As all the annual security reports show, the rate of cyber attacks on businesses and other organisations is increasing each year. A growing part of that attack spectrum is cyber attacks on critical infrastructure Operational Technology (OT) environments such as water supply control systems, petrochemical plants, transport infrastructure control systems and all manner of other SCADA (Supervisory Control and Data Acquisition) systems.

Many of these OT environments make up part of our critical national infrastructure and would be prime targets for any hostile nation during a conflict. In conventional warfare, an attacking force would use missiles and air power to disable command and control infrastructure and so disrupt the enemy’s ability to respond. In parallel, it would select and prioritise transport infrastructure such as railways, bridges and airfields. Next, the target list would include the POL (Petrochemical, Oil and Lubricants) sites, to disable the enemy’s ability to resupply its aircraft, trains, ships and vehicles. Water supplies, power generation and distribution, TV, radio and other targets would also be included, depending on the overall strategic aims of the aggressor.

Watch FREE Webcast to learn about Visibility and Cybersecurity in the ICS/SCADA Realm

National Actors Preparing for Cyber Attacks on Critical Infrastructure

A quick analysis of these target types shows a clear correlation between physical targets and cyber targets, as all of these infrastructure elements are typically highly automated and controlled electronically through sensor systems, relays, control valves, flow controls, pumps, switches and all manner of industrial controls. Inevitably, many nations have developed cyber warfare capabilities so that they can attack such targets remotely, at far lower risk to themselves. As a result, the cyber warfare elements of many nation states routinely carry out reconnaissance operations against potential adversaries. In recent years we have seen nation-state threat actors attack the power grids of other nations, and there is speculation that these were operational tests of capabilities that could be used against other potential enemies in the future.

Attacks of this type are typically aimed at disrupting supply, but there have also been attacks designed to cause permanent damage to OT systems. This further supports the conjecture that these attacks are becoming more aggressive.

Criminal Potential of Cyber Attacks on Critical Infrastructure

If this were not enough of a problem, the success of attacks of this type has inevitably attracted the interest of the criminal fraternity. They have seen that these attacks can have a significant impact across large portions of a country’s population. That opens the door to criminal disruption being used as a way of coercing a target into paying not to be attacked. For example, an electricity supplier could suffer significant losses in share price, compensation for loss of supply and regulatory fines if it experienced a major interruption to electricity supply. If attackers can demonstrate their ability to cause severe disruption, they may well be able to pressure the organisation into paying ‘protection money’ to be spared. Alternatively, they may use an attack to establish remote control and disrupt the control room itself using ransomware, as we have seen in previous attacks. By holding the control system to ransom and taking control of it themselves, they would be able to extract significant ransom payments from victim organisations.

Cyber attackers often share code and techniques, either on forums or through auction and sale sites on the dark web, and we can expect this trend to continue. Nation-state threat actors have much to gain from the criminalisation of these attack types. Firstly, it creates more plausible deniability, as investigations can easily be misdirected by traces that point to criminal involvement. Secondly, as the criminal community builds its expertise in cyber attacks on critical infrastructure, it opens up the possibility of nation states contracting criminal groups to carry out attacks on their behalf. Thirdly, involving criminal groups ensures a wide pool of attack developers is active, which allows a nation-state threat actor to acquire attack tools and code from the dark web for use in its own reconnaissance and assaults.

OT Security Insufficient Against Cyber Attacks on Critical Infrastructure

Clearly, there are significant advantages for aggressors of all types in the OT environment. Given the current state of OT security, where old serial-style protocols with no security built in are run across networks they were never designed for, we should not be surprised that attackers are finding many vulnerabilities.

All of this means that nation states have a lot to gain from seeding external criminal activity around OT cyber attacks. And as criminal gangs carry out successful attacks and generate income, their incentive grows, they continue to expand their capability, and more attacks follow.

All of this is happening in a world where our dependence on OT is growing across a huge array of new control environments. Smart buildings, smart integrated rail systems and potentially self-driving cars on smart road systems are just a few examples of how OT control systems are reaching into every aspect of our lives. In a perfect world these systems would be completely isolated from any reachable network and would be closed systems, but in reality there are usually external links of some form. For example, there may be remote access links for third-party maintenance engineers, and information from the OT environment is often needed to drive the commercial billing systems. In electricity generation there needs to be a real-time feedback loop between user consumption and demand, as well as the ability to bill the various power distribution providers. These connections between the control environments and the commercial networks inevitably give cyber attackers some opportunity to move between the networks, infiltrating as they go.

Taken together, this means that there is a greater attack surface, and that attack surface is visible to an increasing number of threat actors, including nation states and criminal gangs. Cyber attacks on critical infrastructure, and on the OT systems that form part of it, will inexorably increase.

Tony Rowan is Lead Security Architect at Cyberbit