Recent cyber-attacks on critical infrastructure, such as the ransomware attack on the US Colonial Pipeline which forced the largest fuel pipeline in the country to shut down its operations for several days, should serve as a warning of vulnerabilities faced by all nations. As cybercriminals’ hits against power grid operators, water treatment plants and other essential assets are becoming more frequent with potentially severe consequences for the functioning of society and the economy, how can asset managers and owners reduce risk and prevent this in the future?
The electrical grid and other critical infrastructure such as water and gas are there at the flick of a switch…until they are not. A key difference to an attack on critical infrastructure vs a data hack is the secondary impact and risk of direct loss of life. If a power grid goes down, traffic and streetlights go out potentially increasing the risk of vehicle accidents for instance, and hospitals and food supply systems have to rely on backup generators (with regular fuel deliveries) or shut down.
Loss of essentials
A growing number of threat groups have been attacking the security systems of utilities and other essential industries around the world. In May 2021 the US had to enable emergency legislation to allow more transport of fuel via roads after a ransomware attack hit the Colonial Pipeline; the largest fuel pipeline in the US. The attack came at a particularly critical time as cars were being used once more as the lockdown from Covid-19 started to ease and people started returning to the workplace. In addition to encrypting data on devices and servers the attackers, a criminal gang known as DarkSide, also took around 100GB of data from the network. Should the ransom not be paid the stolen data was threatened to be leaked onto the internet.
The vulnerability of critical infrastructure to cyber-attacks like this one has become a big concern as essential assets are more complex and interconnected than ever. Due to their vital role, utilities cannot be “offline” for prolonged periods in case of a successful attack and are more likely to pay ransom. It makes the energy sector one of the main targets with potential devastating chain reaction. Asset managers and owners must take a structured approach to reduce cyber-related risks and protect their assets, operations, and customers.
Keeping the lights on
A key issue when it comes to managing cyber security in critical national infrastructure is ensuring that any changes do not result in any downtime for end-users. This means staged and managed changes during times when usage is low, and any offline systems can be compensated by existing systems. Below are some of the key considerations for cyber security in critical infrastructure.
Update your IT infrastructure
Keeping ageing technology up to date is time consuming, which is an issue under the objective of minimizing disruption. Combined with high costs and complications with integrating older industrial technology and modern IT systems can put many owners and managers off. Prime examples are Supervisory Control and Data Acquisition (SCADA) systems, which are commonly used for monitoring and controlling tasks in energy generation facilities such as solar and wind farms, but also in transmission and distribution networks. Usually, these systems evolve over time and often pair technology from different generations. However, old software and operating systems that are no longer supported can have security issues that remain open, accessible and widely unknown with no planned patches to fix those issues going forwards.
A remote attacker in February 2021 exploited a set of vulnerabilities at a water treatment facility in the US state of Florida and increased the amount of sodium hydroxide (lye) added to the water. It is reported that the water plant was running outdated Windows 7 machines, without a firewall and relied on a shared password to log in to team-viewer remote access software. Staff on-site at the time noticed the increase and promptly took remedial action to reverse the effects. Human awareness saved a potentially disastrous outcome; however, the situation could have been avoided if basic security precautions had been followed.
In another incident in 2020, Elexon, which handles around £1.7 billion in energy payments in the UK every year, was the target of a cyber-attack potentially due to a known vulnerability in an unpatched VPN. The attack left the company unable to access certain systems and devices, however, the payment system was luckily unaffected.
Raise and test staff awareness
Reliable authentication methods: large amounts of critical infrastructure rely on remote management, such as solar and wind farms but also minimal manpower in remote facilities. Ensuring that passwords are complex and not re-used across systems is key, followed up with Multifactor authentication, which will help minimize or identify if a password is breached.
Regular user training: phishing remains the primary method by which attackers gain access to systems, sometimes weeks and months in advance of the main attack. Regular user training and simulated phishing strengthen the weakest component in any cyber defense – the user. Educating staff to look at the domain from which emails originate, as well as having a suspicious mindset when it comes to emails and links can save significant problems later.
From 2015 onwards Ukraine has suffered a number of attacks on its national grid, the first attack was wide-ranging and complex and affected over 200,000 people for between one and six hours. It is believed that a spear-phishing email was the original attack vector that was then used to pivot and attack onto further systems. These attacks included seizing control of industrial systems and turning them off, disabling IT infrastructure such as uninterruptable power supplies, destruction of files and finally a denial of service attack on the customer call center.
Reinforce on-site security
Cybercriminals are often thought of as hackers in black hoodies sitting at home in front of a computer. However, when it comes to critical infrastructure, physical access is often overlooked. In sites with low levels of on-site staffing, what could hackers access by physically visiting a site? How good is the asset’s security or is it reliant on locks and fences? When on-site is there Wi-Fi which could be hacked simply by sitting outside, or are there accessible network ports, computers and server rooms? Cyber security of critical infrastructure needs to consider what damage could be done when present on-site as well as remotely.
Threats are here to stay
As the infrastructure that enables our life becomes more connected, the need for critical infrastructure to treat cyber security as a core foundation of business is undeniable. With the number of cyber threats continue to rise, regular penetration testing and simulated exercises, such as assumed compromise and internal threat, can help asset managers and owners mitigate risks. A Strong cyber framework is key to reducing the severity or likelihood of an attack, to help identify when utilities are under attack and allow them to recover quickly following an attack.