Managing vulnerabilities, from attack interception to result prevention

Courtesy: Brett Sayles

Vulnerabilities insights

  • In recent times, critical infrastructure has been in the crosshairs of threat actors looking to exploit its vulnerabilities.
  • Operational technology (OT) professionals can work to reduce vulnerabilities and learn how to respond when those attacks occur.

Critical infrastructures, a classification that includes utilities, industrial and manufacturing operations, and more, have faced a barrage of cyber threats in recent years, and operators are now faced with the reality that the next attack is likely just around the corner because of their vulnerabilities. From high-profile hacks like those on SolarWinds and the Colonial Pipeline to less publicized but equally worrisome breaches such as those on an Oldsmar, Florida, water treatment plant and the Metropolitan Water District of Southern California, critical infrastructures have become major targets for cyberattack.

Although these attacks have gained momentum in the last year, the threat is not new. In fact, according to a 2019 survey of utilities by Siemens and the Ponemon Institute, 56% of utilities’ network operators reported at least one shutdown or operational data loss per year, and 54% expected an attack in the coming year.

Escalation of vulnerabilities, risks and attack tools

What is driving this proliferation of attacks? There are several contributing factors. One is rapid technological change, accelerated by the pandemic and now ingrained in our daily lives, that has led to an increasing dependence on connected devices within critical infrastructures, such as smart meters, sensors, industrial controllers and other “smart” products. This trend for everything to be connected has seeped into OT devices, which include things like sensors, transmitters, controllers, smart meters, pumps and other field devices.

Utilities, governments and other critical infrastructure operators have begun connecting these operational technology (OT) devices into information technology (IT) networks to streamline monitoring and maintenance, but as they do so, they simultaneously increase the potential attack surface for malicious cyberthreats. These newly connected devices are also not particularly secure, given that many of these systems were introduced decades ago with a specific eye toward longevity. Research from Fortinet shows that a significant percentage of organizations have not extended some elements of basic security hygiene into their OT environments. As this has happened, bad actors, whether external hacker groups or organization insiders, have grown bolder and more sophisticated with their attempts at intrusion and manipulation of critical infrastructure systems.

The convergence of these increasingly complex IT and OT systems, often backed by outdated security infrastructure, systems and protocols, has created the perfect storm of cyber vulnerabilities. What’s more, the same aforementioned Fortinet research found that OT leaders actually planned on spending even less on their security budgets from 2019 to 2020. This trend has proven to be a cautionary tale in the wake of the flurry of breaches that have happened in the last 18 months.

Meanwhile, according to a report by five government security agencies, cyberattackers ranging from cyber criminals to nation-state operators are utilizing free yet powerful tools that lower the entry bar for attackers and increase risks for organizations.

The attack vectors impacting critical infrastructure

Leveraging cyberattacks for the purpose of fraud and theft is a growing concern for critical infrastructures. In some cases, these attacks directly influence the performance of the affected device for fraudulent activities. For example, cyber criminals could access a system of smart meters to alter the readings and result in altered customer utility bills. Ransomware is another fast-growing attack type. Earlier this year, hackers accessed the Colonial Pipeline company, one of the largest oil and gas pipelines in the United States, and demanded a $5 million ransom for important corporate data. Out of an abundance of caution, Colonial Pipeline was forced to cease pipeline operations, which had a major trickle-down impact on local and countrywide economies.

Vulnerabilities stemming from insiders (i.e., current or former employees in an organization) also represent a major threat to critical infrastructures. These insider attacks are typically harder to detect and prevent than external attacks. A study from the Ponemon Institute published in January 2021 found that insider cybersecurity incidents have risen 47% since 2018, and the average annual cost of an insider-caused breach also increased, up 31% to $11.5 million.

There is also the issue of weaponizing OT. A recent report from Gartner predicted that cyberattackers will soon have weaponized OT environments to successfully harm or kill humans. This concerning trend has already begun. In February, a water treatment plant in Oldsmar, Florida, was accessed by hackers. The attack only lasted a few minutes, but the hackers were able to change the level of sodium hydroxide being fed to the city — home to 15,000 people. It was changed from 100 parts per million to 11,100 parts per million, enough to cause serious harm. Although the attack was remedied before it could reach the main water supply, it was a dire warning about the consequences that not segregating IT and OT systems can bring.

Vulnerabilities cannot be eliminated, so be ready

Given the vulnerabilities of legacy OT devices, the nature of cyberattacks on these devices and the diverse sources these attacks have stemmed from, critical infrastructures and OT operators must ensure that each device they roll out or integrate onto their network is itself impermeable. But connected devices are inherently vulnerable and will be eventually breached – it’s simply a matter of when.

Original content can be found at Nanolock.
