A recent cyberattack on Poland’s energy grid should put all critical infrastructure operators on notice about the risks of insecure edge devices, the Cybersecurity and Infrastructure Security Agency said on Tuesday.
In an alert highlighting Poland’s report on the December incident — which nearly crippled power in part of the country during a very cold period — CISA noted that the hackers initially breached the system “through vulnerable internet-facing edge devices” before deploying wiper malware that damaged operational technology.
“The malicious cyber activity highlights the need for critical infrastructure entities with vulnerable edge devices to act now to strengthen their cybersecurity posture against cyber threat activities targeting OT” and industrial control systems, said CISA, which last week ordered federal agencies to start disconnecting insecure edge devices.
The attack began in late December, when a threat actor logged into internet-exposed FortiGate security devices that lacked multifactor authentication, likely with reused passwords. From there, they accessed a range of OT control devices using accounts with default login credentials. In some cases, those accounts had permission to modify the devices’ firmware, which let the hackers corrupt the devices’ operating code. In other cases, the hackers deleted essential system files or reconfigured firewall rules to allow further sabotage.
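The intrusion chain just described (an edge device reachable from the internet and logged into without MFA, then OT controllers accessed with factory default accounts, then firmware overwritten) maps onto three detection rules that an OT security team can run over existing authentication and change logs. The following is an added example written for this article, not code from CISA, Poland's advisory or any vendor. The key=value log format, the field names (`role`, `mfa`, `default_account`, `event`), the device names and the internal address ranges are all assumptions, and the log lines are constructed.

```python
"""Detection rules for the three stages described above:
  1. login to an internet-facing edge device without MFA from an external address
  2. login to an OT controller with a factory default account
  3. a firmware-write operation on an OT controller
Log schema, field names and device names are assumptions for this example."""
import ipaddress
import re

# Constructed sample log lines in an assumed key=value syslog style (not real telemetry).
SAMPLE_LOGS = """\
ts=2024-12-29T02:14:07Z dev=edge-fw-01 role=edge event=login user=vpnadmin src=203.0.113.45 mfa=no result=success
ts=2024-12-29T02:14:52Z dev=edge-fw-01 role=edge event=login user=jkowalski src=10.20.0.7 mfa=yes result=success
ts=2024-12-29T02:31:10Z dev=rtu-wind-07 role=ot event=login user=admin default_account=yes src=10.20.5.3 result=success
ts=2024-12-29T02:33:41Z dev=rtu-wind-07 role=ot event=firmware_write user=admin src=10.20.5.3 result=success
ts=2024-12-29T02:35:02Z dev=hmi-solar-02 role=ot event=login user=operator default_account=no src=10.20.5.3 mfa=yes result=success
ts=2024-12-29T02:40:19Z dev=edge-fw-01 role=edge event=login user=vpnadmin src=203.0.113.45 mfa=no result=failure
"""

# Assumed internal ranges for the site; anything outside them is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn one 'key=value key=value' line into a dict (unparseable lines give {})."""
    return dict(KV_RE.findall(line))


def is_external(ip: str) -> bool:
    """True when the address is outside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def evaluate(logs: str) -> list:
    """Apply the three rules to successful events and return alerts in log order."""
    alerts = []
    for line in logs.splitlines():
        ev = parse_line(line)
        # Only successful actions are escalated here; failures would feed a separate
        # brute-force rule that this example does not implement.
        if not ev or ev.get("result") != "success":
            continue
        role, event = ev.get("role"), ev.get("event")
        rule = None
        if role == "edge" and event == "login" and ev.get("mfa") != "yes" and is_external(ev.get("src", "")):
            rule = "edge_login_without_mfa"
        elif role == "ot" and event == "login" and ev.get("default_account") == "yes":
            rule = "ot_default_account_login"
        elif role == "ot" and event == "firmware_write":
            # Firmware changes on controllers should be rare and change-controlled,
            # so every one is surfaced for review rather than filtered.
            rule = "ot_firmware_write"
        if rule:
            alerts.append({"rule": rule, "dev": ev["dev"], "user": ev.get("user"),
                           "src": ev.get("src"), "ts": ev.get("ts")})
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOGS):
        print(f'{a["ts"]} {a["rule"]:26} dev={a["dev"]} user={a["user"]} src={a["src"]}')
```

On the constructed input the three rules fire once each, on the same chain of events the article describes: an external no-MFA login to the edge device, then a default-account login and a firmware write on the same controller. In a real deployment the third rule is the one most worth tuning, since a firmware write outside a change window on a device whose operator did not schedule one is a strong signal on its own.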
The targeted Polish wind and solar farms used OT control devices from multiple companies, including Hitachi, Mikronika and Moxa, but all of the devices used default passwords.
The resulting sabotage “caused loss of view and control between facilities and distribution system operators, destroyed data on human machine interfaces (HMIs), and corrupted system firmware on OT devices,” CISA said. “While the affected renewable energy systems continued production, the system operator could not control or monitor them by their intended design.”
Poland attributed the attack to the Russian government hacker team Berserk Bear, which is housed within Moscow’s Federal Security Service (FSB), while ESET blamed Sandworm, a unit of Russia’s GRU military intelligence agency.
Takeaways for OT asset operators
CISA’s advisory listed several lessons from the incident, including the continuing vulnerability of edge devices, the danger of default passwords and the need to enable firmware verification on OT devices.
“Operators should immediately change default passwords and establish requirements for integrators or OT suppliers to enforce password changes in the future,” the agency warned.
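The advisory's point about enabling firmware verification on OT devices comes down to one check: before an image is trusted (at boot, or when an operator audits a fleet), its digest must match an approved value that itself cannot have been altered by whoever wrote the image. The following is an added example illustrating that check, not code from CISA or from any of the vendors named in the article. It assumes an approved-firmware manifest keyed by device model and version, authenticated with an HMAC-SHA256 key that stands in for a vendor signature, and it uses constructed firmware images and a constructed key.

```python
"""Offline firmware integrity check: authenticate the approved-firmware manifest,
then compare the image digest against it in constant time.
Manifest layout, HMAC-as-signature stand-in, images and key are assumptions."""
import hashlib
import hmac
import json

MANIFEST_KEY = b"example-manifest-authentication-key"  # constructed; a real deployment uses a vendor signature


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(manifest: dict) -> bytes:
    """Deterministic serialisation so the MAC covers exactly one byte string."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = MANIFEST_KEY) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_firmware(image: bytes, model: str, version: str,
                    manifest: dict, manifest_mac: str, key: bytes = MANIFEST_KEY) -> str:
    """Return 'ok', 'image_corrupted', 'unapproved_version' or 'manifest_tampered'."""
    # 1. The manifest is authenticated first: a digest list that an intruder with
    #    firmware-write rights could also edit would verify their own image.
    if not hmac.compare_digest(sign_manifest(manifest, key), manifest_mac):
        return "manifest_tampered"
    # 2. Only versions explicitly approved for this model are acceptable.
    expected = manifest.get(model, {}).get(version)
    if expected is None:
        return "unapproved_version"
    # 3. Constant-time comparison of the image digest.
    if hmac.compare_digest(sha256_hex(image), expected):
        return "ok"
    return "image_corrupted"


def audit_fleet(devices: list, manifest: dict, manifest_mac: str) -> dict:
    """devices: list of (name, model, version, image_bytes); returns name -> status."""
    return {name: verify_firmware(image, model, version, manifest, manifest_mac)
            for name, model, version, image in devices}


# Constructed images: the 'corrupted' one differs from the approved image in its last byte.
GOOD_IMAGE = b"RTU-7 firmware v2.4.1 " + bytes(range(256))
CORRUPT_IMAGE = GOOD_IMAGE[:-1] + b"\x00"

MANIFEST = {"rtu-7": {"2.4.1": sha256_hex(GOOD_IMAGE)}}
MANIFEST_MAC = sign_manifest(MANIFEST)

if __name__ == "__main__":
    fleet = [("rtu-wind-07", "rtu-7", "2.4.1", CORRUPT_IMAGE),
             ("rtu-wind-08", "rtu-7", "2.4.1", GOOD_IMAGE),
             ("rtu-wind-09", "rtu-7", "9.9.9", GOOD_IMAGE)]
    for name, status in audit_fleet(fleet, MANIFEST, MANIFEST_MAC).items():
        print(f"{name}: {status}")
```

The ordering of the three checks is the design point. Verifying the manifest before using it means that an attacker who can overwrite firmware, as in the Polish incident, cannot simply add their own image's digest to the approved list; and treating an unlisted version as a failure rather than a pass keeps a downgrade to an older, unapproved build from being accepted.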
CISA, along with the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), urged critical infrastructure operators to review Poland’s advisory, a recent U.S. fact sheet on OT security and the Energy Department’s own cyber threat advisories.
The British government also used the incident to put the critical infrastructure community on notice.
“Incidents like this speak to the severity of the cyber threat and highlight the necessity of strong cyber defences and resilience,” Jonathon Ellison, a senior official at the U.K.’s National Cyber Security Centre, wrote on LinkedIn on Monday. “Operators of UK critical national infrastructure (CNI) must not only take note but, as we have said before, act now.”