Successful cyberattacks against critical infrastructure have been steadily increasing in frequency and complexity over the past 10 years. The U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported that a total of 295 cybersecurity incidents involving critical infrastructure occurred in fiscal year 2015, compared to 245 the previous year. In a recent Trend Micro report on critical infrastructure, more than 575 public and private owner-operators from 20 countries were surveyed, and the results were eye-opening. Fifty-three percent said critical infrastructure cyberattacks have increased over the previous year, and 76% said they had grown in sophistication. Even more telling, 44% said they were victims of malicious “delete and destroy” attacks.
Cyberattacks and the Risk to Infrastructure
Alarm bells should be ringing about the risks posed by cyberattackers who are penetrating physical infrastructure with greater frequency. While espionage and theft are the most common objectives of cyberintrusions, Ukraine’s example demonstrates that state and non-state actors can penetrate even the most sensitive and secure command and control structures, simply to create havoc and cause disruption to a nation’s ability to operate. Check out more on cyberrisk to physical operations and critical infrastructure.
As businesses across all industries turn to highly networked and outsourced supply chain models to deliver information, products or services, the “attack surface”—which translates to potential vulnerabilities—expands dramatically. Both physical and information-based supply chains are interdependent, with inherent complexities that traditional supply chain risk management strategies often fall short of addressing.
These attacks, and many more, compromise both IT networks and operational technology (OT) systems. While a vulnerability in an OT system is rare and might not affect the IT network, the opposite is not true. With increasingly common IT network vulnerabilities, OT systems become significantly more exposed.
As if these attacks were not enough, critical infrastructure now faces the growing threat of crypto-ransomware—a family of malware designed to encrypt files on servers and endpoints to extort money from consumers and enterprises. Although quite different in its approach, advanced threat actors could potentially tailor and utilize ransomware to target industrial control system networks or human machine interface (HMI) software and data to cause disruptions. There have already been a number of high-profile ransomware attacks against critical infrastructure companies, including Israel’s Electricity Authority, Lansing, Michigan’s Board of Water and Light, and various hospitals and universities.
Critical infrastructure vulnerabilities are not limited solely to security architecture. Critical infrastructure does not operate in a silo; rather, it is highly dependent on the system and can serve as an access point for island-hopping within the network or to other networks. The most sensitive “lifeline systems,” such as transportation, communication, water and energy, are especially susceptible. Taken individually or in aggregate, all of these systems are intimately linked. Electric power networks, for example, are responsible for power generation, transmission and distribution. A successful attack could lead to widespread power outages that would disrupt public safety and emergency communications networks, and critically impact the public’s supply of potable water.
Interdependent and complex systems are the enemy of all risk managers. Only by addressing both can risk truly be reduced while ensuring resiliency. The threat of destructive attacks in the current rapidly evolving cyberthreat landscape requires comprehensive resilience and redundancies across networks. Resiliency depends on the ability to identify threats and vulnerabilities in real time, protect vulnerable infrastructure, quickly detect targeted attacks, and respond swiftly to contain damage to recover and restore operations.
Individuals working with critical infrastructure must maintain and routinely test comprehensive business continuity plans and procedures. The following recommendations can help reduce the risk of destructive attacks:
- Segregate corporate and industrial control system networks to reduce the possibility of island-hopping.
- Reduce and protect privileged users to detect and prevent lateral movement.
- Employ application whitelisting and file-integrity monitoring to prevent execution by malicious codes.
- Reduce attack surface by limiting workstation-to-workstation communication.
- Deploy robust network safety measures, including encryption, layers of firewalls, breach detection and code analyses.
- Monitor who logs onto networks on site and remotely.
- Implement password protection mitigations.
- Deploy anti-malware reputation services to augment traditional, signature-based antivirus software.
- Run host intrusion prevention systems.
- Quickly shield and patch known operating system and software vulnerabilities.