
CISA shares lessons learned from Polish power grid hack – and how to prevent disaster striking again
itpro.com • Thursday, February 12, 2026 • Warsaw, Poland

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued new guidance for critical infrastructure operators following attacks on the Polish energy grid.

Last month, Poland’s Computer Emergency Response Team (CERT) revealed that it experienced an incident at the end of last year targeting a number of wind and solar farms, a manufacturing firm, and a combined heat and power (CHP) plant supplying heat to nearly half a million customers.

The systems targeted were all using default usernames and passwords, and didn't have multi-factor authentication (MFA) enabled. The attackers, believed to be Russian government-backed, were able to exploit this to take over a range of operational technology (OT) control devices, possibly with the intention of shutting systems down.

CISA has urged OT owners and operators to take heed in the wake of the incident, warning that many are still using insecure legacy industrial protocols that lack basic authentication and integrity checks. The security agency warned this confluence of issues could enable threat actors to impersonate a device or modify a message in transit to an OT device.

While secure versions of industrial protocols have been available for more than twenty years, a variety of barriers have prevented the control systems community from widely adopting these protocols.