISA alert emphasizes that “The malicious cyber activity highlights the need for critical infrastructure entities with vulnerable edge devices to act now to strengthen their cybersecurity posture against cyber threat activities targeting OT and ICS.”
The alert further detailed that “A malicious cyber actor(s) gained initial access in this incident through vulnerable internet-facing edge devices, subsequently deploying wiper malware and causing damage to remote terminal units (RTUs).” It also noted that “The malicious cyber activity caused loss of view and control between facilities and distribution system operators, destroyed data on human machine interfaces (HMIs), and corrupted system firmware on OT devices. While the affected renewable energy systems continued production, the system operator could not control or monitor them by their intended design.”
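The symptom the alert describes is worth being able to detect: sites keep generating, but the distribution system operator loses telemetry and control acknowledgements for many of them at once. The watchdog below is an added example written for this page, not code from CISA, CERT Polska or Dragos. The log format, event names (`telemetry`, `ctrl_cmd`, `ctrl_ack`, `meter`), site names, timestamps and thresholds are all constructed assumptions; the point is the logic, which separates per-site loss of view from loss of control, uses an out-of-band meter reading to tell "still producing but unmonitored" from "offline", and raises a fleet-level alarm when several sites go dark inside the same short window, which a single comms fault rarely produces.

```python
import re
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions for this example, not values from the alert or the report.
TELEMETRY_PERIOD = timedelta(minutes=5)   # expected RTU reporting interval
VIEW_TIMEOUT = 2 * TELEMETRY_PERIOD       # two missed reports => loss of view
ACK_TIMEOUT = timedelta(seconds=60)       # a set-point must be acknowledged within this
FLEET_WINDOW = timedelta(minutes=5)       # sites going dark this close together are suspicious
FLEET_MIN_SITES = 3                       # ...if at least this many do so

# Constructed sample log (hypothetical format: "<ISO-8601 UTC> <site> <event> [k=v ...]").
# telemetry = periodic RTU report over the SCADA link; ctrl_cmd / ctrl_ack = a set-point
# and the RTU's acknowledgement; meter = revenue-meter reading arriving over a separate path.
SAMPLE_LOG = """\
2025-12-29T02:55:00Z wind-01 telemetry power_kw=1800
2025-12-29T02:55:00Z wind-02 telemetry power_kw=1750
2025-12-29T02:55:00Z wind-03 telemetry power_kw=1600
2025-12-29T02:55:00Z wind-04 telemetry power_kw=1700
2025-12-29T02:55:00Z pv-01 telemetry power_kw=0
2025-12-29T02:55:00Z chp-01 telemetry power_kw=900
2025-12-29T03:00:00Z wind-01 telemetry power_kw=1810
2025-12-29T03:00:00Z wind-02 telemetry power_kw=1760
2025-12-29T03:00:00Z wind-03 telemetry power_kw=1590
2025-12-29T03:00:00Z wind-04 telemetry power_kw=1690
2025-12-29T03:00:00Z pv-01 telemetry power_kw=0
2025-12-29T03:00:00Z chp-01 telemetry power_kw=905
2025-12-29T03:05:00Z wind-04 telemetry power_kw=1700
2025-12-29T03:05:00Z chp-01 telemetry power_kw=900
2025-12-29T03:06:00Z wind-01 ctrl_cmd setpoint_kw=1500
2025-12-29T03:06:00Z wind-04 ctrl_cmd setpoint_kw=1500
2025-12-29T03:06:20Z wind-04 ctrl_ack setpoint_kw=1500
2025-12-29T03:10:00Z wind-04 telemetry power_kw=1510
2025-12-29T03:10:00Z chp-01 telemetry power_kw=910
2025-12-29T03:10:00Z wind-01 meter power_kw=1790
2025-12-29T03:10:00Z pv-01 meter power_kw=0
"""
NOW = datetime(2025, 12, 29, 3, 15, tzinfo=timezone.utc)  # evaluation time (constructed)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")

def parse_log(text):
    """Parse the constructed log format into (ts, site, event, fields) tuples, time-ordered."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable record: {line!r}")
        ts_s, site, event, kv = m.groups()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(p.split("=", 1) for p in kv.split()) if kv else {}
        records.append((ts, site, event, fields))
    return sorted(records, key=lambda r: r[0])

def site_status(records, now):
    """Per-site view/control/production state as seen by the operator at time `now`."""
    last_tel, pending_cmd, commanded, last_meter, sites = {}, {}, set(), {}, set()
    for ts, site, event, f in records:
        if ts > now:                      # only what the operator could know at `now`
            continue
        sites.add(site)
        if event == "telemetry":
            last_tel[site] = ts
        elif event == "ctrl_cmd":
            pending_cmd[site] = ts
            commanded.add(site)
        elif event == "ctrl_ack":
            pending_cmd.pop(site, None)
        elif event == "meter":
            last_meter[site] = float(f.get("power_kw", "nan"))
    status = {}
    for s in sorted(sites):
        lt = last_tel.get(s)
        view = "ok" if lt is not None and now - lt <= VIEW_TIMEOUT else "lost"
        if s in pending_cmd:
            control = "lost" if now - pending_cmd[s] > ACK_TIMEOUT else "pending"
        else:
            control = "ok" if s in commanded else "untested"
        meter = last_meter.get(s)
        status[s] = {"view": view, "control": control, "last_telemetry": lt,
                     "producing": (meter > 0) if meter is not None else None}
    return status

def unmonitored_but_producing(status):
    """Sites the operator cannot see that the out-of-band meter says are still generating."""
    return [s for s, st in sorted(status.items()) if st["view"] == "lost" and st["producing"]]

def fleet_alarm(status):
    """True when >= FLEET_MIN_SITES lost view with last reports inside one FLEET_WINDOW."""
    dark = sorted(st["last_telemetry"] for st in status.values()
                  if st["view"] == "lost" and st["last_telemetry"] is not None)
    best = 0
    for i, t0 in enumerate(dark):                      # sliding window over dark-since times
        best = max(best, sum(1 for t in dark[i:] if t - t0 <= FLEET_WINDOW))
    return best >= FLEET_MIN_SITES

if __name__ == "__main__":
    st = site_status(parse_log(SAMPLE_LOG), NOW)
    for s, v in st.items():
        print(f"{s:8} view={v['view']:5} control={v['control']:8} producing={v['producing']}")
    print("unmonitored but producing:", unmonitored_but_producing(st))
    print("coordinated loss-of-view alarm:", fleet_alarm(st))
```

The fleet alarm is the part worth keeping: a single site dropping off is a daily event at a DSO, whereas four sites whose last report is the same five-minute poll is the shape of what the alert describes. In practice the meter path only helps if it really is independent of the compromised edge device, which is a design question to check before relying on it.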
CISA advised owners and operators to examine the Polish report and relevant security guidance from other U.S. agencies.
The attack on Poland, which the Polish CERT described as “deliberate arson” with a “purely destructive objective” during a period of cold temperatures and snowstorms, has drawn attention globally.
Jonathon Ellison, director for national resilience at the United Kingdom’s National Cyber Security Centre, stated in a LinkedIn post that “Operators of UK critical national infrastructure (CNI) must not only take note but, as we have said before, act now.”
Dragos, a cybersecurity firm specializing in industrial control systems, characterized the attack as a new frontier in cyber threats.
In a recent report, Dragos noted, “This is the first major cyber attack targeting distributed energy resources (DERs), the smaller wind, solar, and CHP [combined heat and power] facilities being added to grids worldwide.” The report added, “Unlike the centralized systems impacted in electric grid attacks in 2015 and 2016 in Ukraine, these distributed systems are more numerous, require extensive remote connectivity, and often receive less cybersecurity investment. This attack demonstrates they are now a valid target for sophisticated adversaries.”
Poland’s analysis determined that the infrastructure involved in the attack shared characteristics with that used by a hacking group known by various names, including Static Tundra, Berserk Bear, Ghost Blizzard, and Dragonfly.

