Cybersecurity breaches in critical infrastructure networks are increasing - appearing frequently in recent headlines. One recent high-profile case is the Colonial Pipeline shutdown, a ransomware attack by cybercriminal group DarkSide, that froze the flow of 2.5 million barrels of oil product.
This attack occured in early May 2021, and resulted in a $4.4 million ransom paid completely in cryptocurrency. The ransom was later partially recovered.
Only a few months ealier, in February 2021, an unknown hacker gained remote acccess to a Florida water supply and began dumping sodium hydroxide (lye) into the system. Luckily, a plant employee noticed the discrepency and immediately reversed levels to normal.
Still, the implications are troubling and critical infrastructure providers should be aware and alert. Experts worry that detrimental utility cyberattacks - like those that caused massive blackouts in sub-zero temperates in Ukraine - could also strike the U.S.
The scope of the threat is daunting. However, with better understanding of new cybersecurity threats and prompt action - critical infrastructure providers can own the solution.
What is cybersecurity?
Cybersecurity is the protection of data, networks, and devices.
Most people are familiar with basic cyber hygiene: antivirus software, firewalls, and creating unique passwords. However, cybersecurity for critical infrastructure (CI) is more complicated.
CI providers manage networks with thousands of assets, spanning hundreds of miles and sites. Unlike many other industries, critical infrastructure networks also contain both IT (Information Technology) and OT (Operational Technology).
Let’s unpack these terms.
Information Technology (IT)
IT systems include computers, servers, and mobile devices, as well as the information flowing between them. Think of a standard office - the network linking everything together, and your connection to the internet. That’s IT.
Securing IT systems is a standard goal for most businesses, but for utilities and critical infrastructure there’s much more to consider.
Operational Technology (OT)
OT includes the physical devices or software that control operations in the real world: pumps, valves, meters, robotics, etc.
If an OT system is compromised, hackers can…
- Disrupt services
- Endanger employees and customers
- Damage or destroy equipment
- Harm the environment
It’s easy to assume that a computer can be hacked, while a power plant control room is safe. However, this approach is outdated and neglects OT vulnerabilities.
The modern convergence of IT and OT explains, at least in part, the increase in cyberattacks on critical infrastructure.
Understanding the Threat to Critical Infrastructure
Critical infrastructure spans tens of thousands of miles, involves many remote sites, and requires multiple networks with complex software and hardware needs. The sheer size and scope of these systems offers hackers many exploitable entry points.
Infrastructure is vulnerable and cyberattacks are increasing
A 2019 report by Siemens and the Ponemon Institute paints a troubling picture of surging cyberattacks and under-prepared utility providers. Of the utility professionals surveyed:
- 54% expect an attack on critical infrastructure in the next 12 months
- 25% report mega attacks, whose scope and sophistication suggest the involvement of nation-state actors
- 56% experience at least one shutdown or operational loss each year
- 42% assessed their cyber readiness as high
- 34% rated their means to respond to an attack as high
With the convergence of IT and OT, cybercriminals can now steal data and tamper with physical assets in the field. For example, it is now possible to shut down or even destroy a wind turbine solely through remote access. Naturally, this is causing alarm.
In a survey by West Monroe, a majority of utility leaders agreed that infrastructure cybersecurity is a top concern.
Critical infrastructure providers are facing an unprecedented challenge and the stakes are high. How do you protect a critical system that can be compromised by a single infected USB inserted into a company computer?
The answer is complex, but understanding the specific context around critical infrastructure cybersecurity is a good first step.
Why is critical infrastructure being targeted?
Though the convergence of digital technology and analog assets provides significant operational benefits - it also creates vulnerabilities.
In the past, a remote attack on IT systems may have resulted in data loss and system damage. This could injure a company’s reputation or paralyze operations, but the OT system would remain intact.
Hackers could not, for example, access generators or chemical levels. In this scenario, securing IT was the sole concern.
However, as utilities transition to the cloud, remote access, smart devices, and the Internet of Things (IoT) - IT and OT are no longer separate.
“Air-gapping” - keeping an OT system offline to deter interference - is no longer a realistic cybersecurity solution.
According to McKinsey, IT and OT networks may even converge completely in the future. Technology has shifted dramatically, and hackers can now access what they only dreamed of targeting before.
The 5 Most Common Types of Cyberattacks
With digital transformation and the complexity of asset networks, it’s now more important than ever that critical infrastructure providers bring cybersecurity into the 21st century.
Meeting this challenge effectively means understanding the many ways in which CI providers are vulnerable, starting with the most common types of cyberattacks.
Phishing / Spear Phishing
Phishing involves a cybercriminal sending communication, usually emails, to company employees: mimicking a trusted source.
These emails prompt the employee to provide their credentials, or download malicious software disguised as a legitimate file. Thinking the email is from a colleague, the employee accidentally provides system access.
