In a move reminiscent of the Stuxnet attack of a decade ago, the Natanz nuclear facility in Iran was recently hit with an apparent cyberattack that caused a large-scale power failure. Iranian officials did not say who was behind the attack at the plant just south of Tehran, which they described as “sabotage” and a “terrorist act,” but Israeli public media cited intelligence sources who claimed it was the result of an Israeli cyberattack.
According to Iranian officials, the Natanz nuclear facility attack targeted an electrical substation located about 165 feet underground and damaged or destroyed thousands of centrifuges used to refine nuclear material. This alleged attack came directly on the heels of Iran unveiling and testing new uranium enrichment equipment and appears to be an escalation of the ongoing cyberwar between the two countries.
It also underscores the vulnerability of industrial control systems and the importance of protecting operational technology (OT) infrastructure as well as information technology (IT). Whether it’s electrical grids, water treatment plants (like the recent attack in Oldsmar, Florida) or nuclear facilities, critical infrastructure is increasingly under attack.
“A lot of the equipment, whether it’s water/wastewater or energy production, is older technology that we don’t have the benefit of being able to go and put back all the cybersecurity or network controls on,” said Wayne Dorris, business development manager of cybersecurity for Axis Communications. “In other words, when the code was written, there isn’t the ability to go add it to the device. It may not have the memory or processing power to do it. So a lot of times, you don’t have the ability to, from the ground up, build in the secure frameworks or networks, or even secure code development, at that time. That’s one of the reasons that these systems are always highly targeted.
“The second reason is, obviously, if I can shut down power production or water/wastewater, I have a greater effect. I’m affecting a lot more businesses.”
Another major issue, according to Dorris, is that infrastructure is typically funded by local, state and federal governments and is therefore old and outdated. That means routine maintenance, like running patches and updates, is more complicated, which can make systems vulnerable to attack.
To keep infrastructure systems safe, many are on air-gapped or parallel networks. While this can add a layer of protection, it also makes it harder to keep devices up to date.
“In the event that somebody has the ability to get to this device, they will find that the software or firmware for it is very out of date, and there are a lot of vulnerabilities to actually make use of because that piece of equipment may not have been updated for two to three years at times,” Dorris said. “They don’t get the regular update schedules that we see on devices that are connected constantly to a network or have the ability to [be] patched all the time.”
Attacks on OT systems are generally aimed at creating a physical impact, such as a power outage (as in Iran), water contamination (as in Florida) or system overloads. The well-known Stuxnet attack, which was uncovered in 2010 and also hit the Natanz nuclear facility, is still one of the most sophisticated malware attacks on record and damaged more than one-fifth of all nuclear centrifuges in Iran.
With attacks like these on the rise, it’s more important than ever that critical infrastructure facilities start implementing some of the best practices used to protect traditional IT in the OT space. Dorris has a suggestion of where to start.
“First would be an assessment of your patch maintenance plan,” he said. “The more you can have any of your devices on the latest revision, [the better]. As we know, it changes daily, but even though this is sometimes older equipment and may not change as much, the underlying technologies may be vulnerable.”
Dorris also recommends regular scanning to locate any vulnerabilities.
“The Common Vulnerabilities and Exposures (CVE) database from MITRE and NIST (the National Institute of Standards and Technology) comes out every day at, like, 4 a.m. But if you’re not connected to the network, you don’t know all these new vulnerabilities that have happened. Most of the network scanners use that database as their reference to say, ‘Oh, hey, we have found this manufacturer has recorded this vulnerability. Hey, you have this piece of equipment, and it uses this software. You need to run this patch, or do know that this vulnerability is there.’ Even just by scanning, and if you don’t have a patch yet, at least you can take other mitigations. You can do network whitelisting to kind of close down so that that device isn’t talking to everything else on the network that it shouldn’t be talking to.”
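As an added example (not from the article, Dorris or Axis), here is the matching step a scanner performs on an air-gapped segment: a constructed asset inventory is checked against a constructed CVE-style feed carried in from outside, and any device whose finding has no published fix gets an allowlisting recommendation instead of a patch. The CVE identifiers, vendor and product names, versions and IP addresses are all placeholders.

```python
# Added example (not from the article): offline CVE-to-inventory matching for an
# air-gapped OT segment. CVE ids, vendors, products and IPs are constructed placeholders.
from collections import namedtuple

Asset = namedtuple("Asset", "name vendor product version ip")

# Constructed inventory, as an asset scan of the isolated segment would report it.
ASSETS = [
    Asset("RTU-01", "examplevendor", "rtu-firmware", "2.1.0", "10.0.0.11"),
    Asset("HMI-01", "othervendor", "hmi-suite", "5.3", "10.0.0.20"),
]

# Constructed advisory feed carried in on removable media, reduced to what a scanner needs:
# (placeholder id, vendor, product, first affected version, first fixed version or None).
CVE_FEED = [
    ("CVE-PLACEHOLDER-0001", "examplevendor", "rtu-firmware", "1.0.0", "2.4.1"),
    ("CVE-PLACEHOLDER-0002", "examplevendor", "rtu-firmware", "2.0.0", None),
    ("CVE-PLACEHOLDER-0003", "othervendor", "hmi-suite", "5.0", "5.3"),
]

def parse_version(v):
    """'2.4.1' -> (2, 4, 1) so versions compare numerically; assumes dotted integers."""
    return tuple(int(part) for part in v.split("."))

def is_affected(version, first_affected, first_fixed):
    """Affected if first_affected <= version and (no fix published or version < first_fixed)."""
    v = parse_version(version)
    return v >= parse_version(first_affected) and (first_fixed is None or v < parse_version(first_fixed))

def match_assets(assets, feed):
    """Map asset name -> [(cve id, fixed version or None)] for every matching feed record."""
    findings = {}
    for a in assets:
        for cve, vendor, product, first, fixed in feed:
            if (a.vendor, a.product) == (vendor, product) and is_affected(a.version, first, fixed):
                findings.setdefault(a.name, []).append((cve, fixed))
    return findings

def recommend(asset, hits):
    """Patch to the newest fix where one exists; where none does, fall back to allowlisting."""
    fixes = [fixed for _, fixed in hits if fixed]
    actions = [f"patch {asset.name} to {max(fixes, key=parse_version)}"] if fixes else []
    if any(fixed is None for _, fixed in hits):
        actions.append(f"allowlist {asset.ip}: permit only the engineering workstation")
    return actions

def scan(assets=ASSETS, feed=CVE_FEED):
    """Run the matcher over the inventory and return {asset name: [actions]} for hits only."""
    findings = match_assets(assets, feed)
    return {a.name: recommend(a, findings[a.name]) for a in assets if a.name in findings}
```

RTU-01 produces both actions because one of its two findings has a fix and the other does not; HMI-01 is already on the first fixed version and produces nothing.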
For more videos on cybersecurity best practices, check out our YouTube page.