How to protect our critical infrastructure from attack

Just how worried should we be about a cyber or physical attack on our national infrastructure? Chris Price reports on how the pandemic, the growth of remote working and IoT are putting assets at risk.

On February 2^nd the largest ever compilation of breached usernames and passwords was leaked online. Known as COMB, it contained 3.2 billion unique email/password pairs, including the credentials for the Oldsmar water plant in Florida (not pictured here).

Three days later an unknown attacker entered Oldsmar’s computer systems and attempted to manipulate the pH in the city’s water to dangerously high acidic levels by increasing sodium hydroxide (lye) by 100 times. Although the attack was foiled and the lye levels returned to normal, the incident highlighted the ease with which cybercriminals are increasingly able to target critical national infrastructure (CNI).

In this particular case it was thought that the attacker managed to get into Oldsmar’s systems via the plant’s TeamViewer software which allows supervisors to access the system remotely. “As recently as August 2020, our analysts identified several high-risk vulnerabilities and exposures publicly associated with TeamViewer,” claims Evan Kohlmann, Chief Innovation Officer of threat intelligence platform Flashpoint. “This includes an example allowing a malicious website to launch TeamViewer with arbitrary parameters, capturing the victim’s password hash for offline password cracking.”

However, the problem isn’t unique to TeamViewer. As far back as 2013 the Department of Homeland Security (DHS) confirmed that an Iranian hacker group known as ‘SOBH Cyber Jihad’ accessed computer systems controlling the Bowman Avenue Dam in New York at least six times, accessing sensitive files containing usernames and passwords. Similarly, in 2015 and 2016 Ukraine suffered a series of attacks on its power grids believed to be the work of a Russia-sponsored advanced persistent threat group called Sandworm, which left 225,000 Ukrainians in sustained blackouts for several hours at a time.

Extremely vulnerable

In July 2020, a CyberNews investigation highlighted just how easy it would be for an attacker to get into critical US infrastructure via unsecured industrial control systems (ICS). This, it claimed, could be done simply by attackers using search engines and tools dedicated to scanning all open ports and remotely taking control. Explains CyberNews Senior Researcher Edvardas Mikalauskas: “Our research has previously highlighted that many ICS panels in the US are critically unprotected and easily accessible to threat actors. The most vulnerable infrastructure appears to belong in the energy and water sector.”

“Physical security surrounding critical national infrastructure, such as power plants, is usually very impressive. Unfortunately, the same cannot be said of their cyber security.”

But just how worried should we be about potential attacks on our CNI? According to Joseph Carson, Chief Security Scientist at Thycotic which ethically hacked a power station several years ago as a red teaming exercise, “such attacks are extremely rare compared to the constant flow of standard cybercriminal activity.” He believes for most cybercriminals the risk is simply too great for too little potential reward. “For one thing, attacking CNI assets normally requires much more specialised knowledge and tools compared to a standard commercial business. More importantly though, most threat actors are motivated by simple profit and there is little direct financial gain in disrupting CNI.”

However, there are signs this is beginning to change. “Unfortunately, I see a rise of CNI attacks not just in the US but across the UK and the rest of Europe too,” says Scott Nicholson, Director of cybersecurity and data privacy specialist, Bridewell Consulting and a consultant for the UK’s National Cyber Security Centre (NCSC).

Security v Safety dilemma

Indeed, in its recently published CNI Cyber Report: Risk and Resilience, Bridewell said there is a massive gap between the perceived threat of a cyber attack and the actual threat to CNI. While 78% of organisations are ‘confident’ that their OT (operational technology) is protected from cyberthreats – and 28% very confident – it seems CNI is facing a ‘cybersiege’. According to Bridewell’s research of 250 UK IT and security decision-makers across five key CNI sectors (aviation, chemicals, energy, transport and water), 86% of organisations have detected cyber attacks on their OT/ICS environments in the last 12 months, with nearly a quarter (24%) experiencing between one and five successful attacks. Water and transport have been the sectors which have experienced the most successful attacks. Similarly, IBM reported a 2000% increase in cyber security incidents targeting OT in 2019, most of them involving Echobot IoT malware (download IBM’s annual X-Force Threat Intelligence Index here).

