A cyber attack in December that caused a shutdown of a portion of Ukraine’s electricity grid crossed a “Rubicon” in that it took offline critical infrastructure that civilian populations rely on, a senior Department of Homeland Security (DHS) official said on Wednesday.

The blackout that hit in western Ukraine on Dec. 23 “was the first cyber attack bringing down critical infrastructure upon which civilian populations depend,” Suzanne Spaulding, under secretary for the National Protection and Programs Directorate at DHS, said at a cyber security forum hosted by New America.

DHS Under Secretary for the National Protections and Programs Directorate Suzanne Spaulding. Photo: DHS
DHS Under Secretary for the National Protections and Programs Directorate Suzanne Spaulding. Photo: DHS

Ukraine has attributed the attack to hackers based in Russia.

Spaulding said the attack was on the industrial control systems used to run the facilities and these systems “are not just relevant for the electric sector but for every sector across our economy that depends on industrial control systems. And we have been trying to get the word out on that.”

The Ukrainian facilities were operating six hours after being shutdown through “mechanical redundancy, which they are still relying upon today,” Spaulding said.

Spaulding lauded the financial services sector and electricity subsector in the United States for taking cyber security seriously, but said others are not doing as much.

Two attacks in particular in the U.S. got the attention of CEOs here, Spaulding said. Without naming Target [TGT], Spaulding pointed to a major data breach at a retailer that “ostensibly” led to the firing of its CEO. Target disclosed the attack in the late fall of 2013.

The other attack she mentioned was the hack of Sony Corp.’s [ADR] U.S. based entertainment business, which resulted in the theft of movies, the destruction of computers, and the theft and release of email traffic. While Spaulding said that what got her attention was the destructive nature of the Sony hack, “It was really the salacious emails of particular individuals in the C-suite” that got wider notice. “And I think that really got CEO’s attention,” she said.

In February 2014 the Obama administration released a Cybersecurity Framework of best practices and standards that could be voluntarily adopted by businesses and organizations looking for ways to boost their cyber security postures. Spaulding said that adoption of the framework is getting “some traction” in the private sector.

However, Spaulding said that organization’s need to put more focus on how to do risk management around their cyber posture. She said the focus typically is on “threat and vulnerability and its so overwhelming that we don’t get to consequence.”

The potential impacts to mission effectiveness get “short shrift,” Spaulding said. “We have to start with consequences and this is the message I bring to CEOs. You have to call in not your IT folks when you want to think about what to do about cyber security, call in your program people.”

It comes down to disruptions that would seriously impact business operations and functions and then “you look at how could we mitigate that,” Spaulding said. “I often tell my folks and CEOs that the most cost effective investment to address a substantial cyber risk might be putting in a hand crank.”