Spear phishing is a precise form of this practice. Hackers invest more energy into researching a company and its employees, so their emails appear even more credible.
In the news
In 2015, hackers deployed a phishing email that appeared to come from the Ukrainian parliament. Using malware in an attached document, they gained remote access to the utilities OT network - eventually causing severe blackouts during sub-zero temperatures.
Sidestep phishing efforts by taking the time to slow down:
- Read all emails with a critical eye
- Double-check an email’s origin before acting
- Review external links and attachments before clicking
Zero Day Attacks
Zero day attacks occur when weakness is discovered in a network, software, or hardware, and hackers strike before the issue is solved.
Even if a solution has been issued, hackers may still leverage the vulnerability. With zero-day attacks, organizations are often unaware of the danger or are too slow in updating or patching their systems.
In the news
The notorious WannaCry ransomware hack took advantage of a weakness in the Microsoft Windows operating system: encrypting users’ data and demanding ransom.
Computers were susceptible if they were running Windows and hadn't updated recently. 25% of utility professionals were affected by the WannaCry or NotPetya attacks (NotPetya also used a Zero Day vulnerability).
Avoid Zero Day attacks by always updating your systems and applying patches.
Brute Force Attacks / Password Spraying
Brute force attacks when a hacker enters a large number of simple phrases and common passwords for a single company account. If they’re lucky and you don’t have a complex password, they’ll get in.
On the other hand, password spraying is when a hacker tries a small number of common passwords across many different accounts - hoping that at least one company account is vulnerable to their pre-selected passwords.
In the news
Though simple, these attacks are often successful. The Russian group APT28 (also known as “Fancy Bear”) has used password spraying in attacks on U.S. targets in the past.
Guarding against these attacks is straightforward - create strong passwords for your accounts and enable multi-factor authentication.
Denial-of-Service (DoS) Attacks
Denial-of-Service attacks bombard a device or network with traffic. Overwhelmed, a system may crash or - as it manages all the hacker’s requests - be unable to address legitimate traffic from employees or customers.
A DoS attack causes paralysis, but it’s distinct from other cybercrime: attackers aren’t attempting to enter the system.
Hacktivists and foreign governments may organize a DoS attack to cause damage, not to make a profit. A hacktivist is ideologically opposed to a utility’s business, while a foregin government’s aim is exerting control over U.S. critical infrastructure - their motives aren’t financial.
In the news
Globally, DoS attacks on utilities increased sevenfold during the summer of 2020.
Protecting yourself from DoS attacks requires a robust response plan. Keep reading to learn more about boosting your organization’s cybersecurity.
Malware is malicious software that, once in your system, can spy on communication, steal information, damage or destroy data, and encrypt files. It comes in many forms, and can enter your device in many ways. Phishing, for instance, often results in malware installed on your computer.
Ransomware, a growing concern for critical infrastructure, is an example of malware. If allowed on a device, ransomware will encrypt data. This prevents you from accessing the files, potentially crippling your business.
Hackers will then demand a ransom to loosen the chokehold on your assets. However, even when this ransom is paid, hackers may not decrypt your files, and your system could be permanently damaged.
In the news
Ransomware has been a problem long before the shutdown of the Colonial Pipeline. The BBC reports that nearly 2,400 U.S. entities were targeted by ransomware in 2020, and the global cost is estimated to be between $42 billion and $170 billion.
Protecting against malware isn’t easy because malware can enter your system through so many avenues. A cybercriminal devoted to undermining a network, potentially even equipped with resources from a foreign government, is a significant threat.
If there’s a way into your network, they’ll find it. So how do you match that?
Make security a top priority thoughout your organization. Implement, at the very least, basic cyber hygiene practices such as firewalls, strong passwords, and antivirus/malware software.
To be truly effective though, critical infrastructure providers must fold cybersecurity into the fabric of their organization. Read on to learn more about preventing critical infrastructure cyberattacks.
5 Ways to Prevent Critical Infrastructure Cyberattacks
As utilities and other critical infrastructure enter the 21st century through green energy and grid modernization, a modern approach to cybersecurity is also in sight.
Foster a culture of cybersecurity
In the end, human beings protect your organization.
With phishing and zero day attacks, your system is compromised when a single employee downloads a file carrying malware, provides their credentials to a cybercriminal by mistake, or fails to patch or update their devices.
And with brute force attacks and password spraying, your system is only as strong as the weakest password.
Most breaches stem from lack of training, missing protocols, or human error. According to Utility Dive’s 2021 State of the Electric Utility (SEU) Survey Report, only 55% of electric utility professionals have systematic and prompt patching of their systems.
Your IT teams are not the only ones responsible for cybersecurity. Everyone needs to be trained on common attacks and vulnerabilities, reminded to update and secure their devices, and briefed on trends in cybercrime.
