Critical National Infrastructure: The Growing Threat

Attacks on critical national infrastructure (CNI) such as power, water, healthcare and financial industries are nothing new, but they are growing in number and sophistication. The first high-profile and significant attack on CNI was Stuxnet, the 2010 cyber-assault targeting an Iranian nuclear plant’s centrifuges.

Believed to have been perpetrated by Israel and the US, Stuxnet targeted the supervisory control and data acquisition (SCADA) systems that power CNI, setting back Iran’s nuclear program for years. Since then, other groups have modified the virus to target water treatment plants, power plants and gas lines.

CNI cyber-attacks continue to evolve, often taking advantage of ransomware to ravage organizations’ systems. In February this year, hackers attempted to poison a Florida town’s water supply after gaining access to a water plant’s control systems through remote access software TeamViewer.

Last year, EDP Renewables North America confirmed a Ragnar Locker ransomware attack on its parent corporation, the Portuguese multinational energy giant Energias de Portugal. Also last year, REvil ransomware operators successfully targeted Spanish state-owned railway operator Administrador de Infraestructuras Ferroviarias.

The potentially devastating results of an attack on CNI have already been seen. Take the example of the now infamous WannaCry crypto-worm that hit the UK’s NHS in 2017, striking down medical devices such as MRI scanners and resulting in 19,000 cancelled appointments.

Meanwhile, in 2020, a patient – who later died – had their treatment delayed following a ransomware attack that crippled a hospital in Düsseldorf, Germany.

So what are the threats targeting CNI today and how can organizations operating in these sectors protect themselves, now and in the future?

Threat Actors Targeting CNI

Over the last few years, the UK and US governments have repeatedly warned that adversaries such as Russia are targeting CNI as part of hybrid warfare aims. Besides Russia, China, Iran and North Korea are also thought to pose a threat to the West’s CNI.

Among the threat actors targeting CNI, Russia is particularly active in the US through groups such as Talonite – which uses the LookBack RAT to attack electricity providers – and Kamacite, which targets energy companies across North America and Europe. Meanwhile, Vanadinite conducts operations against the manufacturing and transportation sectors in APAC, North America and Europe, says Ian Thornton-Trump, CISO at Cyjax.

Another Russia-linked group, Energetic Bear, uses chained vulnerabilities to target US critical infrastructure and election organizations’ networks. At the same time, GRU-linked Fancy Bear has long been targeting the US government and energy sector.

A newer threat to the West’s CNI is Xenotime, known for the Triton cyber-attack on an oil and gas facility in Saudi Arabia in 2017. The threat actor has now shifted to target electric utilities in North America, Europe and APAC, says Thornton-Trump. “It has compromised several industrial control system (ICS) vendors and manufacturers, using phishing attacks and posing as organizations at different stages of the supply chain.”

Adversaries target CNI to achieve a variety of aims. Beyond looking to cause disruption, state-backed actors in particular target government, chemicals, nuclear and defense operators for espionage purposes, says Kristian Alsing, resources security lead at Accenture UK.

At the same time, he says: “As the attack surface grows, organized crime groups have broadened their focus into new industries, and ransomware has become a greater threat.”

Ransomware gangs tend to focus on the sectors where they deem the best payout lies, adds Alsing. This has led the most prominent groups to target a number of CNI industries, he says, citing the example of the Netwalker gang which initially focused on utilities and transportation, before moving on to healthcare and government services.

SCADA-Based Systems

One of the major issues for industries such as gas and electricity is the vulnerability of the SCADA-based systems that power CNI, which were never meant to be connected to the internet.

IT and operational technology (OT) convergence and connectivity for OT and ICS has rapidly grown over the past few years, says Alsing. With benefits including scalability, flexibility and increased availability, OT is now being connected through the cloud as well as to corporate networks. However, this opens new attack opportunities for malicious actors.

“When SCADA applications move away from segregated to connected networks, vulnerabilities can be discovered and exploited by an attacker more easily,” Alsing says.

This sees legacy technology solutions that were once hidden now open to discovery, he explains. Adding to this: “Many cloud vendors offer software to enable SCADA monitoring information from anywhere, creating yet another entry point an attacker can exploit.”

Another big challenge in securing CNI centers around the lifetime of infrastructure components, says Gemma Moore, director at Cyberis. “When you procure a solution to a CNI problem, you’re often looking at something with a lifetime of 20 years. Inevitably, it means the state-of-the-art technology you procure for operating CNI components today may well be out-of-date and obsolete in five years’ time – and yet still only be at the start of its useful lifetime.”

Making things worse, updating CNI components is difficult and expensive, adds Moore. “After a certain period of operation, updating might even be impossible because the patches don’t exist anymore.”

Therefore, when securing the systems powering CNI, Moore says organizations need to build layers of defense around them. For example: “Different network layers, segregation of management interfaces, limitation of privileges and making sure they are as minimally exposed as possible.”

Increasingly aware of the damage that can be caused by attacks on CNI, governments across the world are implementing regulation such as the EU’s NIS Directive and resulting UK NIS Regulations. These are helpful partly because they introduce higher fines for non-compliance, says Scott Nicholson, co-CEO of Bridewell Consulting.

He explains the initiatives are “driving significant improvements” in governance processes, identification and management of cyber-risks and technical cyber-defense capabilities.

Thornton-Trump agrees, and he thinks the EU and UK are “ahead of the game” in that regard. This is because regulators are pushing new, sustainable energy projects and a “closer observation and engagement of national government investment,” he says.

“The newer the energy project, the more likely the architecture and cybersecurity is robust and of a high standard,” he explains.

In addition, the NIS Directive is mandatory, says Thornton-Trump. In contrast, although there is movement towards some mandatory controls, compliance with the US NIST’s recommendations remains voluntary.

Protecting CNI

It is certainly helping to lay the groundwork, but regulation can only go so far. Organizations operating CNI need to get the basics right. A lack of foundational security hygiene is still a critical issue, says Bharat Mistry, technical director UK and Ireland at Trend Micro.

With this in mind, he advises avoiding default configurations, as well as air gapping IT and OT environments. In addition: “Organizations should apply relevant security patches, perform vulnerability assessments, implement security features provided by vendors and control the use of portable devices within the SCADA environment.”

Architecture is the “number one problem,” followed by a lack of security skill sets, Thornton-Trump says. In order to secure CNI, he agrees proper segmentation between IT and OT environments is key, citing the example of the Florida water plant hack: “Something like TeamViewer – an internet-based remote access solution – should never have been deployed on a computer with direct access to OT controls. It should have been inaccessible to the internet.”

Thornton-Trump emphasizes that internet-connected IT systems and OT-based systems should always be separated by an air gap or by technology that limits communication between them. “Things are getting better as technology is modernized, and there are SCADA firewalls which are effective in containing malware from moving across the IT/OT gap, but they are expensive and can be complex to install.”

Ideally, he says, the best strategy is, “if you can’t protect it, don’t connect it to the internet,” but concedes that this may not be an option for many organizations.

With this in mind, Thornton-Trump advises the use of data diodes – a cybersecurity solution that can be placed between two networks, ensuring information can only travel in one direction.

Organizations need to consider additional layers of security in order to protect CNI from external and internal threats, argues Javvad Malik, security awareness advocate at KnowBe4. “While changing CNI itself isn’t an easy task, external controls should be increased to prevent anyone from being able to remotely access these systems.

“This includes locking down access for administrators working remotely, using multi-factor authentication and segregation of duties.”

In addition, says Malik, CNI organizations need robust monitoring and threat detection controls that can alert to any unauthorized access attempts and changes.
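The segmentation and one-way-flow advice above (IT/OT separation, data diodes) and Malik's call for controls that alert on unauthorized remote access can be expressed as a small policy check run over connection and login records. The example below is added here and is not code from the article or from any of the organizations quoted; the network segments, the historian address used as the only permitted OT-to-IT destination, and the log line format are all assumptions constructed for the example.

```python
import ipaddress
# Segment definitions are constructed for this example, not taken from the article.
OT_NET = ipaddress.ip_network("10.50.0.0/16")    # SCADA / ICS segment
IT_NET = ipaddress.ip_network("10.10.0.0/16")    # corporate IT segment
DIODE_SINK = ipaddress.ip_address("10.10.5.20")  # historian: the only permitted OT->IT destination

# Constructed sample events (hypothetical format): connection and login records, one per line.
SAMPLE_LOG = """\
2021-02-05T09:14:02Z conn src=10.50.1.12 dst=10.10.5.20 dport=4840
2021-02-05T09:15:10Z conn src=10.50.1.12 dst=203.0.113.7 dport=5938
2021-02-05T09:16:40Z login host=10.50.1.12 user=ops-admin method=remote mfa=no
2021-02-05T09:17:05Z login host=10.50.1.12 user=ops-admin method=console mfa=no
2021-02-05T09:18:00Z conn src=10.10.3.4 dst=10.50.1.12 dport=3389
2021-02-05T09:19:30Z conn src=10.50.1.12 dst=10.50.2.2 dport=502
"""

def zone(ip):
    """Classify an address as OT, IT or EXTERNAL (anything outside both segments)."""
    addr = ipaddress.ip_address(ip)
    if addr in OT_NET:
        return "OT"
    return "IT" if addr in IT_NET else "EXTERNAL"

def check_event(ts, kind, f):
    """Return an alert string for one parsed event, or None if it is within policy."""
    if kind == "conn":
        s, d = zone(f["src"]), zone(f["dst"])
        if s == "OT" and d == "EXTERNAL":
            return f"{ts} OT host {f['src']} reached internet host {f['dst']}:{f['dport']}"
        if s == "OT" and d == "IT" and ipaddress.ip_address(f["dst"]) != DIODE_SINK:
            return f"{ts} OT->IT flow {f['src']}->{f['dst']} bypasses the one-way historian path"
        if s != "OT" and d == "OT":
            return f"{ts} inbound connection into OT {f['src']}->{f['dst']}:{f['dport']}"
    elif kind == "login":
        if zone(f["host"]) == "OT" and f["method"] == "remote" and f["mfa"] != "yes":
            return f"{ts} remote login to OT host {f['host']} by {f['user']} without MFA"
    return None  # OT-internal traffic, diode-direction export and console logins are allowed

def scan(log_text):
    """Parse 'timestamp kind k=v k=v ...' lines and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ts, kind, rest = parts
        fields = dict(p.split("=", 1) for p in rest.split())
        alert = check_event(ts, kind, fields)
        if alert:
            alerts.append(alert)
    return alerts
```

Running `scan(SAMPLE_LOG)` on the constructed records raises three alerts: the OT host reaching an internet address, the remote login without MFA, and the inbound IT-to-OT connection; the export to the historian and the OT-internal traffic pass.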

An effective CNI cyber-strategy should also include a robust security architecture and a threat assessment to identify actors and vectors of attack. This will ensure new techniques can be detected, responded to and protected against effectively, says Nicholson. “It should be conducted with business stakeholders and systems engineers, who often have the best knowledge of environments.”

Meanwhile, CNI organizations should review network segmentation alongside additional security controls to check these are helping to reduce cyber-risk, Nicholson says. “Sometimes organizations can open up their networks to add new security capabilities but in doing so, introduce more risk. Implementing additional technical controls by default is not the answer.”

The CNI threat is broad, spanning multiple sectors, with attacks perpetrated by a vast range of threat actors. It is vital that organizations involved in CNI, including those in the supply chain, are aware of, and prepared for, a potential cyber-attack.

Yet, as Alsing warns, it’s important to remember basic security measures such as training employees. “Critical infrastructure operators are just as vulnerable to employee threats as any other organization. A basic error such as clicking on a link in a phishing email can have critical and even life-threatening consequences.”
