New wave of cybersecurity threats facing critical national infrastructure (CNI)

In 2010, researchers discovered a powerful computer worm that targeted critical national infrastructure (CNI). The worm, Stuxnet, was part of a massive cyber attack on an Iranian uranium enrichment plant, allegedly carried out by the US and Israel in a joint effort to derail the country's nuclear programme. As the Stuxnet attack demonstrated, attacks on CNI can have huge consequences, and in an increasingly uncertain geopolitical climate this has raised alarms about the risks posed to CNI systems.

    In April, US government agencies released a joint statement, saying hackers are creating custom tools targeting industrial control systems (ICS) that underpin CNI to get “full system access”. The agencies urge critical infrastructure organizations to immediately strengthen cybersecurity to protect systems from attack.

In the UK, regulations include the Network and Information Systems (NIS) Regulations, and roadmaps such as the National Cyber Strategy 2022 aim to ensure CNI is as secure as possible from a cyber attack. This is especially important as the risk from belligerent state powers such as Russia increases. Indeed, Ukraine says Russia has targeted its CNI since the conflict began. How significant is the risk from hackers targeting CNI, and how can organizations strengthen their defenses to prevent cyberattacks?

    Bringing SCADA Online

The challenge with the supervisory control and data acquisition (SCADA) systems that underlie critical infrastructure such as power stations is that they were built long before such systems were connected to the Internet.

    Dr Simon Wiseman, Chief Technology Officer at Deep Secure by Forcepoint said: “While they still have security holes, exploiting them often requires obtaining physical access.”


However, CNI operators then started to distribute processing across stations connected via a network to increase their reach, says Dave Harvey, UK head of cybersecurity at FTI Consulting.

Connecting to the internet reduces costs and increases flexibility, but it also presents a new and risky attack surface. “Once SCADA networks are no longer isolated, threat actors can gain access to systems,” says Harvey. Plus, he continued, cybersecurity was often overlooked in early SCADA generations. “They are sold as ‘turnkey’ packages, meaning the end user has no idea what’s inside and needs patching.”

The complexity of securing CNI makes it no surprise that this area has become a prime target for attacks. Since Stuxnet, many incidents involving specialized malware have appeared. In 2017, an attack using Triton malware, targeting Schneider Electric’s Triconex safety instrumented system controllers, resulted in the shutdown of a petrochemical plant in Saudi Arabia.

    Last year, a ransomware attack on the Colonial Pipeline caused problems across the US. “The Colonial Pipeline ransomware attack stands out because it is so dangerous,” said Martin Riley, manager of managed security services at Bridewell Consulting.

Attacks on Ukraine’s power grid in 2015 and 2016 also had a huge impact, resulting in nationwide blackouts. The Industroyer malware used in the 2016 attack was designed to give attackers direct access to live control systems.

Tailored CNI attack tools break onto the scene

    CNI attack tools continue to be developed. Riley cites the example of a new piece of malware called Pipedream, which does not exploit any vulnerabilities to infiltrate target systems. Instead, it interacts with industrial computers called programmable logic controllers using Modbus and Codesys, two popular industry protocols.

The malware’s ability to leverage native functionality makes it difficult to detect. “It has yet to be seen in a successful attack, but has the highlights and capabilities to be used to great effect in any industrial control system environment,” warns Riley.
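To illustrate why protocol-native control traffic is hard to distinguish from legitimate operations, and how a defender can still baseline it, here is an added example (not code from the article or from any vendor quoted in it): a minimal Modbus/TCP request parser that raises an alert when a write function code arrives from a host that is not on the allowlist of sanctioned engineering workstations. The host addresses, unit ids and frames are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

# Modbus/TCP function codes that change PLC state (coil/register writes).
# Reads are 0x01-0x04; anything in this set is a command, not telemetry.
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    unit_id: int
    function: int
    pdu: bytes

def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header (tid, protocol id, length, unit id) plus function code."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"not Modbus (protocol id {proto})")
    if length != len(frame) - 6:  # length counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(src, tid, unit, frame[7], frame[8:])

def flag_unexpected_writes(frames, allowed_writers):
    """Return alerts for write commands whose (source, unit id) pair is not allowlisted."""
    alerts = []
    for src, frame in frames:
        req = parse_modbus_tcp(src, frame)
        if req.function in WRITE_FUNCTIONS and (req.src, req.unit_id) not in allowed_writers:
            alerts.append(f"{req.src} -> unit {req.unit_id}: "
                          f"{WRITE_FUNCTIONS[req.function]} (tid {req.transaction_id})")
    return alerts

# Constructed sample traffic (not real captures): an HMI polling a holding
# register, the same HMI writing a setpoint, then an unknown host writing.
SAMPLE_FRAMES = [
    ("10.0.0.5",  bytes.fromhex("0001 0000 0006 01 03 0000 000A")),  # Read Holding Registers
    ("10.0.0.5",  bytes.fromhex("0002 0000 0006 01 06 0010 0001")),  # allowlisted write
    ("10.0.0.77", bytes.fromhex("0003 0000 0006 01 06 0010 00FF")),  # write from unknown host
]
ALLOWED_WRITERS = {("10.0.0.5", 1)}  # constructed: the sanctioned HMI / engineering workstation

if __name__ == "__main__":
    for alert in flag_unexpected_writes(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print("ALERT:", alert)
```

The point is that nothing in the flagged frame is malformed; only the source-to-unit baseline separates it from the identical write the HMI sent a moment earlier.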

    Another newly discovered malware is called Incontroller, which cybersecurity firm Mandiant says has “extremely rare and dangerous cyber attack capabilities”.

The threat to CNI stems from the fact that a successful attack can be devastating in the most physical sense, potentially endangering lives. Increased connectivity to operational technology (OT), and connectivity into previously air-gapped environments, will increase risk, Riley said.

    As CNI becomes more and more digital, the risk is “significant” and “continues to grow,” agrees Harvey. “The consequences of a cyberattack on CNI are greater than in any other industry. This would create mass destruction, comparable to a weapon of mass destruction, rendering organizations inoperable.”

    Many variables drive the threat, including geopolitical instability as well as technological changes such as the Internet of Things (IoT).

    The increasingly digital supply chain is also a threat. Third-party connections pose additional risk by “providing a primary target entry point,” says Harvey.

    Fighting CNI threats in a digital world

    To build resilience, says Harvey, organizations must understand the level of risk, threats, and vulnerability. He advises companies to complete critical assessments and map dependencies within the CNI and its supply chain to “fully understand their digital ecosystem and where the risks lie.” This should include who has access to the data and what happens if the supply chain is compromised. At the same time, taking advantage of advanced threat intelligence tools and their capabilities is “priceless,” he added.

Experts recommend that CNI protection should involve the integration of IT and OT networks. “This can be done by leveraging program assessments to identify security vulnerabilities so legacy systems can first be secure,” continued Harvey. He advises future-proofing operations through “fast, security-focused infrastructure.”

    It’s important not to lose sight of the basics of cybersecurity, says Riley. “You need to ensure full visibility of all systems without affecting operations.”

This means understanding which sites, plants and systems need the best control. “While risk management around these issues will be years in the making, architecture and cybersecurity must be seen as transformational initiatives, as automation continues to be,” said Riley.

CNI companies need to make sure they are as secure as possible to avoid future threats. Will Dixon, director of academia and community at ISTARI, points to Costa Rica’s recent declaration of a national emergency after government systems were held to ransom.

    Indeed, data-locking ransomware is affecting all sectors, including CNI, where the consequences can be particularly dire. Going forward, SANS Institute instructor Christopher Robinson thinks there will be more instances of ransomware affecting CNI systems, “even if not directly.”


Riley agrees: “As ICS-specific malware investments continue, ransomware could take another form on CNI, where industrial control systems are held for ransom or destroyed through attacks,” he predicted.

This is set against the backdrop of an ever-expanding attack surface, which will also elevate the threat. “Threats to the system will continue to increase as enterprises connect CNI to other networks such as the cloud, attackers develop better toolkits, and interdependencies between the enterprise network, the industrial Internet and CNI continue to grow,” said Robinson.

This has led to increased regulation around CNI, and experts predict this will continue. Harvey cites the example of the EU’s NIS2 directive, which aims to strengthen cybersecurity requirements, address supply chain threats and provide accountability for non-compliance. “This will likely lead to improved reporting and information sharing, just like the financial services sector.”
