Cyberattacks against critical infrastructure and the utilities market are growing in sophistication and frequency. David Stroud, GM of Europe/APAC, NanoLock Security, discusses why decision-makers in critical infrastructure need to invest in cybersecurity for the OT, now.
Cyberattacks against critical infrastructure and the utilities market are growing in sophistication and frequency. From Colonial Pipeline to water treatment and energy plants across the world, the reality is that there is no way to know where the next attack will come from, and critical infrastructure operators often have outdated IT and OT management processes that leave crippling vulnerabilities open. Attractive targets like these require a last line of defence integrated directly into the OT infrastructure to protect against persistent cyberattacks. Simply shutting down OT systems because the IT has been breached is not a viable option for entities responsible for providing basic needs like water and power to entire communities and regions.
Critical infrastructure attacks: From cautionary tales to imminent threats
The Colonial Pipeline breach was a wakeup call regarding the severity of impact that ransomware attacks can levy on the energy industry. The breach impacted not only the business operations of Colonial Pipeline, but had a trickle-down impact on regional economies, creating widespread shortages, price hikes and consumer panic. But not every breach is as high-profile as Colonial Pipeline. In fact, utilities, water treatment and power plants all over the world have faced increasing cybersecurity threats for years.
In May 2020, UK-based Elexon, responsible for overseeing payments between UK power station operators and companies that provide electricity supply to consumers and businesses, was the victim of a ransomware attack that stole important internal data. The vulnerability resulted from the organisation running an unpatched version of a VPN from a supply chain software vendor which itself was recently found to be the victim of a massive persistent ransomware attack.
It’s not just ransomware attacks for monetary gain that pose a threat to utilities. Bad actors, whether insiders or outsiders, looking to cause economic disruption or stir up societal panic are also a threat.
In 2014, a phishing attack resulted in major damage to a German steel mill where credentials were stolen to gain access to the corporate IT network. After compromising the main network, the attack targeted the mill’s control systems. This resulted in failures that caused major damage to the mill’s blast furnaces. In 2018, it was announced that the US electric grid, among other critical infrastructures, had been targeted by Russian state-backed hackers as far back as 2016.
The rollout of more connected devices such as smart meters presents yet another attack opportunity for bad actors. Utilities and energy companies are now converging legacy OT devices onto IT networks, thereby opening them up as targets of the world’s most advanced and well-resourced hackers. In August 2020, an Indian energy company which had just launched an initiative to install 240M smart meters across the country, faced a sabotage of its smart meters, which left 160,000 homes without power. The breach was the largest of its kind in India’s history and forced the project to pause its massive rollout.
These hacks indicate that while Advanced Persistent Attacks (APTs) on utilities and critical infrastructure are not a novel phenomenon, they are increasing at a disturbingly fast pace.
The rise of APT attacks for critical infrastructure
Though not a new category of attack, APTs like ransomware, DDoS and others are rising in popularity as more legacy OT devices become connected. These attacks begin with the attacker gaining access to a vulnerable device, such as a sensor or meter, either remotely or locally. Once inside, the bad actors inject malicious code into the flash or non-volatile memory of the device in order to survive a restart or power loss, allowing an attacker to cause more damage over a longer period of time – hence the term ‘persistent’ in the name. As these devices are brought onto an IT network, actors can use their persistent presence in the device to get into the IT system itself, at which point they can manipulate data, change commands, seize control from operators, or simply lie dormant until the time is right.
APT attacks can stem from a wide range of vectors, including outsider groups such as the (allegedly) state-backed hacker gang DarkSide, compromised supply chain vendors like Pulse Connect Secure, or insider threats like disgruntled or negligent employees. Insider attacks are typically harder to detect and prevent than external attacks. A Ponemon Institute study published in January 2021 found that insider cybersecurity incidents have risen 47% since 2018 and that the average annual cost of an insider-caused breach also increased, up 31% to US$11.5 million.
One issue that utilities run into in preventing such attacks is that both IT and OT systems have not kept pace with security requirements, firmware and software updates, which can create an easy entry point for hackers. When combined with an increasing number of both IT and OT connected devices, this creates the perfect storm for a breach.
Why utilities need Zero Trust device-level security
Given the vulnerability of legacy OT devices, the nature of APT attacks on these devices and the diverse sources these attacks have stemmed from, critical infrastructure and OT operators must ensure that each device they roll out or integrate onto their network is itself impermeable. This can only be guaranteed by introducing Zero Trust device-level security that protects connected devices like smart meters from all attack vectors through installation, implementation, maintenance and future upgrades.
One way of doing this is to introduce a solution with an embedded software gatekeeper within the device that provides Zero Trust and passive prevention against outsider, supply chain and insider APT threats by automatically rejecting any change that has not been authenticated by a trusted external server. This prevents persistence and maintains device integrity, because bad actors are unable to inject their code into the non-volatile memory and impact the device’s functionality. It will not stop future hackers from trying to breach converged IT/OT systems, but it will at least secure the most vulnerable potential points of attack while using limited computing power, and it will prevent devices from being used as launch points for attacks on other systems. Not least, it protects the investment in the assets themselves and their operational capability.
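The gatekeeper idea above, and the persistence mechanism described earlier (code written into non-volatile memory so it survives a restart), can be made concrete with a small model of a device that refuses any write to its persistent storage unless the command carries a valid, fresh authorisation from a trusted server. This is an added illustration, not NanoLock’s product or code: the device, the command format, the `server_authorize` and `gatekeeper_apply` functions and the demo key are all constructed here. It uses an HMAC shared secret because that is available in the Python standard library; a real deployment would use an asymmetric signature so the device holds only a public key and never the signing key. A monotonic counter is included so that a captured, previously valid command cannot be replayed to restore an old image or configuration.

```python
"""Device-side gatekeeper for non-volatile writes (constructed illustration)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed demo secret. In a real device this would be a public key and the
# server would hold the private signing key; HMAC is a stdlib stand-in here.
SERVER_KEY = b"constructed-demo-server-key-not-for-production"


@dataclass
class DeviceNVM:
    """What survives a restart: firmware image, config, anti-replay counter."""
    firmware: bytes = b"fw-v1"
    config: dict = field(default_factory=lambda: {"report_interval_s": 900})
    last_counter: int = 0
    audit: list = field(default_factory=list)


def _canonical(op: str, counter: int, payload: bytes) -> bytes:
    """Stable byte encoding of every field covered by the authentication tag."""
    body = {"op": op, "counter": counter, "payload": payload.hex()}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def server_authorize(key: bytes, counter: int, op: str, payload: bytes) -> dict:
    """Trusted server side: issue a change command with an authentication tag."""
    tag = hmac.new(key, _canonical(op, counter, payload), hashlib.sha256).hexdigest()
    return {"op": op, "counter": counter, "payload": payload, "tag": tag}


def _reject(nvm: DeviceNVM, reason: str) -> tuple[bool, str]:
    nvm.audit.append(("rejected", reason))
    return False, reason


def gatekeeper_apply(nvm: DeviceNVM, key: bytes, cmd: dict) -> tuple[bool, str]:
    """Device side: commit a change to NVM only if it carries a valid, fresh tag.

    Anything that fails a check is dropped before touching persistent storage,
    so unauthenticated code never reaches the memory that survives a reboot.
    """
    op, counter, payload, tag = (cmd.get(k) for k in ("op", "counter", "payload", "tag"))
    if (not isinstance(op, str) or not isinstance(counter, int)
            or not isinstance(payload, (bytes, bytearray)) or not isinstance(tag, str)):
        return _reject(nvm, "malformed command")
    expected = hmac.new(key, _canonical(op, counter, bytes(payload)), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):          # constant-time comparison
        return _reject(nvm, f"{op}: tag mismatch")
    if counter <= nvm.last_counter:                     # replay / rollback guard
        return _reject(nvm, f"{op}: stale counter {counter} (replay)")
    if op == "write_firmware":
        nvm.firmware = bytes(payload)
    elif op == "set_config":
        nvm.config.update(json.loads(bytes(payload)))
    else:
        return _reject(nvm, f"unknown op {op}")
    nvm.last_counter = counter
    nvm.audit.append(("accepted", op, counter))
    return True, f"{op} applied"


def demo() -> tuple[DeviceNVM, dict]:
    """Run the gatekeeper against one legitimate update and three bad writes."""
    nvm = DeviceNVM()
    results = {}
    good = server_authorize(SERVER_KEY, 1, "write_firmware", b"fw-v2")
    results["signed_update"] = gatekeeper_apply(nvm, SERVER_KEY, good)
    # A party with network or local access but without the server key.
    results["unsigned_write"] = gatekeeper_apply(nvm, SERVER_KEY, {
        "op": "write_firmware", "counter": 2, "payload": b"unauthorised-image", "tag": "00" * 32})
    # A genuine command whose payload was altered in transit.
    results["tampered_payload"] = gatekeeper_apply(nvm, SERVER_KEY, dict(good, payload=b"unauthorised-image"))
    # The genuine command captured and sent again.
    results["replayed_update"] = gatekeeper_apply(nvm, SERVER_KEY, good)
    cfg = server_authorize(SERVER_KEY, 2, "set_config", json.dumps({"report_interval_s": 60}).encode())
    results["signed_config"] = gatekeeper_apply(nvm, SERVER_KEY, cfg)
    return nvm, results


if __name__ == "__main__":
    device, outcome = demo()
    for name, (ok, msg) in outcome.items():
        print(f"{name:18s} {'ACCEPT' if ok else 'REJECT'}  {msg}")
    print("firmware now:", device.firmware, "| audit entries:", len(device.audit))
```

The audit list is the part an operator would actually want: every rejected write is a detection signal that someone is trying to change persistent state without going through the trusted server, which is exactly the behaviour the article attributes to APT persistence.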
As the threats to utilities and critical infrastructure grow, it is essential for decision-makers to prioritise investment in both IT and OT security before they become victims of a devastating attack that can create far-reaching problems for their companies, customers and even the world.