Cyber-attacks are becoming not only more advanced but more frequent, with utilities, financial institutions, healthcare facilities, universities, and government agencies all now being impacted. Whether targeted by criminals or state-sponsored actors, active cybersecurity is now a critical issue.
A major long-term attack on the power grid could, for example, be catastrophic, so an attack that damages or disrupts critical infrastructure needs to be addressed immediately.
As is so often the case with cybersecurity, many within the industry have still to be convinced of the threat posed or of the vulnerabilities attackers are able to exploit.
Of note is that attackers have increased the bandwidth and speed of their attacks and, rather than simply accessing sensitive data, a growing number are targeting operational systems in a bid to disrupt essential services.
“Critical Infrastructure has long been a significant target for criminals and state-sponsored threat actors. The origin of many ransomware attacks within the critical infrastructure industry is the sale of access to a compromised network on underground criminal forums by nation state actors,” explains Paul Prudhomme, Head of Threat Intelligence Advisory at IntSights, a Rapid7 company specialising in threat intelligence.
“While utilities have long been a significant target for state-sponsored actors, we’re now seeing the criminal threat becoming more significant,” adds Prudhomme. “They provide cyber-attackers with a variety of ways to extort money or simply cause chaos and confusion.”
Nation-state actors who may have previously targeted government agencies are now facing tougher cyber-security systems and, as a result, are seen as shifting their focus to utilities, many of which are unprepared and seen as ‘easy’ targets.
“Both nation-state and criminal actors are looking for targets that are less secure and easier to hack, and utilities are the perfect target. Many simply don’t have the budget needed to secure their systems or are simply unaware of the risks they’re running,” says Prudhomme.
However, this could be about to change. Earlier this year a ransomware attack on the US Colonial Pipeline operation became a high-profile example of an attack on a utility, causing significant dislocation to the supply of fuel and leading to extensive shortages.
The attack forced the company to proactively close down its operations and freeze its IT systems, and a cyber-security team was called in to help.
One of the largest pipeline operators in the US, this privately owned company was supplying almost half the East Coast’s fuel, moving over 100 million gallons of fuel each day.
That incident was a ransomware outbreak linked to the DarkSide group. It was not the first time that ransomware operators had targeted an energy pipeline operation, nor the first time that DarkSide ransomware affiliates were involved, but the scale, impact and publicity it generated were significant.
As a consequence, cyber-security has risen to the top of the political agenda for the Biden administration. The attacks on Colonial Pipeline, JBS, a meat processing company, and the software firm Kaseya have affected fuel and food supplies and the wider US economy.
The US administration has called together Big Tech, the finance industry and infrastructure companies to better address the growing threat of cyber-attacks and Congress is now considering legislation on data breach notification laws and cyber-security insurance industry regulation.
In the case of Colonial Pipeline, it ended up paying its attackers over $4mn in cryptocurrency, although after an FBI investigation, which followed the publicly visible bitcoin ledger, half that payment was recovered.
That success demonstrated that the authorities have the ability to disrupt the financial infrastructure being used by criminal gangs while raising some interesting questions about the security of bitcoin.
State-sponsored attacks
“Colonial was a significant attack,” admits Prudhomme, “but it’s not just criminals attacking utilities. There are state-sponsored threat actors who can also achieve an equally significant impact in their attacks.”
According to Prudhomme the leading state-sponsored perpetrators tend to be based in Russia and Iran, both of which are major oil and gas producers. Other significant actors include China and North Korea.
“Both Russia and Iran are the main source of attacks when it comes to utilities like oil and gas, water and electricity, but there are some indications that Chinese actors are now entering the game. Earlier this year a Chinese attack was identified which affected the Indian power network. It was seen as retaliation for border tensions that had arisen earlier in the year.”
The extensive targeting of utilities by the likes of Russia and Iran is due in part to the sector’s critical importance to their respective economies. “While the intent of many of these attacks is disruptive or destructive, state-sponsored Russian and Iranian actors will also be seeking competitive intelligence and intellectual property from organisations.
“Russia is the main source of concern. They were behind Ukrainian power grid outages in what many analysts saw as Russia looking to project their sphere of influence, and playing hard ball by affecting the supply of energy to Ukraine.
“There is certainly potential for these ‘actors’ to carry out similar attacks in Europe and beyond. In many cases they are carrying out reconnaissance attacks to prepare the ground for future attacks as and when the geopolitical situation calls for them to act.”
State-sponsored perpetrators are being recruited from a burgeoning pool of criminals, and Prudhomme refers to the different business models deployed when it comes to criminals and their relationship with the state.
“Agencies recruit from a talent pool that’s derived from criminals. That’s not unique and different ‘business models’ are used. Russia, for example, will often use private companies to conduct hacks and they will work for the government as if they were normal contractors. If you look at North Korea, their model is primarily about raising money for the government – there’s a ‘fuzzy’ distinction between the state and criminal organisations.”
Prudhomme also distinguishes between military and civilian intelligence agencies. The former tend to be noisier than their civilian counterparts, who are more discreet and low key.
While the ‘Big Four’ (Russia, Iran, China and North Korea) deploy different methods and techniques on a global scale, many other countries are developing their own capabilities.
“These tend to be directed internally, rather than against other countries,” says Prudhomme. “It’s about domestic forms of cyber espionage and targets domestic security threats, dissidents, human rights activists etc.”
Sensitive OT environments
A recurring theme in attacks on utilities is the ability of attackers to move laterally from IT networks into the more sensitive OT environments, which contain industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. These attacks can be used to disrupt operations or cause physical damage.
“With these types of attacks reconnaissance needs to be carried out. Much of the technology utilities deploy has evolved to address specific challenges and so, in many cases, will have a unique set up. That means that attackers will have to figure out where things are and how they work,” explains Prudhomme. “It tends to be labour intensive work and they will spend a lot of time getting to understand how a network works before seeking to compromise it.”
According to Prudhomme the first obstacle to such attacks is the need to traverse the “demilitarized zones” (DMZs) that many organisations use to segment their IT and OT networks from each other. However, even attackers who find they are unable to move laterally into the more sensitive OT environment can cause significant problems, as the Colonial Pipeline attack showed.
The second and more significant obstacle is the variety and unfamiliarity of the OT environments, and the ICS and SCADA systems within them. “Attackers may not have the knowledge to effectively manipulate ICS and SCADA systems. Even if they do have the required expertise, many OT environments are highly customised to suit the specific needs of a given organisation, but again with extensive reconnaissance before an attack it’s quite possible for a hacker to get in and start to manipulate them,” Prudhomme warns.
In the case of the Colonial attack, while the ransomware reportedly did not affect the pipeline’s OT itself, it did impact the company’s billing system, which forced it to suspend supply operations because it could not bill customers.
Speaking to the US Senate after the attack, the company’s CEO Joseph Blount said that the decision to shut down the pipeline was pre-emptive under the assumption that its OT may have been compromised.
As Prudhomme points out, this incident illustrated that an IT compromise of an organisation that also has OT can have a disruptive impact on its industrial operations, even if the attackers fail to move laterally into the more sensitive OT.
Attacks on utilities are not only disruptive: through damage to critical infrastructure they can leave operators spending months and billions of pounds undertaking critical repairs or meeting ransom demands.
The risks are made worse because many employees have little or no training in cybersecurity or in the ways an attack can be prevented, i.e. routine cyber hygiene practices such as creating strong passwords and using email encryption.
The need for a comprehensive cybersecurity strategy is either ignored or not understood.
“Dormant passwords, viable but inactive VPN accounts that no one is using, remote working – all of these are creating vulnerabilities and will broaden the attack surface available to a cyber-attacker,” warns Prudhomme. “They are unnecessary – if you don’t use it, deactivate it!”
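To make the “if you don’t use it, deactivate it” advice concrete, here is an added example (not from the article or from IntSights) that reviews a constructed account inventory and flags accounts idle beyond a threshold, treating never-used accounts and still-enabled VPN access as separate findings. The CSV layout, the 90-day threshold and the usernames are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample: an identity inventory joined with last-seen data.
# Fields (assumed layout): username,account_type,vpn_enabled,last_login_iso
SAMPLE_INVENTORY = """\
alice,staff,yes,2021-09-01T08:15:00
bob,contractor,yes,2021-02-11T17:40:00
carol,staff,no,2021-09-03T09:02:00
dave,staff,yes,never
svc-hist,service,no,2020-12-20T03:00:00
"""

DORMANT_DAYS = 90  # assumed policy threshold for "nobody is using it"


def parse_inventory(text):
    """Turn the CSV text into a list of dicts; 'never' means no login on record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, kind, vpn, last = line.split(",")
        last_dt = None if last == "never" else datetime.fromisoformat(last)
        records.append({"user": user, "kind": kind,
                        "vpn": vpn == "yes", "last_login": last_dt})
    return records


def find_dormant(records, now, days=DORMANT_DAYS):
    """Return {user: reason} for accounts that should be deactivated."""
    cutoff = now - timedelta(days=days)
    findings = {}
    for r in records:
        if r["last_login"] is None:
            # Never used: provisioned but idle from day one.
            findings[r["user"]] = "never used"
        elif r["last_login"] < cutoff:
            reason = f"idle {(now - r['last_login']).days} days"
            if r["vpn"]:
                reason += ", VPN still enabled"  # remote path still open
            findings[r["user"]] = reason
    return findings


def dormant_users(text, now_iso, days=DORMANT_DAYS):
    """Convenience wrapper: inventory text plus an ISO 'now' timestamp."""
    return find_dormant(parse_inventory(text), datetime.fromisoformat(now_iso), days)


if __name__ == "__main__":
    for user, why in dormant_users(SAMPLE_INVENTORY, "2021-09-10T00:00:00").items():
        print(f"DEACTIVATE {user}: {why}")
```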
Another critical vulnerability impacting utilities is the Internet of Things (IoT) and the growing digitalisation of processes. While these help in the collection of data, provide insights, and improve efficiency and safety, they also present a much larger attack surface. For organisations with limited resources or security experience, the need to protect possibly thousands of endpoints can leave them extremely vulnerable.
Critical steps
Utilities are being urged to build robust DMZs between their IT and OT environments so as to prevent attackers from moving laterally from IT networks into OT environments.
“It’s critical that companies in this space have backup options or alternatives in place to enable continued operations,” says Prudhomme. But while securing ICS and SCADA systems is critical, many incidents begin with conventional attacks on IT networks, such as phishing emails carrying malicious links or attachments.
“This isn’t new, but companies do need to protect themselves against email attacks, which are one of the most common attack vectors across the board. This can involve adding spam filters and other email security solutions that prevent malicious email messages from reaching users; undertaking better user education; introducing rules that block the execution of macros in Microsoft Office attachments to email messages from external senders; providing sandbox analysis or other scrutiny of email attachments, particularly those from external senders or in suspicious file formats that attackers frequently use,” explains Prudhomme. “The IT networks of utilities also house data that criminals, hacktivists, and governments seek for a variety of purposes - whether that’s identity theft, or other forms of fraud.”
According to Prudhomme, organisations should identify key assets within their networks and supplement them with extra layers of defence, such as network segmentation, encryption, or additional authentication requirements.
Critically, utilities need to better understand the motivations, targeting, tactics, and objectives of their adversaries.