This year started off with a bang, with critical infrastructure attacks — both physical and cyber — at an all-time high. The Cybersecurity and Infrastructure Security Agency (CISA) released 12 industrial control system (ICS) advisories warning of critical security flaws, while the hacker group GhostSec, aka Anonymous Operations, claimed to have used ransomware in encrypting an industrial remote terminal unit of the type relied on by critical infrastructure.
Critical Infrastructure Becoming Favorite Attacker Target
Operational technology in critical infrastructure is the new favorite target for attackers. Why?
- Critical infrastructure attacks result in widespread impacts. Every second of downtime at energy suppliers, utilities, and hospitals around the world can leave communities stranded and even cost lives, forcing parties to respond quickly. Shutting down train service or a gas pipeline has enormous, highly visible consequences, including significant threats of financial harm and risk to human safety.
- These attacks draw international attention. The sensitivity and value of industrial targets makes for a more compelling news story than hitting a corporate target's IT network. This is why adversaries such as GhostSec prioritize developing and publicizing their operational technology (OT) attack capabilities.
- Critical infrastructure attacks also increase the success of a ransomware payout. There's an increasing need to interconnect OT networks and assets safely with IT and cloud assets to support new business initiatives (e.g., supporting today's distributed workforce via remote access), and there's a glaring lack of effective mechanisms for providing it securely, which is causing the OT attack surface to balloon. Enter attackers with sophisticated ransomware techniques at the ready.
- Successful attackers can and do sell their tools and tactics to adversarial governments. For instance, disruption to Western energy suppliers can benefit an adversarial regime such as Russia's when those attacks increase European dependency on Russian energy supplies.
DoJ Disrupts Ransomware Group Attacking Critical Infrastructure
In the fight against ransomware, the Department of Justice (DoJ) has made progress. According to a Jan. 26 press release, the department launched a "months-long disruption campaign against the Hive ransomware group that has targeted more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure."
This announcement is a win for the DoJ, but we also need to be realistic. Adversaries are smart, and this win is bound to be short-lived. There is a lesson here for anyone responsible for securing critical infrastructure.
Protecting Critical Infrastructure Requires a New Mindset
Massive digital transformations happening in industrial segments (like energy, manufacturing, and utilities) require a new perspective to cybersecurity — this will become central not only to effective operations but to keeping society safe in 2023. In order to protect the world's energy infrastructure amid rising geopolitical tensions, shifting market dynamics, and fast digital transformation efforts — and all in the face of highly motivated adversaries — it's no longer enough to know you've been hacked. Preventative cybersecurity is a must, especially when it comes to safeguarding our world's scarcest resources.
If we don't shift our mindset and find ways to not only detect adversaries but also block them from being able to inflict harm, we'll continue to see these ransomware attacks succeed. They're always one step ahead and bound to already be searching for new ways to break through and impact our day-to-day lives in order to achieve their goals.
It's time for critical infrastructure operators to tackle the challenge of securely interconnecting OT assets with IT and the cloud without exposing vulnerable devices to corporate or public networks. They need to support business initiatives to allow distributed workforces and vendors to access critical components that can have a physical impact on the real world, in order to provide upgrades or manage urgent issues rapidly without opening up to new attack vectors. As OT assets grow more distributed, along with the experts who build, operate, and maintain them, this challenge will only increase. Now is the time for critical infrastructure organizations to invest in modernizing their access management and data security, leveraging zero trust strategies, to stay ahead of cyberattackers.
Rigorous cyber hardening of critical operations needs to happen — immediately. The mindset must shift from not just detecting cyberattacks, but to blocking them outright. The massive uptick in attacks should serve as a wakeup call to the industry. Even the minority of attacks that are reported publicly have become too numerous to ignore. And with the latest cybersecurity innovations, preventing harm is possible, even once the threat has already infiltrated inside an operational network.