Criminals are tirelessly attacking critical infrastructure around the world and compromising the Industrial Control System and the Supervisory Control and Data Acquisition systems that control these infrastructures, writes Anthony Perridge. In 2010, the Stuxnet worm infiltrated numerous control systems and damaged nuclear power plants. Five years later, the BlackEnergy malware attack on the Ukrainian power supply became the first cyber attack that caused a blackout.
However, the term critical infrastructure not only covers the power grid, but also areas such as the military, manufacturing, healthcare, transport, water supply and food production. In 2017, the outbreak of the ransomware named WannaCry affected several healthcare companies. In 2018, the US CERT, together with the National Cyber Security Centre and the FBI, issued a warning that the Russian Government had launched an attack on critical infrastructure in various industries.
In addition, for several years now, threats to air travel booking and public transit systems have been making the news headlines. In early 2019, the ransomware variant LockerGoga began infiltrating and disrupting the production processes of chemical companies and aluminium producers.
According to an investigation conducted by (ISC)2, there’s a shortfall of nearly three million cyber security experts worldwide, and nearly 60% of the 1,452 survey respondents believed that their company was at medium to high risk of virtual attacks. The existing security teams are barely able to handle the myriad alerts. Moreover, they’re often not sufficiently represented at senior management level to receive the necessary attention and support for important initiatives. For example, only 31% of organisations in the aviation industry have a dedicated CISO.
To make the most of their existing resources, security teams must be able to understand and prioritise the threat data and alerts within the context of their organisation. This gives teams the opportunity to easily and clearly communicate relevant security issues to management and justify the additional resources needed in order to improve security processes.
More and more attacks use multiple vectors in parallel and make the defence more difficult. The US CERT warning cited above mentions a variety of these used TTPs, including spear-phishing e-mails, watering hole attacks, credential capture and specific attacks on Industrial Control System and SCADA infrastructures.
At the same time, the attack surface is growing as critical infrastructure operators increasingly migrate to the cloud, introducing mobile devices and the Internet of Things (IoT). More than two-thirds of IT executives in the oil and gas industry said they are more vulnerable to security breaches because of digitisation (the provision of digital technologies for advanced automation).
Companies can protect their digital landscape against threats only if they have an overview of the entire infrastructure and the ability to continuously evaluate and prioritise threat intelligence.
Modern security features
Many ICS and SCADA systems have been in use for years and don’t have modern security features that can protect against current threats. The number of reported weaknesses in the production area increased significantly in 2018 compared to the previous 12 months. However, these systems are rarely updated as operators fear interruptions.
Despite increasing attacks on critical infrastructure, protection has not been extended. Rather, it has become even worse as the devices and systems are increasingly connected to the Internet without any attention having been paid to the security implications. Although those responsible for IT and Operational Technologies have different goals, processes, tools and concepts, they must work together as their environments grow closer.
Surveys among security officers say that 75% of businesses assume they will be the victims of cyber security attacks on OT/Industrial Control Systems. However, only 23% adhere to the industry’s minimum legal requirements for cyber security.
Impact on the business
Headlines about attacks on critical infrastructures are quickly portrayed as a sensation. It’s often difficult to find the facts behind the report and to understand the impact of a large-scale cyber campaign on the business. It’ not enough to update only the Industrial Control System and SCADA devices. With a trusted threat intelligence platform, companies can identify and respond to the truly relevant threats.
Tips to help organisations minimise their cyber risk:
*Consolidate all sources for external (such as OSINT) and internal (SIEM, for example) threat and vulnerability data in one central repositori
*Collect security-related information about the entire infrastructure (local, cloud, IoT, mobile and legacy systems) by integrating vulnerability data and threat intelligence in the context of active threats
*Filter non-relevant information, avoiding overload due to too many alerts, and easily navigate massive amounts of threat data to focus on critical resources and vulnerabilities
*Prioritise the most important data depending on the individual situation, with the possibility of dynamic adaptation as new data and insights become available
*Proactively search for malicious activity that can demonstrate malicious behaviour, Denial of Service attacks and other disruptions and potential harm to customers, employees and key components alike
*Focus on aspects beyond reactive measures to aid detection, response and recovery
Anthony Perridge is Vice-President (International) at ThreatQuotient