Bricata, a cybersecurity company, recommends that marketing teams collaborate with cybersecurity experts to nurture a culture of cybersecurity in an organization.
Additionally, utilities need to develop efficient incident response plans, share best practices throughout their network, and encourage transparency by reporting attacks to the government.
You may even organize cyber “war games” to test your protocols.
Implement cyber hygiene best practices
As you foster a culture of cybersecurity, you should also adopt common protections:
Anti-malware software: Scans your devices, detects threats, and removes malicious software
Security Information and Event Management (SIEM): Protects against malicious software and also monitors activity and access across your networks
Firewall: A digital barrier between internal systems and the outside world that scans, evaluates, and filters incoming traffic
Trust Zones: Additional firewalls developed within your internal network to protect sensitive information requiring additional security
Data Encryption: Encrypt data on your devices along with communication between devices: especially relevant for smart grids, smart meters, and other IoT
Multi-Factor Authentication: Requires employees to provide more evidence than a password when entering a network or system
You may choose to hire a cybersecurity company or consultant as well. Increasingly, big data and AI are also used to monitor networks. If you’ve already adopted these best practices, then begin implementing a coherent Zero Trust strategy that assumes you’ve already been breached and mitigates internal threats.
Invest in both digital and physical security
57% of electric utility professionals report higher spending on digital operations and security. With digital transformation, it’s surprising that number isn’t higher.
Implementing best practices and fostering a culture of cybersecurity has a price tag, of course - but as hackers scour your IT/OT networks for vulnerabilities, you’ll also need to expand your cybersecurity team and invest in physical security.
Expanding your cybersecurity team
In terms of updating the grid, we already know that hiring millennials into the utilities workforce is important. However, investing in young talent and increasing staffing is relevant to boosting cybersecurity as well.
Many utilities don’t have the talent or the numbers to rival the expertise of cybercriminals. Hiring a team, or at least one talented individual, to focus solely on your cyber health is an important step in the right direction.
Securing physical assets
As OT and IT converge, physical security cannot be neglected.
Solar and wind farms often have low security due to the geographic challenges in securing these expansive areas. Still, physical assets like these can provide access to a utility’s network - sometimes only a padlock stands between an attacker and the inside of a wind turbine.
In addition, there are many customer-facing assets, like charging stations or smart meters, that need to be secured to prevent any tampering or network access.
Because utilities have an extensive attack surface and cybercriminals will leverage any weakness, protection for both digital and physical assets must be increased.
Promote clear communication and clarify leadership
Often, cyber vulnerabilities stem from a lack of communication and leadership. With so many sites, networks, teams, and assets - this can be especially true for critical infrastructure providers.
According to McKinsey & Company, it’s common for information silos - a lack of communication and collaboration between teams - to develop.
How do you avoid information silos?
- Ensure there is a centralized cybersecurity team that is recognized throughout your entire organization
- Assign a “security champion” within each unit who will communicate and coordinate with the centralized team
- Create protocols that everyone will follow, consistent across OT and IT networks
- Grant your cybersecurity team the power to make decisions and allocate an appropriate budget
- Regularly brief your executives, board, and managers on cybersecurity trends, vulnerabilities, and priorities
Audit devices, assets, and other network components
In the report by Siemens and the Ponemon Institute, utility professionals rated their companies’ ability to track all of their digital assets as “particularly low.”
You can't protect what you don't know about, so it's important to audit all the devices within your network:
- Personal devices (Bring Your Own Device)
- Multiple networks and sites
- Mobile devices
- Third party services
- Smart tech and IoT (Internet of Things)
- Other diverse software and hardware
Even software has many individual components, each of which may be vulnerable.
Following the Colonial Pipeline and SolarWinds attacks, President Joe Biden signed an executive order to help address this risk in our critical infrastructure. This order requires software companies to provide greater transparency into their software’s internal organs through a Software Bills of Materials (SBoMs).
While a great step forward, SBoMs address a single vulnerability: software procurement. Full visibility into your organization is important, and an in-depth audit of physical and digital assets is essential.
Carefully review your organization’s vulnerabilities before a cybercriminal does.
Conclusion: When life is on the line
According to former Cisco CEO John Chambers, “There are two types of companies: those that have been hacked, and those who don’t yet know they have been hacked.”
As critical infrastructure providers enter the 21st century, cybersecurity should be front and center.
The financial cost of a hack is clear. In the case of Colonial Pipeline, they paid the cybercriminals around $4.4 million to restore their systems. But attacks on critical infrastructure may have more devastating consequences.
In September 2020, a woman died because a ransomware attack on a local hospital in Germany delayed her treatment--the first death directly linked to a cyberattack.
Though cybersecurity may require a significant shift in culture and resources, attacks on critical infrastructure are inevitable--and utilities can own the solution.
Want more insight into critical infrastructure? Subscribe to our blog and newsletter.