Cyber attacks on critical infrastructure can target technologies, processes, networks, services, systems, and facilities essential to public safety, health, and economic activities. Governments also rely on critical infrastructure to render effective services. As a result, disruptions of critical infrastructure due to cyber-attacks can cause grave consequences.
Despite this, a new study revealed that 83% of organizations that manage critical infrastructure suffered a cyberattack in 2021. However, the research also found that 73% of CISOs and CIOs expressed high confidence that their organizations will not be victims of operational technology breaches in the coming years. However, such a false sense of security is misguided since attacks are about when rather than if.
In addition, additional research found a pervasive lack of awareness and knowledge regarding cyberattacks on critical infrastructure. The study, which involved more than 2,000 participants across the United States, revealed that end-users are less concerned with attacks that target critical infrastructure and operational technologies.
While devastating ransomware attacks and other malware attacks on critical infrastructure continue to make headlines globally, most respondents lacked awareness of how attacks on critical infrastructure can impact nations, businesses, and consumers. For example, 21% of individuals have not heard of the ransomware attack on the largest fuel pipeline in the United States.
Fragile Critical Infrastructure
As attackers step up their efforts towards cyber attacks on critical infrastructures, the infrastructure itself is fragile. In addition, the attacks target critical sectors like food, gas, financial, and transportation since most systems are legacy and lack the capabilities of protecting against modern attacks. In light of this, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert – Alert (AA21-287A) Ongoing Cyber Threats to US Water and Wastewater Systems on Oct 14, 2021.
The joint advisory by the FB, National Security Agency (NSA), and the FBI highlights the increasing malicious cyber activities perpetrated by known and unknown harmful actors targeting the operational technology and information technology of US Water devices, networks, and systems Wastewater Systems facilities.
It is essential to note that the advisory draws attention to the fragility of most critical infrastructure sectors in the US and globally. In particular, the alert warns of increasing malicious cyber events, including ransomware attacks, spear-phishing incidents, exploits targeting internet-facing services, and exploitation of outdated software and operating systems. Such cyber threats may result in severe impacts on the transportation, electric, or water sectors.
The pressing urgency to address threats of cyber attacks on critical infrastructure cannot be underscored. Nevertheless, a multitude of challenges hinders the efforts channeled towards elevating the cybersecurity posture of critical infrastructures. One of the primary challenges is the complex nature of critical infrastructure systems. Most essential systems are extremely complex due to the increased use of connections and devices added to the systems.
In addition, most of the current critical infrastructure systems consist of a mixture of legacy, outdated, and insecure systems. However, there is also a significant integration of legacy systems with new technologies to leverage automation and advanced analytics capabilities. While newer technologies comprise promising cybersecurity features, the combined use with legacy systems exposes them to attacks.
Cyber Attacks on Critical Infrastructure are More Common
A ransomware group, BlackMatter, believed to have close ties with the infamous DarkSide ransomware gang, took out the online networks of farmers cooperative calked NEW Cooperative. The incident caused enabled the ransomware group to encrypt and lock the cooperative’s data, sensitive information, and systems and demanded a $5.9 million ransom to provide a decryption key. The Iowa-based cooperative has fifty locations and provides farmers with diverse software and digital services. As a mitigation measure, the cooperative took down its systems offline, impacting hundreds of farmers.
The ransomware attack comes on the heels of a similar ransomware attack on Japanese tech giant Olympus, still attributed to BlackMatter. According to security experts, BlackMatter operates ransomware as a service affiliate program, similar to DarkSide. DarkSide is blamed for the ransomware attack on the Colonial Pipeline that caused widespread outage and disruption of the fuel industry across North America. The attack, among others, prompted the Biden administration to determine 16 critical infrastructure sectors within the US and warn against ransomware attacks targeting them. President Biden’s remarks were aimed at global leaders urging cooperation in protecting critical infrastructure against increasing attacks.
Also, a hacker attempted to poison a water treatment plant in the San Francisco Bay Area. The hacker used the stolen login credentials of an employee’s TeamViewer account, a platform that permits users to control computer systems remotely. After using the username and password to log in, the attacker deleted various programs that treat and clean water at the plant. The incident was later discovered the following day, but luckily, it did not cause any fatalities or illness.
Besides, the operational technologies that interconnect industrial control systems to facilitate the management of critical infrastructures have become prime targets for cyber adversaries. Specifically, as services such as water supply and water treatment plants, power grid systems, healthcare systems, and transportation systems rapidly integrate operational technologies with the Internet of Things (IoT), they are creating new cyber risk frontiers. In addition, the integration of legacy systems with vulnerable IoT technologies introduces millions of unknown attack vectors and vulnerability points.
