Just how worried should we be about a cyber or physical attack on our national infrastructure? Chris Price reports on how the pandemic, the growth of remote working and IoT are putting assets at risk.
On February 2nd the largest ever compilation of breached usernames and passwords was leaked online. Known as COMB, it contained 3.2 billion unique email/password pairs, including the credentials for the Oldsmar water plant in Florida.
Three days later an unknown attacker entered Oldsmar’s computer systems and attempted to manipulate the pH in the city’s water to dangerously high acidic levels by increasing sodium hydroxide (lye) by 100 times. Although the attack was foiled and the lye levels returned to normal, the incident highlighted the ease with which cybercriminals are increasingly able to target critical national infrastructure (CNI).
In this particular case it was thought that the attacker managed to get into Oldsmar’s systems via the plant’s TeamViewer software, which allows supervisors to access the system remotely. “As recently as August 2020, our analysts identified several high-risk vulnerabilities and exposures publicly associated with TeamViewer,” claims Evan Kohlmann, Chief Innovation Officer of threat intelligence platform Flashpoint. “This includes an example allowing a malicious website to launch TeamViewer with arbitrary parameters, capturing the victim’s password hash for offline password cracking.”
However, the problem isn’t unique to TeamViewer. As far back as 2013 the Department of Homeland Security (DHS) confirmed that an Iranian hacker group known as ‘SOBH Cyber Jihad’ accessed computer systems controlling the Bowman Avenue Dam in New York at least six times, accessing sensitive files containing usernames and passwords. Similarly, in 2015 and 2016 Ukraine suffered a series of attacks on its power grids believed to be the work of a Russia-sponsored advanced persistent threat group called Sandworm, which left 225,000 Ukrainians in sustained blackouts for several hours at a time.
Extremely vulnerable
In July 2020, a CyberNews investigation highlighted just how easy it would be for an attacker to get into critical US infrastructure via unsecured industrial control systems (ICS). This, it claimed, could be done simply by attackers using search engines and tools dedicated to scanning all open ports and remotely taking control. Explains CyberNews Senior Researcher Edvardas Mikalauskas: “Our research has previously highlighted that many ICS panels in the US are critically unprotected and easily accessible to threat actors. The most vulnerable infrastructure appears to belong in the energy and water sector.”
“Physical security surrounding critical national infrastructure, such as power plants, is usually very impressive. Unfortunately, the same cannot be said of their cyber security.”
But just how worried should we be about potential attacks on our CNI? According to Joseph Carson, Chief Security Scientist at Thycotic, which ethically hacked a power station several years ago as a red teaming exercise, “such attacks are extremely rare compared to the constant flow of standard cybercriminal activity.” He believes that for most cybercriminals the risk is simply too great for too little potential reward. “For one thing, attacking CNI assets normally requires much more specialised knowledge and tools compared to a standard commercial business. More importantly though, most threat actors are motivated by simple profit and there is little direct financial gain in disrupting CNI.”
However, there are signs this is beginning to change. “Unfortunately, I see a rise of CNI attacks not just in the US but across the UK and the rest of Europe too,” says Scott Nicholson, Director of cybersecurity and data privacy specialist Bridewell Consulting, and a consultant for the UK’s National Cyber Security Centre (NCSC).
What an exciting piece. All this stuff is very concerning. I knew about the water plant incident, and such a thing was crazy.
CNI must indeed improve its cyber protection and security, as we’re witnessing a change in society, where everything will be interconnected even more than before.