CISA shares lessons learned from Polish power grid hack – and how to prevent disaster striking again

New CISA guidance aims to help CNI operators implement secure communications


The US Cybersecurity and Infrastructure Security Agency (CISA) has issued new guidance for critical infrastructure operators following attacks on the Polish energy grid.

Last month, Poland's Computer Emergency Response Team (CERT) disclosed an incident at the end of last year that targeted a number of wind and solar farms, a manufacturing firm, and a combined heat and power (CHP) plant supplying heat to nearly half a million customers.

The targeted systems were all still using default usernames and passwords, and none had multi-factor authentication (MFA) enabled. The attackers, believed to be Russian government-backed, exploited this to take control of a range of operational technology (OT) devices, possibly with the intention of shutting systems down.

CISA has urged OT owners and operators to take heed in the wake of the incident, warning that many are still using insecure legacy industrial protocols that lack basic authentication and integrity checks.

The agency warned that this combination of weaknesses lets a threat actor impersonate a device or modify a message in transit to an OT device: without authentication, a controller cannot tell a legitimate peer from an attacker who can reach the network, and without integrity protection it cannot detect that a command was altered on the way.

While secure versions of industrial protocols have been available for more than twenty years, a variety of barriers have prevented the control systems community from widely adopting these protocols.
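To make the impersonation and in-transit modification risk concrete, here is an added example (not from CISA's guide or the article) that builds a Modbus/TCP-style "Write Single Register" request, shows that a legacy receiver accepts a value rewritten on the wire, and then wraps the same frame in a simplified integrity layer (a sequence counter plus an HMAC-SHA256 tag under a pre-shared key) that rejects modification, forgery without the key, and replay. The Modbus/TCP framing is real; the authenticated wrapper, key, register address and values are constructed for illustration and are not a standard secure protocol.

```python
"""
Legacy (unauthenticated) vs. integrity-protected OT command frames.

Constructed example: a Modbus/TCP-style "Write Single Register" request
(function code 0x06). The MBAP/PDU layout matches Modbus/TCP; the
sequence-counter + HMAC-SHA256 wrapper is a simplified illustration of
what a secure protocol variant adds, not a real standard.
"""
import hashlib
import hmac
import struct

MBAP = struct.Struct(">HHHB")   # transaction id, protocol id, length, unit id
PDU = struct.Struct(">BHH")     # function code, register address, value
WRITE_SINGLE_REGISTER = 0x06
SEQ = struct.Struct(">Q")       # 64-bit sequence counter (constructed wrapper)
TAG_LEN = 32                    # HMAC-SHA256 digest length


def build_write_register(transaction_id, unit_id, address, value):
    """Build a plain Modbus/TCP Write Single Register request: no auth, no integrity."""
    pdu = PDU.pack(WRITE_SINGLE_REGISTER, address, value)
    # MBAP length counts the unit-id byte plus the PDU
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_legacy(frame):
    """Parse as a legacy device would: any well-formed frame is acted on."""
    transaction_id, protocol_id, length, unit_id = MBAP.unpack_from(frame, 0)
    if protocol_id != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    function, address, value = PDU.unpack_from(frame, MBAP.size)
    return {"unit": unit_id, "function": function, "address": address, "value": value}


def tamper_in_transit(frame, new_value):
    """An attacker on the path rewrites the register value; nothing in the frame detects it."""
    head = frame[: MBAP.size + 3]   # header + function code + register address
    return head + struct.pack(">H", new_value)


def wrap_authenticated(frame, key, seq):
    """Prepend a sequence counter and append an HMAC tag over counter + frame."""
    body = SEQ.pack(seq) + frame
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AuthenticatedReceiver:
    """Receiver that checks origin, integrity and freshness before acting."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1   # highest sequence number accepted so far

    def receive(self, message):
        if len(message) < SEQ.size + TAG_LEN:
            raise ValueError("truncated message")
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed: modified or not from a key holder")
        (seq,) = SEQ.unpack_from(body, 0)
        if seq <= self.last_seq:
            raise ValueError("replayed or out-of-order message")
        self.last_seq = seq
        return parse_legacy(body[SEQ.size:])


def demo():
    """Run the four scenarios and report which ones each receiver accepts."""
    key = b"constructed-demo-key"   # shared secret; provisioned per device in practice
    frame = build_write_register(transaction_id=1, unit_id=1, address=0x0010, value=1500)
    forged = tamper_in_transit(frame, 0)   # attacker forces the setpoint to 0
    results = {}

    # Legacy receiver: the modified command is indistinguishable from a real one
    results["legacy_accepts_forged"] = parse_legacy(forged)["value"] == 0

    rx = AuthenticatedReceiver(key)
    msg = wrap_authenticated(frame, key, seq=1)
    results["auth_accepts_genuine"] = rx.receive(msg)["value"] == 1500

    # Same in-transit edit applied inside the protected message
    offset = SEQ.size + MBAP.size + 3
    modified = msg[:offset] + struct.pack(">H", 0) + msg[offset + 2:]
    results["auth_rejects_modified"] = _rejects(rx, modified)

    # Impersonation: attacker without the key signs its own frame
    results["auth_rejects_impersonation"] = _rejects(
        rx, wrap_authenticated(forged, b"wrong-key", seq=2))

    # Replay of the earlier genuine message
    results["auth_rejects_replay"] = _rejects(rx, msg)
    return results


def _rejects(receiver, message):
    try:
        receiver.receive(message)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The legacy parser is the behaviour the guidance describes: it has no way to ask "who sent this?" or "was it changed?", so an attacker with network reach and a default password is as authoritative as the real controller. The wrapper shows the minimum a secure protocol variant has to add (origin, integrity, freshness), and also why it is not free: extra bytes per message and a key that must be provisioned and protected on every device, which is part of the cost and complexity CISA's guide addresses.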

“Adopting secure communications in OT environments is a long-term effort with complexities, costs and risks. Over the past year, CISA conducted customer-led research to create this secure communication guide,” said CISA acting director Madhu Gottumukkala.

“CISA encourages asset owners and operators, system integrators, service providers, and OT manufacturers to review this guide and collaborate together to implement secure communication.”

What the CISA guidance covers

The guide points out the continuing vulnerability of edge devices, warning organizations to change default passwords and establish requirements for integrators or OT suppliers to enforce password changes in the future.

It also works through the barriers that have kept operators on legacy protocols: cost and complexity across procurement, deployment, and maintenance; latency and bandwidth constraints; the loss of traffic inspection once communications are encrypted; and interoperability with legacy products.

"The case illustrates how attackers are capable of chaining initial access through poorly hardened perimeter devices into deep lateral movement across ICS/OT networks, ultimately achieving physical equipment damage and significant data loss," said Steve Povolny, vice president of AI strategy and security research at Exabeam.

"The advisory is a call to action to prioritize edge security, rigorous network segmentation, strong identity practices, and real-time anomaly detection in OT environments, because the next compromise may not be as survivable as this one proved to be."

The guide follows a similar warning from the UK's National Cyber Security Centre (NCSC), which has also produced guidance for critical infrastructure organizations amid rising threats.

"Risk management, identity and access controls, and threat hunting are all key components of meeting the objectives of the latest iteration," said Jonathan Ellison, director for National Resilience at the NCSC.

"The Cyber Security and Resilience Bill, currently in Parliament, will also strengthen the regulatory framework for key sectors, including the energy sector."


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.