For Terry Olaes, Technical Director, North America of computer security company Skybox Security, the latest OT attacks signal a change in intent among cybercriminals, as well as raising questions about increasing critical infrastructure vulnerabilities. “Managing critical infrastructure comes with several challenges,” he says. “It entails massive environments that can’t experience downtime and where safety is often prioritised over security. As a result, vulnerability and remediation on OT devices only occurs around ‘once or twice a year, leaving the back door wide open to nefarious attackers to our critical infrastructure.”

Bridewell’s Scott Nicholson agrees: “Within an industrial controls context consistency and availability of the service are key, whereas upgrading software is seen as risky. Patching systems and keeping them updated can be very complex for OT organisations,” he adds.

A further problem is the demand for internet connectivity, which has been accelerated in part by the COVID-19 pandemic. Whereas traditionally many organisations within CNI sectors have managed Industrial Control Systems (ICS) and critical applications on their own closed private network, this is beginning to change. The rise of the Internet of Things (IoT) has brought the benefits of connectivity to the fore and there is a growing need to drive convergence between critical operational technology, IT networks and the internet for remote management. However, inevitably this simply increases the potential attack surface as well as bringing a wider range of threats.

“For many critical infrastructure facilities, COVID-19 forced an abrupt shift to employees working from home, meaning that security teams had to make production control networks accessible remotely to keep systems up and running,” explains Andrea Carcano, co-founder of Nozomi Networks. “However, unfortunately remote access is often the easiest path for attackers to infiltrate a network.”

Adds Scott Nicholson: “Their networks need to be segmented from the internet as much as possible.” This can be done using the Purdue model – a hierarchical structure for industrial communications which was first developed in the 1990s.

Impressive physical security not enough

According to Thycotic’s Joseph Carson, physical security surrounding critical national infrastructure, such as power plants, is usually very impressive. Unfortunately, the same cannot be said of their cyber security. “You’ve got gates, armed guards, all these sensors and perimeter detection systems but when you look at the cyber security side of things it’s really quite concerning”, he says. “Not only is the use of remote desktop solutions a threat, but I’ve seen audio streaming software installed which implies operators are able to install their own software for listening to music while monitoring critical infrastructure.”

Nor are the challenges simply going to go away. The growth of IoT – in particular the rise of Industry 4.0 with its increasing demand for drones and autonomous vehicles – means the potential for attack is only going to get greater. At the same time, the continued demand for remote working as a result of the pandemic, provides additional risk as the recent TeamViewer attack on the Florida water treatment facility showed. Indeed, the fight against COVID itself is even providing a target for cyber attackers.

Nozomi Networks’ Andrea Carcano concludes: “We’ve continued to see threats to critical infrastructure rise over the last few years and we don’t expect that trend to end anytime soon. Recent attacks on healthcare organisations and those in the fight against COVID are dramatic reminders that the systems we reply on are high value targets that are vulnerable and at constant risk of attack.”

5 steps to help protect critical national infrastructure from attack  

• Secure remote access – This is often the easiest path for attackers to infiltrate a network. Managers need to secure remote access by using endpoint protection, good password hygiene and network firewalls.
• Create inventory of assets – If you can’t see all the devices on the network, then it’s impossible to protect or segment the network for greater resilience. By maintaining a real-time inventory of all network assets, security teams can achieve accurate visibility into their devices, connections, communications and protocols.
• Identify and patch vulnerabilities – Industrial networks contain thousands of OT and IoT devices from a number of vendors. Unfortunately, most aren’t designed for the level of security required for critical infrastructure environment. Tools that identify system vulnerabilities, using the National Vulnerability Database (NVD), can help determine which devices are at risk, prioritise and recommend firmware updates.
• Monitor for anomalies – Automated network anomaly detection solutions leverage artificial intelligence to run anomaly detection against the actual parameters that are used to control the industrial process.
• Integrate OT and IT networks – OT knows how to meet production targets and keep the plant running safely while IT can address networking and cybersecurity issues. Combining both can give greater resilience, reducing blind spots and security risks surrounding highly connected industrial control systems.