This week 50 million people in Argentina and Uruguay woke up to no electricity. Overnight there had been a massive outage across the grid. Thoughts of a massive cyber-attack was the first thing that popped into many other folks’ heads. We still do not know the root cause of this major critical infrastructure failure. It may, or may not, be a cyber-attack. However, cyber threats to our critical infrastructures are real.
Our critical infrastructures (CI), including energy, water, finance, and digital communications, are the bedrock of modern society. If any of them go down, we have serious issues. In this article, we will take a look at some examples of how and where cyber-attacks have been successfully used against our CIs and how we can help avoid them.
How big of a problem are critical infrastructure cybersecurity attacks?
Cybersecurity attacks on critical infrastructures come in from a number of sources. State-sponsored hackers have very different reasons for an attack compared to the financially motivated cybercriminal. The end result is often the same for the consumer, lack of service, company downtime, financial loses, even health impacts. For the organization that is hit, the impact is massive, with lost revenue, downtime of systems that can result in serious asset damage, and reputational damage.
“The Road to Resilience” by the World Energy Council, looked at the effect of cybersecurity attacks on utility critical infrastructures. In 2015, 80% of gas providers were victims of a successful cyber-attack. Consequently, cyber threats are one of the top worries for energy leaders, especially in North America and Europe. Digital transformation of networks and increasing connectivity using connected systems like Industrial Control Systems (ICS), are seen as opening up critical infrastructures to attack. And since then, the number of connected industrial units have soared. By 2026, the market size for industrial IoT, for example, is expected to be worth around $772 billion USD.
The convergence between traditional enterprise IT with the cyber-physical world of manufacturing is creating new opportunities for cybercriminals of all types. This is opening the door to threats like spear phishing and DDoS, that normally affect IT only systems; in 2016, the second most commonly attacked industry was manufacturing.
Critical infrastructure attacks and how they play out
Cybercriminal groups such as ‘Dragonfly’ or ‘Energetic Bear’ specifically target large scale infrastructures. Dragonfly, for example, started with defence and aviation targets before moving onto energy infrastructure. A campaign, Dragonfly 2.0 was behind a massive attack on the Ukrainian electricity grid. The attack started by spear phishing emails which targeted employees and the supply chain. These emails, if successful, then sent the user to a ‘watering holes’, in other words, a malware infected website. This malware was used to infect the software used to update ICS units. The malware’s name was ‘CrashOverride’ and it was used alongside DDoS attacks against phone systems to create a massive power outage across the Ukraine National Grid in 2015/2016. This attack likely originated in Russia and was state-sponsored. The end result, 225,000 homes were without power in the first attack and countless more in several subsequent attacks that happened over several years.
Because of cyber-attacks like this, US-Cert has issued a notice informing U.S. utility providers about the threat against critical infrastructures from state-sponsored hackers.
Further examples of cyber-threats include:
A U.S. water treatment plant that experienced exposure of 2.5 million customer data records, including financial details. However, it also affected the water supply – which may have been an unwitting side-effect of the breach, as the attack affected the Internet connected SCADA and ICS units.
The Dragonfly Hacking Group, mentioned above, has also infiltrated utility facilities in the U.S., Spain, France, Italy, Germany, Turkey and Poland. The group compromised ICS units used to control sections of power plants.
The Covellite Hacking Group, from North Korea, were responsible for a number of targeted phishing attacks on U.S. grid companies as well as European industrial systems.
Insider Threat is also a serious issue in critical infrastructure security. An IBM report found that 40% of attacks against ICS units were initiated by insiders. Of those, 24% were malicious insiders; a former employee of a U.S. paper mill caused $1.1 million USD worth of damage by remotely logging into the facility and causing intentional damage.
And, accidents happen too. A report by NTT Data found that 25% of insider threats were malicious, the remaining 75% were accidental.
Where there is a will, there’s a way; there are some pragmatic ways to mitigate risk:
- Security awareness training.Social engineering is at least part of the methods used by hackers to attack critical infrastructures. Making employees aware of the tricks of phishers is the fundamental foundation stone of modern cybersecurity threat prevention.
- Use the right technologies in the right context. Industrial settings often have very unique and challenging technology environments so require specific technological solutions.
- Regulations always help.Data security legislation needs to reflect the challenges of those who manage critical infrastructures. Frameworks that reflect legislation can then help to work out the best way to manage risk in an industrial setting.
Can we stop the lights going out?
Cybersecurity isn’t an on/off switch. It is an ongoing process that requires a multi-layered approach to mitigating its impact. In terms of industrial security, manufacturing has challenges that many other industries do not. For example, some industrial manufacturing processes cannot be turned off at the flick of a switch to install security patches. This makes security awareness training even more crucial for manufacturers. Security begins with our people because the cybercriminals often start there; it was a spear phishing email that brought down the Ukrainian power grid. If we can train our staff to be highly cognizant of the threat of socially engineered cyber-attacks, then we can help prevent a major national catastrophe.
Want to learn more about making employees your strongest defence? Why not sign up for a free demo and find out how we’re already helping organisations just like yours.