In case there was any doubt left out there that attackers–whether state-sponsored or acting on their own–are aiming at high-value targets such as financial systems and large-scale control systems, a CIA analyst late last week told attendees at a conference that the agency has confirmed that a direct computer attack caused a multi-city blackout recently. The analyst, Tom Donahue, did not specify when the attack took place or which cities were affected, but did say it was outside the United States.
In a statement released through The SANS Institute, Donahue said the CIA carefully considered whether to release any information about the incident.
“We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States,” Donahue said. “In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.”
Security experts, government officials and others for years have been speculating about the potential for such an attack, and many experts have said that the computer systems that control water, electric and other utilities are vulnerable to sophisticated cyber attacks. However, there has been little in the way of concrete data or even anecdotal evidence of such attacks, until now. The question now is whether this is an isolated incident or just the first public acknowledgment of a more widespread problem that has been bubbling under the surface for some time. Based on conversations I’ve had with former government security officials and industry experts who track these things, I tend to think it’s the latter. But we’ll probably never know the full size and shape of the problem, given the need for discretion on these topics.