Cyber Attacks on Critical Infrastructure
03.10.2022
Back to blog listCyber Attacks on Critical Infrastructure
Rising number of cyber attacks on the energy sector and other critical infrastructure
When it comes to the networks and systems that are essential for generating and delivering energy to homes and businesses alike, it is not without reason that we speak of critical national infrastructure (CNI). Our society cannot function without these critical systems. If these systems are negatively impacted, for example, by various cyber attacks on this infrastructure, the consequences are far-reaching, potentially leading to economic instability on a global scale and, not least, putting human lives at risk.
According to reports from the UK's National Cyber Security Centre (NCSC), the US Department of Homeland Security (DHS), and other government agencies around the world, the number of cyber threats and attacks in this area has increased significantly in recent months. Critical infrastructure is both critical and vulnerable to attacks. And that is precisely why processes and operations are subject to a wide variety of cyber attacks – whether geopolitically or economically motivated, malicious or a combination of all three.
A successful attack on critical systems that control physical and technical processes may affect the functionality of the entire facility and infrastructure. The resulting downtime has a devastating economic impact. An attack that directly targets safety equipment or processes potentially causes environmental damage or endangers human lives.
So it is important to identify the attack routes that are likely to be used. Given the potential impact, there is no alternative to combatting cyber attacks.
Security for critical infrastructure remains a challenge
Energy markets are highly competitive and particularly volatile. As such, producers and utilities are striving to differentiate themselves from their competitors while, if possible, reducing their ongoing costs. This includes improving the conversion of raw materials into energy carriers, making the refining process and further processing more efficient, developing optimal storage technologies to increase storage capacities, finding better transportation options and reducing emissions. The technologies needed to achieve this play a crucial role for the energy industry.
However, many facilities and systems in this infrastructure date back to the pre-Internet era, and they were designed on the principle of physical proximity. In the meantime, the way they work has changed considerably. Today, these historically grown systems are connected to IT networks or to the outside world to control and monitor processes. This connectivity of networks clearly has its advantages. Costs are reduced, operational efficiency increases, employee health is protected, and it is possible to create interoperability between existing and new systems. Every change on the operational side is thoroughly scrutinized - but cyber security tends to play a secondary role. This has consequences for the whole infrastructure. Every newly opened connection acts as a possible entry point into the network, a hidden path or even a mechanism to manipulate automated physical systems. An open door for cyber attacks. 
Specific attack vectors against critical infrastructure
Cyberattacks have primarily targeted end users and businesses, such as banks, credit bureaus and retailers. Data siphoning and rapid monetization are the two main goals of the actors. However, recent events confirm that both the targets and intentions are changing.
We are increasingly seeing attacks on networks in energy and distribution systems, utilities, petrochemical plants, and other critical infrastructure operators. In these scenarios of cyber attacks, the goal is not to steal data, but to disrupt processes and indirectly create instability. Successful cyber attacks and malware variants have been developed specifically for attacks against the critical infrastructures in question.
They all show that the threats and attacks have long since become not only technically possible, but real. Attackers are actively trying to gain a foothold and "crack" these sensitive networks. Black-hat activists and hackers on behalf of the state use freely accessible data and information to gain the most precise technical knowledge possible about the intended target. On this basis, a tailored attack is launched with the aim of manipulating or destroying physical systems and critical infrastructure.
One recent malware specifically targets and attacks a certain type of industrial system, known as a Safety Instrumented System (SIS). In the oil and gas industry, SISs are used to detect dangerous events and then take action to restore a process to a safe state. The "Triton" malware was developed specifically for Triconex SIS and has the potential to negatively impact industrial critical control systems in three different ways. With increasing severity for the critical infrastructure.
False positives in the SIS - causing the SIS to trigger the shutdown of a plant or distributed control system (DCS) for no reason.
SIS failure - the SIS does not function properly and no longer detects critical conditions during operation. In an emergency, the SIS does not function.
SIS shutdown and DCS manipulation - causes SIS failure. Combined with the Triton malware's ability to manipulate the controller within the DCS to put the system into an unsafe state. One of the most serious consequences of a successful Triton attack.
