Critical infrastructure cyberattack risk: from emerging concept to harsh reality
The current landscape
Cyberattacks targeting power grids and manufacturing plants in Europe over the past two years led me to believe that we would see the first major cyberattack on U.S. critical infrastructure in 2018. At the mid-year mark my prediction has already become a reality.
The recent cyberattack in Atlanta destabilized municipal operations and left software applications that control crucial city services including the court system, law enforcement, and the watershed department inoperable. In addition to the 2.6 million dollars immediately invested in emergency response to the attack, it is estimated that 9.5 million dollars will need to be added to the department’s 35-million-dollar budget to address the remaining damage. This attack is likely the worst cyberattack targeting a U.S. city to date and demonstrates how a cyberattack can easily disrupt day to day life for an entire community – yet it is just the tip of the iceberg when it comes to the impact of cyberattacks on critical infrastructure.
I am not making these predictions to send organizations, governments and citizens into a panic; instead, my aim is to spread awareness around why critical infrastructures are currently a top target for cyberattacks, what the different motives, approaches, and consequences of these attacks could look like – and solutions to mitigate these risks before my predictions become reality. This piece will explore the current critical infrastructure vulnerabilities, the different types of attacks that can exploit these vulnerabilities and best-practices for protection.
OT and IT mindset gap is appealing to attackers
Historically, “keeping the lights on” and avoiding any downtime has taken priority over security practices within critical infrastructure and industrial control networks. Furthermore, industrial control networks and critical infrastructures such as power grids are still operating on legacy systems that the management is hesitant to interfere with, whether by adding monitoring systems, patching or updating them. The OT manager’s perspective of “if it’s not broke, don’t fix it” made perfect sense until recently, but today, when the motives of malicious actors increasingly focus on causing physical damage and disrupting day-to-day lives, we see a conflict of interest between OT managers and IT/security managers, which poses a risk on critical infrastructures.
The malicious motives
Although it is still a major end-goal, in today’s complex threat landscape the driving forces behind critical infrastructure attacks have expanded and matured beyond money. Attacks can also be politically charged. For example, North Korea has been implicated in a number of major cyber-attacks over the past few years, primarily against South Korea – and has been officially identified as the instigator of the WannaCry cyberattack that crippled hospitals, banks and other companies across the globe. Today, when equipment within physical facilities such as compressors, centrifuges, electric substations and water treatment devices are all digitally controlled, attackers have direct access to take them down, causing unimaginable consequences. In the case of an attack on a water treatment facility, cyber attackers can harm both the environment and mass-poison individuals that the water from the treatment facility distributes to. Furthermore, attacking an electric grid can cause a blackout, as we’ve observed in the Black Energy attack in 2015. The United States Computer Emergency Readiness Team recently issued a report demonstrating cyber reconnaissance activity directly targeting US critical infrastructure including nuclear, water and aviation facilities, attributed to Russian malicious actors. In these attacks, malicious actors were able to use conventional IT attack vectors like phishing emails and drive-by downloads to penetrate IT networks, locate IT and OT network touchpoints, and find their way into the sensitive OT network to access critical physical devices. This highlights the risk of IT/OT network convergence. Knowing these consequences should motivate organizations to shift from considering security as an afterthought – and instead, factor it into operations despite legacy systems and practices.
Reversing the risk
Acknowledging recent critical infrastructure attacks – and their broader implications for the future – has finally spurred the overdue sense of urgency for companies and governments to secure their critical infrastructures and industrial control systems. Luckily, securing infrastructures is much less of an undertaking than expected – and by no means needs to disrupt or halt power grid, manufacturing plant and industrial control activity. Critical infrastructure security centers around consolidating IT and OT.
Minimize IT/OT touchpoints
While IT and OT convergence will not be eliminated, management needs to minimize IT/OT touchpoints – this will reduce the risk of an attacker executing a “quick win.” More connections mean OT networks are more accessible from the outside, and from the connected devices linked to the outside OT network. Take for example a phishing email that is opened by an employee connected to the organizational IT network. This email is the gateway into the OT network. Organizations should introduce network monitoring solutions to map their IT and OT network, highlight risky touchpoints and eliminate unnecessary connections. They can also leverage unidirectional security gateways to restrict information flow from IT to OT networks. Having said that – we should never assume that we can airgap the OT network. IT/OT touchpoints will always exist and we should implement OT security measures such as anomaly detection to detect potential threats that were able to penetrate into the OT network. These systems have very low impact on the OT network and can serve both the interest of the IT manager and the OT manager as they not only increase security, but also support continuity – with minimal impact.
Maximize IT/OT management connections
Communication between IT and OT departments is crucial to gaining visibility into where the technological connections (and vulnerabilities) exist within the overarching network and infrastructure. In some cases, OT devices such as PLCs have not been patched for years – and OT cannot clue IT into what software devices are running where within the network – and whether or not they are patched. Once a holistic view of the network is gained – IT and OT can work together to implement a “quick fix” on vulnerable areas.
Once OT managers have visibility into their network, they can identify and prioritize vulnerabilities such as outdated device software and increase their OT networks’ resilience to cyberattacks. What’s important to keep in mind is that implementing these processes does not call for halting, or even interrupting operations – it only entails tools that passively monitor and uncover connections and assets. Therefore, after considering this approach and impact, it’s a no brainer that connecting the IT/OT gap and re-writing historical practices together is in the best interest of governments, organizations and civilians.
My prediction that we would see the first major cyberattack on U.S. critical infrastructure in 2018 already came true. Before the other attack scenarios I outlined become an alarming reality, IT and OT management need to come together at the pace that IT/OT/IoT networks are converging. They must establish and execute simple, straightforward, and achievable security precautions and policies to mitigate risk.
This article was written by Adi Dar, an experienced cybersecurity leader and chief executive who has repeatedly lead the development and launch of successful products and services in highly competitive markets.