The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to U.S. critical infrastructure owners and operators following a recent destructive cyberattack on Poland’s power grid. The alert amplifies findings from Poland’s CERT, which concluded the attack bore significant resemblances to the methods of a Russian government-linked hacking group and targeted a variety of energy facilities, including wind and solar farms.
This advisory highlights the increasing threats to operational technology (OT) and industrial control systems (ICS), which are crucial components in sectors such as energy and manufacturing. CISA’s warning emphasizes the vulnerability of these systems, particularly those accessed through internet-facing edge devices, underscoring the urgency for enhanced cybersecurity measures.
CISA Warns of Cyber Threats to Critical Infrastructure
According to CISA, the attack on Poland's grid followed a deliberate, multi-stage approach against these systems. The attackers gained initial access by exploiting vulnerable internet-facing edge devices, such as routers and firewalls, and then deployed wiper malware that damaged remote terminal units (RTUs) and human-machine interfaces (HMIs).
The incident resulted in a loss of view and control between the facilities and the distribution system operators: data on HMIs was destroyed and firmware on OT devices was corrupted. The affected renewable facilities kept generating, but the operator could no longer monitor or control them, which is the immediate operational impact of such an attack.
Implications for U.S. Critical Infrastructure
The attack on Poland’s infrastructure has drawn international attention, with the United Kingdom’s National Cyber Security Centre urging its critical national infrastructure operators to take heed. Jonathon Ellison, director for national resilience at the NCSC, emphasized the need for immediate action to strengthen cybersecurity defenses.
Cybersecurity firm Dragos, which specializes in industrial control systems, identified the attack as a significant development. It represents one of the first major cyberattacks specifically targeting distributed energy resources (DERs), such as smaller wind, solar, and combined heat and power facilities. Unlike larger, centralized generation assets, these systems are more numerous, depend on extensive remote connectivity, and often receive less cybersecurity investment, which makes them attractive targets for sophisticated adversaries.
Poland’s CERT report indicated that the infrastructure used in the attack overlapped with infrastructure previously associated with the group tracked under several aliases, including Static Tundra, Berserk Bear, Ghost Blizzard, and Dragonfly. Infrastructure overlap is an indicator rather than conclusive proof, but it points to a state-sponsored or state-linked actor behind the destructive attempt.
CISA’s advisory is part of a broader, ongoing effort to enhance the security of U.S. critical infrastructure. This includes a recent binding operational directive requiring federal agencies to remove unsupported products from their systems, further focusing on the hardening of network perimeters and the protection of interconnected devices. The agency urges all critical infrastructure entities to thoroughly review the Polish report and consult security guidance provided by various U.S. government agencies.
Looking ahead, U.S. critical infrastructure operators are advised to assess their own OT and ICS security postures, with particular attention to internet-facing edge devices. The recommended next steps are to implement the security enhancements described in the guidance and to harden defenses against similar destructive attacks. How widely U.S. infrastructure shares these weaknesses, and what the identified threat actor does next, remain open questions.
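The assessment recommended above has to start from an inventory of the edge devices that front OT networks. The script below is an added example (not CISA's, CERT Polska's, or any vendor's tooling): it reads a small, constructed CSV inventory of edge devices and ranks each device by the exposures that the Polish attack path and CISA's unsupported-products directive call out, namely internet reachability, an exposed management interface, end of vendor support, remote access without MFA, and stale firmware. The CSV columns, device names, sites, and dates are assumptions for illustration only.

```python
"""Triage an OT edge-device inventory for internet exposure and end-of-support risk.

Added example, not tooling from CISA or CERT Polska. The inventory format and
the records in SAMPLE_INVENTORY are constructed for illustration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class EdgeDevice:
    name: str
    role: str                    # firewall, router, vpn, cellular-gateway, switch ...
    site: str
    internet_facing: bool        # any interface reachable from the public internet
    mgmt_exposed: bool           # management/admin interface reachable from the internet
    end_of_support: Optional[date]
    mfa_remote_access: bool      # remote administration/VPN protected by MFA
    firmware_current: bool       # running the vendor's current supported release


@dataclass(frozen=True)
class Finding:
    device: str
    site: str
    severity: str
    reasons: Tuple[str, ...]


def _flag(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}


def load_inventory(csv_text: str) -> List[EdgeDevice]:
    """Parse the (assumed) CSV inventory format into EdgeDevice records."""
    devices = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        eos = row["end_of_support"].strip()
        devices.append(EdgeDevice(
            name=row["name"].strip(),
            role=row["role"].strip(),
            site=row["site"].strip(),
            internet_facing=_flag(row["internet_facing"]),
            mgmt_exposed=_flag(row["mgmt_exposed"]),
            end_of_support=date.fromisoformat(eos) if eos else None,
            mfa_remote_access=_flag(row["mfa_remote_access"]),
            firmware_current=_flag(row["firmware_current"]),
        ))
    return devices


def assess(device: EdgeDevice, today: date) -> Optional[Finding]:
    """Return a Finding for a device with at least one exposure, else None."""
    reasons = []
    if device.end_of_support is not None and device.end_of_support <= today:
        reasons.append("end of vendor support")
    if device.mgmt_exposed:
        reasons.append("management interface reachable from the internet")
    if device.internet_facing and not device.mfa_remote_access:
        reasons.append("remote access without MFA")
    if device.internet_facing and not device.firmware_current:
        reasons.append("firmware behind current vendor release")
    if not reasons:
        return None
    # Internet-facing plus an exposed admin plane or unsupported software is the
    # combination the Polish attack path exploited, so it ranks highest.
    if device.internet_facing and (device.mgmt_exposed or "end of vendor support" in reasons):
        severity = "critical"
    elif device.internet_facing:
        severity = "high"
    else:
        severity = "medium"
    return Finding(device.name, device.site, severity, tuple(reasons))


def triage(devices: List[EdgeDevice], today: date) -> List[Finding]:
    """Assess every device and return findings ordered by severity, site, name."""
    findings = [f for f in (assess(d, today) for d in devices) if f is not None]
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.site, f.device))
    return findings


# Constructed sample inventory (four hypothetical devices at hypothetical DER sites).
SAMPLE_INVENTORY = """name,role,site,internet_facing,mgmt_exposed,end_of_support,mfa_remote_access,firmware_current
fw-wind-01,firewall,wind-farm-north,yes,yes,2024-06-30,no,no
rtr-solar-02,router,solar-park-east,yes,no,,yes,yes
vpn-chp-01,vpn,chp-plant-west,yes,no,,no,yes
sw-solar-02,switch,solar-park-east,no,no,2023-01-15,yes,no
"""
SAMPLE_ASSESSMENT_DATE = date(2026, 1, 15)   # assumed "today" for the sample run


def triage_sample() -> List[Finding]:
    return triage(load_inventory(SAMPLE_INVENTORY), SAMPLE_ASSESSMENT_DATE)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.severity:8} {f.site}/{f.device}: {'; '.join(f.reasons)}")
```

Run against the sample, the script reports the internet-facing, end-of-support firewall with an exposed management interface as critical, the VPN concentrator without MFA as high, and the internal switch past end of support as medium; the router with a current, MFA-protected configuration produces no finding. The rules are deliberately simple so they can be mapped directly to an operator's own asset data; the point is that the ranking puts the devices matching the Polish attack's initial-access path at the top of the remediation list.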