In May 2021 when the gasoline supplies to the East Coast of the US went down as a consequence of the Colonial Pipeline ransomware attack, nobody foresaw the mass panic that the hack would entail. Breaching the internal systems which controlled the company’s billing and supplies with the aid of a compromised password, DarkSide crippled the largest fuel pipeline in the US, leading to shortages and triggering unheard-of panic, with users resorting to carrying gasoline in flammable cans. Investigations would later show the company ‘had failed to observe cybersecurity best practices, and some of the implemented measures were incapable of protecting against the attack.’ (1)
Though not the first of its kind, the scale of the attack prompted an immediate response from the administration. President Biden was quick to sign an executive order instructing and empowering the U.S. federal government to act decisively to protect and secure its cloud-based, on-premise, and hybrid systems. CISA followed 5 months later issuing an alert regarding the cyber threats to US water and wastewater systems.
The word was out: A new warfare had begun and attacks on critical infrastructure were not to be taken lightly.
What is critical infrastructure?
Palo Alto (2) defines it as the assets, systems, and networks – physical and virtual – that are essential to the proper functioning of a society’s economy, national public health or safety, security, or any combination thereof. Critical infrastructure includes food and agriculture sectors, transportation systems (e.g., roads, railways, highways, airports), water supply (e.g., drinking water, wastewater/sewage), internet and mobile networks, public health (e.g., hospitals, ambulances), energy (oil and gas), electric utilities, financial services, telecommunications, defense, and more. In the US, this infrastructure is predominantly owned and operated by the private sector, while some are owned by federal, state, or local governments. In the past, these systems were primarily physical in nature, but with the advent of the internet and IoT devices, they are now fairly digital as well.
With so much dependence on such sectors, it is obvious that attacks on them have the potential to create wide-scale compromise of crucial systems and even loss of lives. What’s more is that such systems are often interconnected, meaning that multiple sectors can experience a devastating impact.
No sector is exempt
The earliest and most famous attacks on critical infrastructure came in 2013 when Iranian hackers breached the Bowman Avenue Dam in New York and gained control of the floodgates. Coming in the wake of the 2010 Stuxnet worm that the US and Israel released on uranium centrifuges in Iran, the Bowman breach sent a clear message to the US Government that the hackers had the wherewithal to manipulate systems surrounding their critical infrastructure.
None of the sectors are exempt, as this listing of some of the major attacks (3) around the world will show.
- Dec 2015: BlackEnergy malware inflicts the world’s first major power outage caused by a cyberattack on Supervisory Control and Data Acquisition Systems (SCADA) in Ukraine leaving thousands of homes without electricity
- Feb 2016 : Hackers compromise SWIFT banking codes to successfully withdraw USD 81 million from Bangladesh Central Bank. A timely discovery prevents a further USD 20 million from being withdrawn
- Dec 2017 : Triton malware is successfully introduced in the Safety Instrumentation Systems (SIS) of a Saudi Arabian petrochemical plant with the objective of taking lives via an explosion/toxic gas leak. Believed to be state-sponsored, the danger is averted due to an accidental shutdown of the plant
- Mar 2021: Phoenix ransomware hack on CNA Financial via a browser phishing attack results in the largest-ever cyberterrorist attack on the financial and insurance Negotiated ransom of USD 40 million paid for decryption keys to restart operations
- Mar 2021: Hackers (4) demand an initial USD 40 million from Broward County School District in Florida, US, later lowering their price to USD 10 million. After the district offered to pay a smaller sum, the hackers published nearly 26,000 exfiltrated files
- May 2021: Russian-backed REvil inflicts the biggest yet ransomware attack on US operations of the JBS food chain, the world’s largest multi-meat processing company causing immense meat shortages and panic buying. A ransom of USD 11 million is paid to the hackers in bitcoin
- May 2021: DarkSide successfully brings down Colonial Pipeline oil operations on the East Coast of the US. Colonial Pipeline meets the ransom demand of USD 4.4 million
- May 2021: A malware attack on the Scripps Health facility causes it to shut down its patient portal causing high-risk patients to be diverted to nearby facilities, and compromising some 147,000 patient and medical practitioners’ personal data. Losses estimated to be in the vicinity of USD 113 million
- May 2021: DarkSide successfully encrypts German chemical distributor Brenntag’s North American division network and steals unencrypted files. A ransom of USD 4.4 million is paid in bitcoin for the encryption key and to prevent the leakage of stolen data
- August 2021: Hackers successfully infiltrate cellular network giant T-Mobile accessing the personal data of an estimated 7.8 million subscribers and some 54 million (5) erstwhile applicants for credit facilities
The Challenges
Considerable challenges are foreseen with regard to improving the cybersecurity posture of critical assets. These include:
- Critical infrastructure is very often interconnected and complex in nature
- Many of the assets are legacy systems. Many are deemed outdated and insecure as it is relatively difficult to protect old and ageing systems
- Many of the assets are partially connected to new devices thereby increasing the complexity of their architecture and making them harder to protect
- Most of the deployments are privately owned and require the private and public sectors to collaborate to protect against threats
Paolo Alto (2) lists the touchpoints for critical assets care.