Recent attacks targeting critical infrastructures have huge adverse implications on businesses, cities, communities, and countries. Some of the repercussions can be dire. For example, hackers targeted an Israeli water treatment facility through exposed IoT systems, enabling the attackers to change water temperature, pressure, and chlorine levels. Had such an attack succeeded, the hackers would have been able to poison entire communities or trigger a failsafe, causing acute water shortage.
Ransomware Attacks Targeting Critical Infrastructure Industries
1. Colonial Pipeline
The 2021 Colonial Pipeline ransomware incident received widespread news and media coverage. The attack made a global impact since it is an essential part of the US critical national infrastructure systems. The ransomware incident disrupted fuel and gas supply across the United States, causing panic and chaos. The gasoline shortage directly impacts most Americans, and the attack, therefore, potentially affected most users.
The DarkSide ransomware gang was responsible for the Colonial Pipeline hack. The hack targeted the organization’s internal corporate networks and billing systems, causing fuel and gas shortages across multiple states. Although the company initially tried to contain the attack, it resorted to parting with the demanded ransom of $4.4 million to prevent further disruption.
The Colonial pipeline was especially devastating since it caused most consumers to panic and ignore safety measures. Some of the affected residents attempted to carry gasoline in flammable bins and plastic bags, endangering the lives of others. Once the chaos receded, investigations revealed that Colonial Pipeline failed to observe cybersecurity best practices and some of the implemented measures were incapable of protecting against the attack.
2. JBS Foods
JBS Foods is one of the largest meat processing companies in the world. The organization was also the victim of a high-profile ransomware attack incidence. REvil, a Russian-based hacker group, was responsible for the devastating attack. Although the attack did not result in a major food shortage, there were fears of a meat shortage, causing the federal government to urge consumers not to panic.
The ransomware incident case JBS Foods to halt production operations as the company attempted to respond and contain the attack. However, JBS made a ransomware payment amounting to $11 million after consultations with cybersecurity professionals to regain control of the affected systems. The JBS ransomware payment remains to be one of the most significant payments done to a ransomware group.
What is Being Done to Protect against Cyber Attacks on Critical Infrastructure?
Most of the critical infrastructure deployments are privately-owned and require the private and public sectors to coordinate efforts to protect against IoT threats, ransomware attacks, spear-phishing attacks, and malware incidents. In this regard, addressing gaps in critical infrastructure security standards and protocols require industry leaders and governments to initiate cybersecurity policies for legacy and modern critical IT and OT systems.
For example, the European Union Agency for Cybersecurity (ENISA) published cybersecurity guidelines and standards for IoT supply chains in 2020. Introducing standardized cybersecurity guidelines for operational technologies and critical assets can ensure the private companies operating critical infrastructures achieve a recommended cybersecurity preparedness. Also, ENISA is now developing specific cybersecurity standards for critical infrastructure industries and operational technology operators.
At the same time, the National Institute for Standards and Technologies (NIST) developed the IoT Cyber Security Improvement Act was enforced to ensure the public sector in the US extends robust protection and security capabilities in all IoT deployments.
Best Practices for Protecting Against Cyber Attacks on Critical Infrastructure
Governments and policymakers must signal the willingness to deter cybercrime with sophisticated and persistent cyber adversaries launching complex and increasingly ambitious attacks on various critical infrastructures. Since hostile adversaries enjoy the protection of rogue nations, it is in the interest of the US and other countries to project stability and power in cyberspace.
Federal government agencies, including the Department of Homeland Security, requires robust capabilities to demonstrate commitment to deterring debilitating and significant threats against the critical national infrastructure. In addition, the US and other international governments need to create policies for punishing guilty actors within the limits of international law.
Furthermore, the interconnectivity of the US critical infrastructure and the risks of adverse outcomes impacting private entities operating critical systems require strengthening of the weakest links. SMEs cannot implement the same security resources as those installed in multinational organizations due to limited resources, thus creating blind spots. The interconnected nature of the various critical infrastructures implies that exposed attack surfaces present systemic security threats. Therefore, the US government and institutions in the private sector must enforce policies that bolster the security of interconnected critical infrastructures.
More importantly, the US government requires to put more effort into protecting against cyber attacks on critical infrastructure across all industries. The government’s obligation and role in rebuilding and enhancing security for critical infrastructure compromised in a cyber-attack must be documented clearly and improved where necessary. All government agencies must anticipate a severe attack on critical infrastructure and be ready to mitigate arising dangers to the financial sector.
Some solutions can enable an organization to manage critical infrastructure to reduce cybersecurity risks and realize hardened security. To minimize risks, organizations should strictly conform to the guidelines included in available frameworks and regulations. For example, the NIST Cybersecurity Framework (NIST CSF) outlines an organization’s policies and procedures to identify and manage risks. The framework recommends a five-step model that detects, identifies, protects, responds, and recovering.