Brazil’s Critical Infrastructure Faces a Growing Risk of Cyberattacks



by Robert Muggah & Nathan Thompson

Council on Foreign Relations
April 10, 2018

For almost twenty-four hours, nearly a quarter-million people had no access to power. The sounds of wailing sirens reverberated across the blacked-out city. Investigators discovered that thirty electrical substations were disabled. Engineers sent to fix them found that the power outage had erased critical computer files. Days later, digital forensics specialists traced the blackout to a malware called Killdisk, which had infected unprotected supervisory control and data acquisition (SCADA) devices. The location for this attack was Kiev, but it could just as easily have been New York, Tokyo, or Sao Paulo.  

Most of the world's critical infrastructure—nuclear plants, electrical transmission systems, water treatment plants, etc.—is managed by SCADA systems. SCADA platforms may keep operations running, but the software and hardware that makes them up are also vulnerable to malicious cyber activity. For years, security experts have called for better protections. Some government agencies wisely took note and designed standards and guidelines for industrial control systems to prevent SCADA systems from being compromised. But many industry representatives are in denial about just how vulnerable their networks and systems are. Their negligence is dangerous.

Attacks on SCADA systems are growing more common. Dell detected over 160,000 attacks globally in 2014, double the number from the previous year. In another study by the SANS Institute, 20 percent of SCADA system administrators surveyed reported that their networks had at some stage been infected or infiltrated. Many others simply weren't sure. 

Countries often have hundreds—if not thousands—of industrial control system components available and visible on the internet. Governments and businesses that do not protect their SCADA systems face catastrophic risks. In 2009, malware purportedly developed by the United States and Israel called Stuxnet targeted the SCADA systems of an Iranian uranium enrichment facility, disabling centrifuges. In 2003, the Blaster virus likely played a role in a massive blackout that affected the United States, which cost its economy between $7 and 10 billion.  

Hackers, such as Gheorge Razvan Eugen (aka GhostShell), believe that it is not too difficult to cause enormous disruption. This is because the internet protocol (IP) addresses for many SCADA devices are easily found online. Although some devices are password protected, others are not. At least 250 Brazilian devices across multiple critical sectors were visible within seconds by using a publicly available search engine called Shodan.

According to Razvan, the threats are real: "Like the internet, SCADA was never created with security in mind," he said. "SCADA servers in Brazil and just about everywhere else are exposed to the most basic attacks. Connecting to a programmable logic controller takes one simple step: use the client interface to breach the targeted protocol.”

The Brazilian government has taken some tentative steps to minimize the risk to the country's SCADA system. In 20082009 and 2014, the government set-up a series of critical infrastructure technical groups to review the issue, involving Petrobras, the central bank, and the ministries of defense, external affairs, health, science and technology, and the federal government's IT department, among others. The Department of Information and Communications Security has also worked to educate public and private sector partners. 

Brazil needs to step-up its efforts. In 2015, Brazil’s National Telecommunications Agency (Anatel) released official guidelines for the inspection of critical infrastructure, and the agency is now reviewing cyber regulations for the telecom sector. While a move in the right direction, Anatel has limited resources and capacity and was rebuked by Brazil’s Federal Accountability Office for not adequately carrying out its oversight duties. Likewise, the country’s national electricity agency (Aneel) also held consultations on cybersecurity in 2016 to set out best practices.

Brazil needs more than guidelines or best practices. It needs action. Like many countries, Brazil has a national Computer Emergency Response Team ( made up of specialists who are responsible for registering and responding to digital threats. We recently notified of the exposed SCADA IPs in Brazil and provided evidence of a wide range of vulnerabilities. is also part of Brazil’s Internet Steering Committee (, a governing body that promulgates rules for the management of Brazil’s internet backbone. At a minimum, both and can play a pivotal role in developing standards and monitoring their implementation to better protect Brazil’s SCADA systems.

The only way Brazil and other countries can confidently protect their critical infrastructure is if the main players start working together. No one regulator or response team can protect SCADA systems on their own. Multistakeholder governance models are required, involving federal authorities, public utilities, private companies and the telecom providers deploying SCADA devices. This collaboration is critical to improving incident reporting and patching security holes. Fortunately, several private companies in Brazil have established Computer Security Incident Response Teams (CSIRTs), and incentives and support are required to expand these measures. At the very least, the Brazilian government needs to set out some basic ground-rules to prevent SCADA network exposure. The costs of inaction could not be higher.

Robert Muggah is co-founder and research director of the Igarapé Institute, as well as co-founder of the SecDev Group. Nathan B. Thompson is a researcher at the Igarapé Institute.

Image credit: Laszlo Balogh/Reuters

Be the first to comment

Please check your e-mail for a link to activate your account.

No events are scheduled at this time.


Global Times: BRICS summit displays the potential of a new future

by Editorial Staff (feat. Swaran Singh), WSFA 12, June 24, 2022

Oil's Dive Won't Bring Any Immediate Relief on Inflation

by Alex Longley, Elizabeth low, and Barbara Powell (feat. Amrita Sen), BNNBloomberg, June 24, 2022

China To Tout Its Governance Model At BRICS Summit

by Liam Gibson (feat. Stephen Nagy), The Asean Post, June 23, 2022

Soutien aux victimes d’inconduites sexuelles dans l’armée

by Rude Dejardins (feat. Charlotte Duval-Lantoine), ICI Radio Canada, June 23, 2022

Defence: $4.9 billion for radars against Russian bombs

by Editorial Staff (feat. Rob Huebert), Archynews, June 23, 2022

The Hans Island “Peace” Agreement between Canada, Denmark, and Greenland

by Elin Hofverberg (feat. Natalie Loukavecha), Library of Congress, June 22, 2022

What the future holds for western Canadian oil producers

by Gabriel Friedman (feat. Kevin Birn), Beaumont News, June 22, 2022

At BRICS summit, China sets stage to tout its governance model

by Liam Gibson (feat. Stephen Nagy), Aljazeera, June 22, 2022

Crude oil price: there are no changes to the fundamentals

by Faith Maina (feat. Amrita Sen), Invezz, June 22, 2022

Few details as Liberals promise billions to upgrade North American defences

by Lee Berthiaume (feat. Andrea Charron), National Newswatch, June 20, 2022

Defence Minister Anita Anand to make announcement on continental defence

by Steven Chase (feat. Rob Huebert), The Globe and Mail, June 19, 2022

Table pancanadienne des politiques

by Alain Gravel (feat. Jean-Christophe Boucher), ICI Radio Canada, June 18, 2022

Russia Ukraine conflict

by Gloria Macarenko (feat. Colin Robertson), CBC Radio One, June 17, 2022

New privacy Bill to introduce rules for personal data, AI use

by Shaye Ganam (feat. Tom Keenan), 680 CHED, June 17, 2022


Canadian Global Affairs Institute
Suite 1800, 150–9th Avenue SW
Calgary, Alberta, Canada T2P 3H9


Canadian Global Affairs Institute
8 York Street, 2nd Floor
Ottawa, Ontario, Canada K1N 5S6


Phone: (613) 288-2529
Email: [email protected]


Making sense of our complex world.
Déchiffrer la complexité de notre monde.


© 2002-2022 Canadian Global Affairs Institute
Charitable Registration No. 87982 7913 RR0001


Sign in with Facebook | Sign in with Twitter | Sign in with Email