Cyberthreats facing the utility sector

The last twelve months have seen an uptick in cyber-attacks, with defences falling. Earlier this year there were attacks on three German wind-energy firms – Deutsche Windtechnik AG, Nordex SE, Enercon GmbH – that disrupted their operations and, in the case of Nordex, forced it to shut down its information technology systems. Staying with Germany, there were attacks against two logistics companies that are subsidiaries of the Marquard & Bahls logistics group – Oiltanking GmbH (which supplies Shell Deutschland GmbH) and Mabanaft GmbH. In India, a flood monitoring system run by The Water Resource Department was hit, forcing it offline. And it would be remiss not to mention the attack against Colonial Pipeline in 2021.

An organisation doesn’t even have to be attacked directly: a cyberattack on a supplier can be just as damaging, as Toyota experienced in March this year when it had to stop production following a cyberattack against Kojima Industries, which supplies it with plastic parts and electronic components.

Speaking at Infosecurity Europe, a cybersecurity conference held in London at the end of June, Marsha Quallo-Wright, deputy director for critical national infrastructure at the National Cyber Security Centre (NCSC), said that the impact of a ransomware attack on critical infrastructure means that this attack vector is “potentially as harmful as state-sponsored attacks.” Of course, it’s not just ransomware that poses a threat, as highlighted by the Department for Digital, Culture, Media and Sport. In its policy paper titled ‘2022 cyber security incentives and regulation review’ it said: “For every highly sophisticated hostile state attack such as SolarWinds, there are hundreds of low-level phishing, denial of service, and ransomware attacks.”

So how can the utility sector, and indeed all critical infrastructure operators, adequately defend themselves from threat actors determined to cause damage and disruption?

Digital transformation has introduced risks

We are seeing dramatic change in the utility sector, not least in the move to harness natural energy rather than fossil fuels. Wind, solar, water – these are the power sources of the future. And alongside this revolution, digital technology is making it all possible. Driven by the need for both efficiency and resiliency, digital transformation is helping to shape and create new business models and ecosystems, deliver new products and services and operate more efficiently. A key component of this is the underlying infrastructure.

While physical devices are typically controlled by operational technology (OT), increasingly these systems are connected to, and even monitored by, IT systems. To enable this, new digital compute platforms and development shifts, such as cloud, mobile, SaaS and DevOps, empower us to move from concept to capability on a daily basis.

However, while digital transformation delivers immense benefits, it also hugely expands the attack surface organisations have to defend. Attackers have capitalised on these converged networks, as the incidents above illustrate, to move laterally from one system to another. Compromising just one device lets them pivot from applications to systems to networks, and even across the divide from IT to OT and back again, meaning an attack can, and does, render systems inoperable.

Addressing attack paths

The harsh truth is that the vast majority of attacks are preventable. Threat actors rely on leveraging unpatched, legacy vulnerabilities across a wide spectrum of software solutions to infiltrate organisations. In the case of ransomware, research from Tenable’s Security Response Team determined that over 30 known but unpatched vulnerabilities were leveraged by Conti (a ransomware gang) and its affiliates alone. Addressing these flaws would dramatically reduce the number of attack paths threat actors can exploit.

While that sounds simple, the reality is a little more complex, particularly for critical infrastructure operators. Operators require a holistic view of both IT and OT environments, and of the interdependencies that exist for critical functionality, to be able to identify where weaknesses and vulnerabilities exist. When it comes to physical OT environments, it’s important to go beyond simply listening to network traffic and to actively query devices in their native protocols.

Once a holistic viewpoint is established, the next step is to identify which weaknesses would cause theoretical versus practical damage. From there, steps can be taken to remediate the risks where possible, or to monitor the assets related to the risk for deviations, so that attacks are nullified.

Knowing where to start can seem insurmountable, but there are a number of resources at hand. The UK’s NCSC published a joint cybersecurity advisory with key cyber agencies in Australia, Canada, New Zealand and the United States that underscores a key trend regarding the most routinely exploited vulnerabilities. Advisories and guidance are vital for organisations because they provide strong intelligence about which vulnerabilities bad actors are actively exploiting.
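The three steps above (inventory IT and OT together, separate practical from theoretical damage, and prioritise what an advisory says is actively exploited) can be captured in a small ranking script. This is an added example, not code from the article or from any vendor: the asset inventory, the network links and the “routinely exploited” list are all constructed, and the CVE identifiers are placeholders rather than real ones.

```python
"""Rank unpatched findings by attack path rather than by raw vulnerability count.

Constructed sample data: a handful of IT and OT assets, the network links between them
(including the IT-to-OT crossing), and a placeholder advisory list of exploited CVEs.
"""
from collections import deque

# Constructed inventory: asset -> (zone, internet_facing, set of unpatched CVEs).
ASSETS = {
    "vpn-gw":   ("IT", True,  {"CVE-PLACEHOLDER-A"}),
    "hist-srv": ("IT", False, {"CVE-PLACEHOLDER-B"}),
    "eng-ws":   ("IT", False, set()),
    "plc-01":   ("OT", False, {"CVE-PLACEHOLDER-C"}),
    "hmi-02":   ("OT", False, {"CVE-PLACEHOLDER-D"}),   # isolated: no path reaches it
}
# Constructed reachability: which assets each asset can talk to.
LINKS = {
    "vpn-gw": ["hist-srv", "eng-ws"],
    "eng-ws": ["plc-01"],          # the engineering workstation bridges IT and OT
}
# Placeholder for an advisory's "routinely exploited" list (constructed ids, not real CVEs).
ACTIVELY_EXPLOITED = {"CVE-PLACEHOLDER-A", "CVE-PLACEHOLDER-C"}


def reachable_from_internet(assets, links):
    """Breadth-first walk from every internet-facing asset; returns {asset: hop count}."""
    hops = {name: 0 for name, (_, exposed, _) in assets.items() if exposed}
    queue = deque(hops)
    while queue:
        cur = queue.popleft()
        for nxt in links.get(cur, []):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def rank_findings(assets, links, exploited):
    """Score each (asset, CVE): on a path from the internet +4, exploited in the wild +3,
    OT asset +2. Returns (score, asset, cve, hops) sorted with practical risk first."""
    hops = reachable_from_internet(assets, links)
    findings = []
    for name, (zone, _, cves) in assets.items():
        for cve in sorted(cves):
            score = (4 if name in hops else 0) + (3 if cve in exploited else 0) + (2 if zone == "OT" else 0)
            findings.append((score, name, cve, hops.get(name)))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))


if __name__ == "__main__":
    for score, name, cve, hop in rank_findings(ASSETS, LINKS, ACTIVELY_EXPLOITED):
        print(f"{score:>2}  {name:<9} {cve:<18} hops={hop}")
```

The isolated HMI carries an unpatched flaw but no path reaches it, so it ranks last; the reachable PLC with an actively exploited flaw ranks first even though it is two hops in.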

Return on investment

In the case of Colonial Pipeline, held to ransom in May 2021, the company reportedly paid its hackers $4.4 million to regain access to its systems. Some of this money, purportedly $2.3 million, was later recovered by the Department of Justice. However, the ransom is just one financial implication of the attack. There are the staff hours spent investigating and resolving the outage and communicating to external audiences, and the reputational damage, to name just a few. It’s not just the affected organisation that pays the price: fuel costs spiked in the US in the days after the attack as a result of the impact on supplies, affecting citizens and local businesses alike.

In the UK and across Europe, there are regulatory ramifications too. The Network and Information Systems Regulations 2018 derive from an EU Directive that looks to ensure economic resilience against cyber-attacks by raising the level of security of the providers of essential services that citizens and businesses rely on. In the UK, non-compliant organisations face fines of up to £17 million.

Benjamin Franklin is credited with saying “an ounce of prevention is worth a pound of cure”, and this certainly holds true for cyber-attacks. Trying to protect everything can be soul-destroying, given that it is practically an impossible task. Instead, organisations need to reduce effort by focusing on what matters most. Having visibility into core applications, systems and networks allows security teams to assess for vulnerabilities that can either be addressed, when possible, or monitored for indicators of compromise, before damage occurs. This negates the need for complex and difficult detection solutions that can only detect what most organisations already know exists.

Doing nothing is not an option. It’s imperative that organisations step up and stop criminals from infiltrating their infrastructure. By addressing the known but unpatched vulnerabilities that threat actors target, the vast majority of attack paths will be closed off. This prevents compromise, malware infiltration and the exfiltration of data.