Nation State-Sponsored Hacking: Compounding Cyber Security Risks

Posted On 15 Feb 2018
Comment: Off

Such is the prevalence of cyber attacks that all companies are at risk. There’s a higher than average likelihood of being hit if a company holds digital data on customers and – not surprisingly – in those businesses where senior managers fail to prioritise cyber security. As Paul Darby explains, organisations for whom online services are not seen as core to their business are also more vulnerable.

Last April, the Government announced that almost half (46%, in fact) of all UK businesses had been hit by a cyber breach or attack in the past 12 months. The Cyber Security Breaches Survey 2017 found that nearly seven-in-ten large businesses identified a breach or attack, with the average cost to those firms over the year being £20,000. In some cases, that total reached millions.

Manufacturing, engineering and utilities companies are slowly coming to the realisation that what they had previously considered to be entirely secure and separate Control Rooms and networks can be breached by something as simple as an Internet of Things-enabled coffee machine being connected mistakenly to the internal network instead of to an isolated Wi-Fi connection. This happened recently at a chemical engineering plant which, it’s thought, was then infected by the now notorious WannaCry ransomware.

Industrial organisations from factories to power plants prioritise availability above all else. Operating technology (OT) is designed to run constantly because any interruption could lead to serious production delays and onerous financial implications. OT is traditionally open and robust and very much built for safety because engines, motors and processors present a physical risk to operators.

Conversely, IT is less concerned about physical safety and much more worried that a breach of computer networks could wipe out essential data or otherwise allow hackers to gain access to sensitive control systems.

Clearly, a balance needs to be struck between ensuring uptime and guarding against the risk of cyber attack. As OT and IT systems continue along the convergence path, clearly this becomes an increasingly urgent matter.

No longer immune

The industrial sector can no longer think of itself as being immune, or somehow less appealing to hackers than banking or the commercial sector. These attacks are motivated not just by money, but also to cause the maximum amount of disruption. What could be more appealing to a rogue nation state than shutting down a vital production line, disrupting a water supply or turning off the power to an entire city?

An alarming and increasing number of incidents prove the point. In July last year, The Times reported that senior engineers at the Electricity Supply Board, which serves both Northern Ireland and the Republic, were sent e-mails containing malicious software. The intention was to infiltrate control systems in order to take out part of the electricity grid.

News reports last year also highlighted how hackers broke into a water utility company’s control system and altered the levels of the chemicals being used to treat tap water. This was enabled by ageing operational control systems and log-in details that were stored on the front-end web server. While there’s no indication that the attackers understood how the flow control system in the company actually worked, this didn’t deter them in the least from modifying application settings.

Meanwhile, breaches that are financially motivated continue apace. The same WannaCry attack, which seriously affected NHS systems back in May (and prompted the coffee machine incident), then went on to cause disruption at Nissan’s production plant in Sunderland and later at Honda, where production was halted in Tokyo for an entire day.

Work of nation states

While it’s challenging for those operating outside of intelligence organisations to be able to categorically deny or confirm from where an attack originates, there have been a number of claims that the WannaCry ransomware was the work of a nation state. Recently, Ben Wallace (the Minister of State for Security) also added weight to this claim by stating that the UK Government believes “quite strongly” that the attack came from a foreign state.

What all of these incidents indicate is that, even with traditional endpoint and perimeter security in place, it takes only one phishing e-mail to be opened, one vulnerable application to go ‘unpatched’ or one set of log-in details to be out of date and the entire network is wide open for cyber criminals to exploit. With nation states sponsoring the development of advanced cyber tools and techniques, traditional security infrastructures can be easily breached.

Both WannaCry and Petya malware attacks spread quickly and have also been attributed to nation state-sponsored hacking. Major – and some not so major – powers employ networks of highly-trained and very capable computer hackers to probe the defences of other nations and/or develop advanced attack tools. Many of these tools have made it far easier for less talented hackers to launch more sophisticated attacks, in turn accelerating the obsolescence of traditional security measures.

The explosion in the availability of tools combined with the increasing frequency of attacks against systems run by engineering, industrial control and utilities companies signals that point at which we’re entering a new era of critical breaches and vulnerabilities beyond anything imagined by most of today’s Chief Information Security Officers.

Present day Ukraine

The Ukraine has suffered repeated blackouts, including one blamed on a sophisticated cyber attack which left no less than 700,000 homes without water or electricity in the coldest months of winter. This occurrence took place for the second year in succession.

After investigating, the Ukrainian authorities blamed Russia, a country with which Ukraine has been in conflict for years, although Moscow has denied any involvement. The hack affected power company networks and eventually compromised a VPN used for remote access, including the highly specialised industrial control software that affords operators remote command over equipment like circuit breakers.

It’s exactly this type of national cyber campaign that has led our own Department for Digital, Culture, Media and Sport to launch a consultation exercise which is designed to make Britain’s essential networks and infrastructure safe, secure and resilient against incidents of this nature.

One possible outcome of the EU’s upcoming General Data Protection Regulation could be financial penalties for those companies who neglect to implement effective cyber security measures. Currently, it’s reported that these penalties could reach into the millions of pounds bracket or up to 4% of global turnover. If organisations haven’t given appropriate consideration to the risks they face, implemented security measures and engaged with competent authorities then they’re likely to be fined if attacks prove successful.

Certainly, our Government’s five-year National Cyber Security Strategy does compel essential infrastructure service providers to evaluate and address their security systems. Any network, system and server vulnerabilities will need to be thoroughly assessed and members of staff educated or trained to enforce strict rules. Unwittingly, staff can be a weak link in the security chain as the WannaCry ransomware and NotPetya attacks so clearly illustrated.

Zero trust approach

Nation state-sponsored attacks bring with them an added layer of complexity. Cyber espionage is notoriously difficult to deal with because the enemy is unknown and, when that enemy’s also hidden by state assets, this makes the likelihood of detection even more doubtful.

Organisations will find it hard to trust anyone, which means that until there’s a more reliable method for identifying attackers, the only way in which to deal with today’s threats is by adopting a zero trust approach.

This is enabled by using powerful technology that delivers granular access controls to assets and programmes based on trust, earned through a number of key metrics. Trust should be measured across all devices, software, users and systems at all times.

Connections should be permitted only on the basis of having a deep knowledge of where a connection initiates from and where it’s going to, validation of relevant credentials and continuous monitoring to ensure that access is restricted only to approved assets.

With the cloud computing revolution firmly underway, companies are introducing more devices to take advantage of remote access to their systems. While this means easier facilitation for remote employees, it also means that data is potentially being delivered across unsecured networks, or through a VPN, which gives access directly. The net result of this can be the exposure of valuable information.

Paul Darby is Regional Director (EMEA) at Vidder

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.