Why Attacks on Critical Infrastructure are Increasing and How to Protect Against Them
William Grove August 5, 2020
The rise in attacks on critical infrastructure was highlighted in the recently-released 2020 Vulnerability and Threat Trends Mid-Year Report. Spurred on by the COVID-19 crisis, threat actors are jumping on the opportunity afforded by chaos and are making their presence felt with several high-profile attempts to disrupt the international race for a vaccine. These attacks are happening against a backdrop of hostile nation-state attacks on civilian infrastructure, revealing a big picture view of increasingly emboldened attackers changing the state of play. The cyber threats facing our national, and otherwise critical, infrastructures are very real – and more needs to be done to ensure that they are protected.
Are We Seeing the End of Stealth-Mode Cyberwarfare?
Notable among the nation–state attacks on critical infrastructure was a cyberwar fought between Israel and Iran. The battle began with a cyberattack on Israeli water facilities on the last weekend of April 2020. Although the Israeli Water Authority shared a week later that the attack only affected a “few farmers”, the potential damage to several of its water plants served as an unnerving reminder about the present nature of nation-state threats.
In response, Israeli forces retaliated with an attack that caused one of Iran’s busiest seaports to come to an abrupt halt on May 9, 2020. According to a report in The Washington Post, satellite photos from that day show miles-long traffic jams on highways leading to the Shahid Rajaee port. A photo dated three days later showed dozens of ships, loaded with containers, just off the coast waiting for berth.
Speaking in a pre-recorded message at a professional conference, the head of Israel’s National Cyber Security Authority said that the attack on water facilities could have caused a “humanitarian disaster” had it not been thwarted. He also admitted that the attack was well organized and was aiming at disrupting the water supply or poisoning drinking water by changing the rate of added chemicals like chlorine.
On the Iranian side, ISNA, a state-controlled news agency, quoted the head of ICT of its Ports and Maritime Organization, who acknowledged an attack. However, the Iranian official pointed out that its impact was limited and said, “it is not certain that the attack is of foreign origin”.
In another unusual step, the Israeli Chief of Staff Aviv Kochavi made a public speech on May 19th that all but acknowledged Israel’s involvement in recent events in Shahid Rajaee port. “Dozens of attacks, some of them very recent, had proved Israel’s superior intelligence and firepower capabilities.”
Normally, even if a state-sponsored cyber-attack results in visible consequences, neither the victim nor the attacker acknowledges the attack. But this unusually public cyber fight between Iran and Israel brings a war fought largely in secret into a new, more open phase, where new rules of engagement and deterrence are in the process of being established.
Threat Actors Are Trying to Disrupt the Race to a Vaccine
Further afield, the pandemic has also emboldened criminals to disrupt pharmaceutical firms and health care companies. The need for these organizations to maintain operations has increased their threat profile: criminals have already successfully extorted $1.14m from the University of California San Francisco’s medical research institution, forced the Brno University Hospital to shut down its entire IT network and hit ExecuPharm with a ransomware attack in March. While ExecuPharm is not playing a central role in the development of COVID–19 vaccines or treatment, the other two are, and targeting any part of the medical infrastructure at this time threatens the health and well–being of the entire general public.
Recently, US, UK and Canadian security officials pinned a number of these attacks, and several similar to them, on Russian hacking group APT29, otherwise known as “the Dukes” or “Cozy Bear.” Unlike the Israeli and Iranian officials’ cloaked openness about their recent cyberattacks, a representative from the Kremlin stated that Russia has “nothing to do” with the hacks, despite the joint US, UK and Canadian release stating, “APT29's campaign of malicious activity is ongoing, predominantly against government, diplomatic, think tank, healthcare and energy targets to steal valuable intellectual property.”
What’s clear is that we are currently operating in very murky times. At the start of the pandemic, a collective of ransomware gangs joined together to give the world a glimmer of hope by saying that they were going to cease their attacks on healthcare organizations during the crisis. Clearly, this honor amongst thieves hasn’t been universally adopted. Attacks on critical infrastructure are coming from a variety of unknown attackers and nation-state threat actors. And with heightening political tensions growing around the world, the need for greater protection of critical infrastructure that helps us all to continue living our lives could not be clearer.
Protecting Critical Infrastructure Starts by Dismantling Operational Silos
One feature common to critical infrastructure sectors as diverse as water treatment, transport and pharmaceuticals is a hybrid IT/OT environment containing difficult-to-protect OT devices. To stave off increased threats, critical infrastructure entities need to develop holistic cybersecurity management strategies that cover the entirety of their estate. The reality, currently, is that most organizations are still a long way from being able to achieve this. IT and OT professionals have very different skillsets, work in different environments and are known to operate within rigid silos, making a hybrid security program a major challenge.
Dismantling these silos needs to happen through iterative change. The teams charged with operating and developing OT devices need to develop foundational knowledge that can be used to protect these notoriously difficult–to–patch network areas. Considering their training in electrical engineering, it is only natural that they may have an aversion to implementing IT–derived cybersecurity measures. Further, they may lack full awareness of the risks that exist within the internet–connected devices and third–party networks that are becoming increasingly interlinked with their OT devices.
It is only when these silos have been eliminated that processes critical to the success of hybrid security management – including the ability to model all data within the expansive environment, gain visibility over all vulnerabilities and assets, and limit the size of the attack surface – will become possible. Attackers are already making their presence felt within mission-critical areas: more needs to be done to stop their trail of disruption.