One can confidently go so far as to consider the Triton attack a wake-up call for the industry. Just by getting hands-on experience in an attack, hackers figure out very quickly what works and how. And they learn from their mistakes. True, the consequences of this malware attack are still manageable. But the next attack will probably have far more devastating consequences. We are currently at a point where many critical infrastructure operators have realized that security measures have not kept pace with increasing connectivity by a long shot. A finding that urgently needs to change.
Every newly opened connection acts as a possible entry point into the network, a hidden path or even a mechanism to manipulate automated physical systems. We are currently at a point where many critical infrastructure operators have realized that security measures have not kept pace by a long shot with increasing connectivity. A finding that urgently needs to change.
Security and protection from cyber attacks for critical infrastructure: best practices
While the energy industry has caught up in cybersecurity, there is another area worth taking a closer look at. That's because more and more industrial components and processes are digitally connected. In an era of escalating threats and cyber crime, companies operating in critical infrastructure are striving to balance security requirements with productivity. Which is critical, but not always easy.
Unfortunately, outside attackers and targeted cyber attacks are not the only risk. As in any other IT environment, security vulnerabilities arise in critical infrastructure due to weak passwords or even open ports. It hardly matters whether the vulnerabilities are intentional or simply caused by a mistake. Either way, they have a negative impact on productivity and the whole critical infrastructure.
Find out how we safeguard energy companies against unauthorized access and undetected operational issues.
When it comes to critical infrastructure like oil refineries, gas production facilities and transportation pipelines, reliability and job safety are paramount. Cybersecurity best practices are essential for critical infrastructure and a first step toward comprehensive risk mitigation and cyber security.
In this regard, the fundamentals of IT security are no different in critical infrastructure than the security layers in an IT network. This applies, for example, to firewalls, SNMP network management tools, SIEMs, etc.
Assume that successful attacks like intrusion into your network may occur despite deployed cyber security measures. So deploy solutions that detect cybersecurity incidents early in the relevant intrusion/attack cycle so you can respond.
Technological advances within machine learning and artificial intelligence make it possible to model and monitor even large, complex networks and critical physical processes typical of refineries, power plants and pipelines. Only this allows a complete insight into the plants to identify weak points and prevent attacks.
Then it is necessary to define values for "normal" behavior in network communications and processes. To monitor and analyze anything that deviates from this normal scale. Create an early warning system that provides immediate insights to identify and fix cybersecurity failures and quickly reestablish affected processes, if necessary. This helps engineers and plant operators identify affected devices and apply compensatory controls before operational systems are impacted.
Critical infrastructure should implement an effective patch management strategy so that published CVEs and ICS certs (bugs identified in a piece of software) have a less damaging impact and are patched before they can be weaponized and exploited.
Employees like to be the weakest link in a security policy with unintentionally caused bugs. Without continuous training on awareness and behavior, it won't work. Even the infamous Stuxnet worm, which paralyzed the control system of a nuclear power plant, entered the network through a careless employee. Via an external USB drive.
Conclusion
NCSC, DHS and government agencies around the world agree that attacks on critical infrastructure are currently a real threat. And attackers are unlikely to slow down in their attacks and efforts to develop and employ better attack methods and strategies. Cyber threats have now moved from the desktop or the server room to the plant control rooms. Attacks on power grids, for example, are creating economic instability - as we have already seen - and threatening physical security.
Utilities and grid operators, as well as operators of downstream oil, gas and petrochemical facilities and pipelines, are required to implement up-to-date security measures and consider novel approaches to implementation.
Meeting the challenge: securing energy supplies
To meet the high cybersecurity requirements, the heterogeneous system landscapes in energy technology must be protected from attacks. Increased networking and digitization require a holistic IT security concept. IT security affects not only individual automation systems, but the entire network.
How can the correct protection and configuration of important automation components against cyber attacks be achieved? To implement an IT security concept, there must be an awareness and knowledge of what communication is used and actually takes place in critical infrastructure. Appropriate monitoring can be used to evaluate network traffic between systems from a security perspective. In this way, the energy supply, which is critical infrastructure, can be configured and protected securely.
What is the best solution to monitor employees and control data channels? Find the answer.
