TL;DR
Malicious actors targeted operational technology (OT) and industrial control systems (ICS) in Poland’s energy sector, damaging remote terminal units (RTUs) and human-machine interfaces (HMIs). The incident underscores the need for stronger cybersecurity measures against similar threats targeting vulnerable edge devices.
What happened
- Cyber attack on renewable energy plants, a combined heat and power plant, and a manufacturing sector company
- Malicious actors gained access through internet-facing edge devices
- Wiper malware deployed; RTUs damaged
Why it matters for ops
- Vulnerable edge devices remain primary targets for threat actors
- Default credentials were exploited to pivot onto HMIs and RTUs
- Critical infrastructure entities running unsupported devices face significant risk
Mitigation
- Update firmware so that its integrity can be verified
- Change default passwords immediately
- Enhance incident response plans for potential outages
Action items
- Review CISA's Binding Operational Directive BOD 26-02
- Implement primary mitigations against cyber threats to OT
- Consult CERT Polska’s Energy Sector Incident Report for detailed guidance
Detection IOCs
- Wiper malware deployment
- Loss of view/control between facilities and distribution system operators
- Data destruction on HMIs
- Corruption of OT device firmware