Tag: Static Tundra

  • Cyberattack on Poland’s Wind and Solar Farms Sparks Global Alarm


    Key Takeaways

    1. CISA issued a security alert following a cyberattack on Poland’s renewable energy systems, emphasizing risks from weak internet-connected devices in operational technology (OT).
    2. The attack affected around 30 wind and solar power sites, with tools linked to a Russian-associated threat group.
    3. Attackers accessed systems through unpatched edge devices and used wiper malware to damage critical operational technology components.
    4. CISA is urging U.S. federal agencies to eliminate unsupported edge devices and strengthen cybersecurity measures in industrial control systems (ICS).
    5. Security experts highlight this attack as a significant escalation, specifically targeting distributed energy resources that often have weaker cybersecurity.


    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a security alert after a major cyberattack on Poland’s renewable energy systems. This incident highlights the dangers of weak internet-connected edge devices in operational technology settings.

    Details of the Attack

    This warning comes after a report from Poland’s Computer Emergency Response Team (CERT-Polska) on January 30, which revealed that a cyber incident in December affected around 30 wind and solar power sites. The Polish agency indicated that the tools used in the attack were linked to a Russian-associated threat group known by various names, including Static Tundra, Berserk Bear, Ghost Blizzard, and Dragonfly.

    Implications for Industrial Systems

    CISA pointed out that this incident illustrates the increasing dangers to industrial control systems (ICS) and operational technology (OT), which are commonly used in energy production, utilities, and manufacturing industries. The agency explained that the attackers first accessed the systems through unpatched or outdated internet-facing edge devices like routers and firewalls.

    According to CISA, the attackers used wiper malware that harmed remote terminal units (RTUs), wiped data from human-machine interfaces (HMIs), and compromised the firmware of operational technology devices. While the generation of energy continued, operators temporarily lost the ability to monitor and control the affected installations.

    Steps to Mitigate Risks

    Recently, CISA has heightened its efforts to mitigate risks related to vulnerable networking devices. Just last week, the agency issued a binding directive mandating U.S. federal agencies to eliminate unsupported edge devices from their networks.

    Security experts at Dragos described the attack as a major escalation, noting that it is one of the first known cyber operations that specifically targeted distributed energy resources, including smaller wind, solar, and combined heat-and-power setups. Unlike traditional power plants, these distributed systems depend heavily on remote connections and typically receive less funding for cybersecurity.

    Officials from the United Kingdom’s National Cyber Security Centre have also called on operators of critical infrastructure to enhance their protective measures in response to the incident.

    CISA recommends that infrastructure operators examine CERT-Polska’s technical findings and adhere to federal advice aimed at reducing vulnerabilities in OT and ICS environments.