SANS: Israel CNI Attack Didn’t Take Out Power Grid

The SANS Institute has tried to dampen press speculation that a major cyber-attack disrupted Israel’s power grid this week, claiming it was actually just ransomware targeting the PCs of a regulator.

The misunderstanding came from comments made by Israel's Minister of Infrastructure, Energy and Water, Yuval Steinitz, who told CyberTech 2016 attendees on Tuesday that a "severe cyber-attack" was ongoing on the Israel National Electric Authority.

Several machines had to be taken offline as a result, he claimed.

However, some reporters assumed that meant the electric grid had been disrupted, a claim countered by Dragos Security founder Robert Lee in an update to his SANS post.

“A cyber analyst in Israel (Eyal Sela) messaged me to add that the media reporting so far is misleading with regards to the context around the incident,” he explained.

“The ‘Israel Electric Authority’ the minister mentioned is in no way related to the networks of the Israeli electric companies, transmission, or distribution sites. The Israeli Electric Authority is a regulatory body of roughly 30 individuals and this ‘cyber-attack’ is only referencing their networks.”

In fact, as some reports from Israel have revealed, the attack was actually a ransomware blitz delivered via email to the regulator’s offices.

“This once again stresses the importance around individuals and media carefully evaluating statements regarding cyber-attacks and infrastructure as they can carry significant weight,” wrote Lee.

To be fair to the original reports, Steinitz described the “virus” attack on the electric authority’s systems as “one of the largest cyber-attacks that we have experienced,” before conflating that with a discussion about the need to prevent attacks on infrastructure which can “paralyze power stations and the whole energy supply chain.”

Critical infrastructure attacks which physically affect the operations of power stations and the like are extremely rare.

Aside from Stuxnet, and the case of a German steelworks facility which was affected in 2014, the only other major example of such an attack has been the recent BlackEnergy campaign which hit Ukrainian power stations.

What’s Hot on Infosecurity Magazine?