A few days after it was revealed that blackouts in Brazil in 2005 and 2007 may have been caused by cyber attacks, Brazil experienced the worst power outage in over a decade, leaving more than half of the country in the dark. In a scene that appeared to be out of a science-fiction film, subway trains came to a halt, elevators stopped, traffic lights went out, and the Itaipu dam, the world’s second-largest hydroelectric power producer, was completely shut down. The Brazilian government was quick to deny that the blackouts were caused by cyber attacks, blaming the outages on the weather. However, Brazil’s National Space Research Institute quickly refuted this claim with evidence that suggested the weather during the outage was “not capable of producing” this kind of disruption. Regardless of the cause, the economic damage and security risk of future blackouts raise doubts about the security of Brazil’s critical energy infrastructure as the country is preparing to host the 2014 World Cup and the 2016 Olympic Games.

The blackouts, which affected over 60 million people, came just two days after CBS, a popular American news channel, reported that cyber attacks caused blackouts in Espirito Santo State in 2007 and Rio de Janeiro in January 2005. The program “60 Minutes” mentioned that “Several prominent intelligence sources confirmed the cyber attacks [were] in Brazil,” but did not mention “who did it or what the motive was.” The first public mention of these cyber attacks appears to be by Tom Donahue, a top CIA official, at a SANS security conference in 2007. He revealed that hackers “Caused a power outage affecting multiple cities,” without naming Brazil. President Obama echoed this warning with similar elusiveness in a recent address on cyber security, saying “In other countries cyber attacks have plunged entire cities into darkness.”

The first public mention that Brazil’s electrical grid was targeted by hackers was made by John Grines, U.S. Assistant Secretary of Defense, at a conference in Paris in June 2007: “Not long ago, there was an attack to the power system in Brazil [to their] SCADA network, which caused major disruptions.” It was mentioned again, a few days before the recent blackouts, by Richard Clarke, former special adviser to President George W. Bush on cybersecurity and chairman of the Good Harbor security consulting firm. “Given the degree of seriousness that the Obama administration is applying to cybersecurity and the smart grid, we can look forward to the kind of things happening here that happened to Brazil, where hackers successfully brought down the power,” Clarke said in an interview with Wired magazine.

“The government might have denied that these blackouts were attributed to a cyber attack because they didn’t know or didn’t want others to know that their electric grid was vulnerable to such attacks,” explained John Bumgarner, Research Director for Security Technology for the U.S. Cyber Consequences Unit (US-CCU). “Most electric grids are so interconnected to the internet that an attacker with the right expertise can easily penetrate these networks from anywhere. Once an attacker has breached the simplistic security measures that commonly protect these critical networks they can then enter a few simple commands, which could physically destroy a multi-million-dollar component (e.g. generator), thus plunging cities into darkness and chaos for weeks or even months. Many of these critical components are produced using just-in-time manufacturing processes, which means an order submitted today will be delivered in approximately 18 months or longer.”

Unlike a physical crime, it’s very hard to find a smoking gun in a cyber crime. For that reason it’s very plausible that government regulators were not trying to cover up that the blackouts in Brazil were caused by cyber attacks. Maybe they didn’t know. Amid contradictory government reports, Brazilian President Lula demanded an internal investigation. Regardless of what they find, cyber crime presents a major threat to Brazil and other countries where critical infrastructures (health system, defense, emergency response, banking, telecom, etc.) rely on the grid to power their operations and control systems, which are increasingly connected to the internet and therefore vulnerable to a cyber attack.

Brazil is home to more cyber-criminals than any other nation and Portuguese is becoming increasingly popular in the hacker underworld. In fact, of the top 50 website defacement groups about 30% are Brazilian, according to a report released by Safemode.org. The world financial crisis has exacerbated this problem and there is a risk that layoffs among Brazil’s large, highly skilled IT workforce will make things worse. Certainly, the large divide between socioeconomic classes in Brazil has contributed to its large network of organized crime syndicates.

Cyberspace has evolved into an ungoverned territory that is marked by anonymity and the ease of carrying out lucrative cyber crimes. This has attracted a diverse group of malicious characters, from spies to extremist groups. Brazil’s high rate of internet connectivity and lack of investment in securing and maintaining its critical infrastructure make it a prime target for malicious attacks in cyberspace. Despite this threat, there are very few laws against hacking in Brazil. This puts the burden of proof on prosecutors to prove there was fraud involved, which is a crime in Brazil. There are very few incidents of hackers being caught and prosecuted in Brazil.

In June 2008, hackers broke into a government Web site in Brazil. Over 3,000 employees lost access to the system for over 24 hours, valuable data was compromised and the hacker demanded a ransom of $350 million. The money was not paid and there was a backup of the information, but it took over a week to crack the code and regain control from the hacker. In recent years, U.S. software company Microsoft and military computers have also been targets of high-profile Brazilian hacking groups, such as Prime Suspectz and BHS.

To prevent future threats targeting its critical infrastructure, especially its electrical grid, Brazil must quickly adapt its defenses to cyberspace and pass legislation to go after hackers. Security must be part of the design and operational criteria of its critical infrastructure, especially the electrical grid. These assets must be continually monitored and tested for cyber and physical threats. In addition, significant investment needs to be made towards transmission upgrades and load management of its grid. Until these improvements are made, Brazil’s electrical grid will continue to operate in an abysmal state of disrepair, fraught with operational inefficiencies and with physical and cyber vulnerabilities that could potentially cripple Brazil’s grid and its economy along with it.