It has long been recognised that no one is safe from cyber-attacks, but some sectors face a much higher level of threat than others. Critical infrastructure sectors such as utilities, energy and industrial manufacturing are some of those that face an intense level of interest from cyber criminals and nation-state groups across the globe.
The impacts of a successful attack can have detrimental consequences, for both the cyber and physical side of the business, in terms of business disruption, economic dips and other real-life consequences.
Compromise of ICS and SCADA systems
One of the greatest risks to these critical infrastructure sectors is the compromise of ICS and SCADA systems inside operational technology environments (OT environments). Attackers can move laterally from IT networks to OT environments, with the potential to cause even greater damage or disruption.
But even those attackers, who solely focus on compromising IT environments, are still able to trigger major disruption, by disabling day-to-day processes that are involved in the production and roll-out of solutions and services.
Rise in cyber-attacks on utility and energy sector
Recent events have shown that attacks on the utility and energy sector are ramping up
Recent events have shown that attacks on the utility and energy sector are ramping up. The attack on the US Colonial Pipeline, for example, was one of the most high-profile breaches in the industry’s history, particularly when considering the secondary, physical consequences.
The decision to shut down the Colonial Pipeline, while considered necessary, triggered a wave of disruption, leading to gasoline shortages and inflated costs. This is just one example of the serious effects that a successful cyber breach can have on an organisation.
Ransomware-based attacks
Often financially motivated, one of the most common methods that cyber criminals increasingly opt for is ransomware-based attacks, as they are an effective way of blackmailing organisations into handing over valuable credentials or completing financial transactions. Once armed with the company credentials, threat actors can then post a sale of access to compromised networks on underground criminal forums.
Armed with stolen credentials and therefore, access to the network, adversaries can then move laterally across the IT systems in OT environments. The ability to travel laterally is a sign of poor network segmentation on the business side between IT and OT networks.
Malicious links in phishing emails
If files are encrypted by criminals within both environments, businesses are faced with double the amount of disruption. This can lead to companies having to shut down operations, even if just as a precaution, just like in the case of the Colonial Pipeline.
Malicious links included in phishing emails are another simple and highly effective method used by criminals to compromise company networks. While there are many security solutions that defend against common phishing attempts, criminal activity is becoming far more advanced, to the point where they are able to bypass standard security systems and gain access to the most sensitive of files.
Why critical infrastructure is targeted
Common forms of attack involve theft of personally identifiable information (PII) of customers and employees
Businesses within the utilities and energy sectors often hold data deemed highly valuable by threat actors, including both basic criminal gangs and advanced nation-state operatives. Common forms of attack involve theft of personally identifiable information (PII) of customers and employees, either for further exploitation or to sell on the dark web.
However, motivations can develop far beyond the usual common criminal. Nation-states have also taken great interest in these industries to steal competitive intelligence, in order to gain market advantages over foreign competitors. States including Russia, Iran and China, have all been suspected of targeting competitor countries in the critical infrastructure markets.
Cyber threats posed by nation-states
Aside from gaining a competitive edge, nations have also been known to engage in these cyber battles as forms of retaliation for previous attacks, or to get one-over on rivals. For example, it’s been recognised that motivations behind Iranian actions on the energy sector are due to the value of oil and gas in being central to the Iranian economy, and international efforts against their nuclear programme.
Other Iranian actors have focused their efforts on water infrastructures and attempted to compromise chlorine levels in Israeli water supplies back in 2020. The chlorine levels would have been reset to toxic levels, which could have had devastating physical consequences. On the other hand, motivations in China have revolved around competitive intelligence and intellectual property for cyber espionage. The data is subsequently used to advance economic growth in different industries.
Physical and digital disruptions
Due to the nature of these industries, in addition to companies facing business disruption and loss of customer trust, consequences could span beyond the digital side of the business. As outlined above, these attacks on utilities and other industrial organisations can result in physical damage, as well as digital disruption. Unlike other markets, utilities are directly involved in people’s lives, and any attack on a company will impact individuals through a domino effect.
The incident with an Iranian actor attempting to sabotage chlorine levels in an Israeli water supply is a prime example of this. While the attack was against the water provider itself, the consequences could have been harmful to the wider population, who rely on the water supply.
Again, the Colonial Pipeline attack had consequences that expanded beyond the targeted company. Inflated prices and fuel shortages impacted all customers at the end of the supply chain. Attacks on any critical infrastructure could cause both short and long-term physical impacts, including blackouts, disrupted energy supply, and even physical harm to individuals.
Need for a multi-layered defence solution
The best way to deal with these forms of cyber-attacks is to bring everything right back to basics
The best way to deal with these forms of cyber-attacks is to bring everything right back to basics. In most cases, criminals carry out their attacks by first gaining access to IT networks through the usual means of phishing emails and malicious links. Organisations should, therefore, ensure they have a multi-layered defence solution implemented, including advanced email security.
There are a number of features that these solutions should deploy, including spam filters to prevent malicious emails from actually making it to the inbox. Sandbox analysis is also critical for scrutinising email attachments, especially for external senders and emails containing suspicious file formats. These solutions should feature rules that block the execution of macros in Microsoft Office attachments to emails from senders outside the organisation.
Enhancing cyber security with encryption and authentication
Additional features to help prevent lateral movement through the network are also worth considering. Demilitarised zones (DMZs) are also often used to divide IT and OT networks, as part of segmentation efforts and have proven to be highly effective.
Further solutions such as encryption and authentication requirements will help restrict adversaries’ access to different areas of the network, should they be successful in breaching the defence line. Everyone should be involved in maintaining an organisation’s line of defence. Education and training are vital, as employers can arm workers with the tools to spot and remove malicious emails, should any make it through the line of defence.
Educating employees on enterprise security
Human workers are often considered the weak point in a company’s cyber security, often due to lack of understanding of the risks. Keeping employees informed and educated will prove beneficial to the security of an organisation in the long run.