- Protecting unpatched commercial off-the-shelf (COTS) systems from known cyberthreats
- Protecting against zero-day methods to disrupt production and exfiltrate data
- Managing disjointed, distributed network and endpoint security products
- Securing unmanaged, unsecured IoT and BOYD devices.
- Insuring operations and security of remote outside-plant environments with security solutions
What’s being done?
Considering the impact such attacks can have on both life, property and national security, Governments the world over are taking a tough stance against these attacks. In the US, President Joe Biden’s directive to safeguard critical infrastructure was followed up with the identification of 16 sectors that merit special care regarding ransomware attacks. The attack, among others, prompted the Biden administration to determine 16 critical infrastructure sectors within the US and warn against ransomware attacks targeting them. The President’s remarks were aimed at global leaders urging them to cooperate in protecting critical infrastructure against increasing attacks. The National Institute for Standards and Technologies (NIST) has enforced the IoT Cyber Security Improvement Act to ensure the public sector in the US extends robust protection and security capabilities in all IoT deployments.
The European Union Agency for Cybersecurity (ENISA) mandated cybersecurity guidelines and standards for IoT supply chains in 2020, with a view to ensuring private companies operating critical infrastructures achieve recommended cybersecurity preparedness.
Germany’s government is currently implementing measures to improve the security of its communication systems with a view to protecting critical information, and the Australian Signals Directorate (ASD) has issued “Strategies to Mitigate Cyber Security Incidents” guidelines to help Australia’s critical infrastructure in order to protect the nation’s digital assets.
The Indian Government continues to be on high alert with regard to possible attacks on its state-owned refineries across the country.
Final Words
Statistics show that cybercriminal and cyberterrorist acts on critical infrastructure continue to proliferate, with both financial gain and political/national damage in mind. 2021 witnessed by far the biggest attacks. Trend Micro (6) reported that nearly 89% of organizations that manage critical infrastructure suffered a cyberattack in 2021. Education and research were the top targets for cyber attackers in 2021, with a 75% increase from 2020, according to research by Check Point Software Technologies.
Yet despite the worrying trends there seems to be a widespread lack of awareness about attacks on critical infrastructure. The study of over 2,000 (1) participants across the United States, revealed that end-users are less concerned with attacks that target critical infrastructure and operational technologies. 21% of individuals have not heard of the ransomware attack on Colonial Pipeline. Even more concerning is the lack of technical know-how to identify, thwart and remediate these threats. Insights from this report show that 48% of companies (6) that admitted disruptions didn’t go through with improvements and efforts to minimize future threats. Moreover, 40% of respondents admitted they weren’t able to block the attack coming their way.
All of which goes to reinforce the thinking that protection from cyber threats to critical infrastructure has assumed the status of being an increasingly uphill battle.
Aurora Systems Consulting Inc. offers a suite of cybersecurity services to help protect your organization. To learn more, reach us at sales@aurorait.com or call +1 888 282 0696
References:
- 8 Cyber Attacks on Critical Infrastructure – CyberExperts.com
- What Is Critical Infrastructure? Why Does Critical Infrastructure Security Matter? – Palo Alto Networks
- Top 7 Cyberattacks on Critical Infrastructure – FirstPoint (firstpoint-mg.com)
- Cyber Attacks on Schools: Who, What, Why and Now What? (govtech.com)
- T-Mobile hack: Here’s what we know about the massive data breach – CNET
Critical Infrastructure Cyber Attacks: A New Form of Warfare (dataprot.net)
