The physical threat to the world's critical national infrastructure (CNI) has never been greater. At least 50 meters of the Nord Stream 1 and 2 underground pipelines that once transported Russian gas to Germany were destroyed in an attack in late September 2022, though it remains unclear who is to blame.
More recently, Russia has also shifted its war in Ukraine to targeting energy infrastructure with its own missiles and Iran-supplied Shahed-136 drones. According to a tweet from Ukraine's President Volodymyr Zelensky on Oct. 18, "30% of Ukraine's power stations have been destroyed, causing massive blackouts across the country," while on Nov. 1 during a meeting with the European Commissioner for Energy, Kadri Simson, Zelensky said that between "30% and 40% of [the country's] energy systems had been destroyed."
Growing Cybersecurity Threat
However, physical security threats resulting from the war in Ukraine and increasing tensions between East and West aren't the only serious threats to our CNI. There is a growing cybersecurity threat too. On May 7, 2021, the Colonial Pipeline that originates in Houston, Texas, and that carries gasoline and jet fuel to the southeastern US was forced to halt all of its operations to contain a ransomware attack.
In this attack, hackers gained entry through a VPN (virtual private network) account that allowed employees to access the company's systems remotely, using a single username and password found on the Dark Web. Colonial paid the hackers, an affiliate of the Russia-linked cybercrime group DarkSide, a $4.4 million ransom shortly after the attack.
Less than a year later, Sandworm, a threat group allegedly operated by the Russian cybermilitary unit of the GRU, attempted to prevent an unnamed Ukrainian power provider from functioning. "The attackers attempted to take down several infrastructure components of their target, namely: Electrical substations, Windows-operated computing systems, Linux-operated server equipment, [and] active network equipment," the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said in a statement.
Slovak cybersecurity firm ESET, which collaborated with Ukrainian authorities to analyze the attack, said the attempted intrusion involved the use of ICS-capable malware and regular disk wipers, with the adversary unleashing an updated variant of the Industroyer malware.
"The Sandworm attackers made an attempt to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine," ESET explained. The victim's power grid network was understood to have been penetrated in two waves, the initial compromise coinciding with the Russian invasion of Ukraine in February 2022 and a follow-up infiltration in April allowing the attackers to upload Industroyer2.
According to John Vestberg, CEO of Clavister, a Swedish company specializing in network security software, "it is now beyond doubt that cybercriminals pose an ever-increasing threat to critical national infrastructure." He adds: "CNI, such as oil and gas, is a prime target for ransomware gangs." He believes energy firms and their suppliers need to take a more proactive, rather than reactive, approach to cybersecurity using predictive analytics and tools like AI (artificial intelligence) and ML (machine learning) technologies.
Camellia Chan, CEO and founder of Flexxon brand X-PHY, agrees: "It's crucial that CNI organizations never take their eyes off the ball," she says. "Good cybersecurity is an ongoing, proactive, intelligent, and self-learning process and embracing emerging tech such as AI as part of a multilayered cybersecurity solution is essential to detect every type of attack and help create a more robust cybersecurity framework."
Nor are the well-organized, often state-sponsored, ransomware gangs the only problem CNI organizations face. Part of the issue is that as industrial organizations (including utilities such as water and energy companies) digitize their environments, they are exposing potential security weaknesses and vulnerabilities to threat actors much more than in the past.
Integrated IT/OT Networks
Traditionally, security was not viewed as critically important for an organization's OT (operational technology) network, because that network was designed to be isolated and because it ran proprietary industrial protocols and custom software. This is no longer the case.
As Daniel Trivellato, VP of OT product engineering at Forescout, a cybersecurity automation software company, says: "OT environments have modernized and are no longer air-gapped from IT networks, meaning that they are more exposed and their lack of security measures poses a critical risk." In connecting these two environments, organizations are widening the threat landscape without necessarily putting appropriate measures in place to mitigate the risk.
According to Trivellato, this hasn't gone "unnoticed by threat actors": ICS- and OT-specific malware such as Industroyer, Triton, and Incontroller is evidence of the increasingly sophisticated capabilities attackers have begun to deploy, resulting in many serious incidents. "While most OT devices can't be patched out, there are practices to address the weaknesses such as device visibility and asset management, segmentation, and continuous monitoring of traffic," Trivellato adds.
Grid Edge Risk
For Trevor Dearing, director of critical infrastructure solutions at zero-trust segmentation company Illumio, part of the attraction to cybercriminals of attacking energy companies is the potentially high rewards on offer. "Many of the gangs are realizing that if they can prevent the service from being delivered to customers then companies are more likely to pay the ransom than if they are just stealing data," he says.
A further problem, he says, is that energy systems no longer just comprise the traditional grid including power stations and power lines. Instead, what's emerging is what's known as the "grid edge" — decentralized devices such as smart meters as well as solar panels and batteries in people's homes and businesses. Utah-based company sPower, which owns and operates over 150 generators in the US, was believed to be the first renewable energy provider to be hit by a cybersecurity attack in March 2019 when threat actors exploited a known flaw in Cisco firewalls to disrupt communications over a span of about 12 hours.
One way that renewable energy systems are particularly vulnerable to attack is through their inverters. Providing the interface between solar panels and the grid, these are used to convert the DC (direct current) energy generated by the PV (photovoltaic) solar panel into AC (alternating current) electricity provided to the mains. If the inverter's software isn't updated and secure, its data could be intercepted and manipulated in much the same way as previous attacks in Ukraine and the US. Furthermore, an attacker could also embed code in an inverter that could spread malware into the larger power system, creating even more damage.
According to Ali Mehrizi-Sani, associate professor at Virginia Polytechnic Institute and State University and co-author of a 2018 paper assessing the cybersecurity risk of solar PV, hackers can artificially create a malfunction in a PV system in order to launch cyberattacks against the inverter controls and monitoring system.
"This is a vulnerability that can be, and has been, exploited to attack the power system," he told online publication PV Tech in November 2020. And while currently the potential risk of a cybersecurity attack to solar power networks remains low because the technology hasn't yet reached critical mass, as it becomes more decentralized — with solar panels installed in public places and on top of buildings — managing networks will increasingly rely on robust, cloud-based IoT security.
One way that governments as well as organizations can ensure the highest levels of CNI protection is through the implementation of standards. For example, Germany put IT security laws in place several years ago, making it mandatory for all network providers, operators, and other CNI businesses to ensure they meet the ISO 27001 family of standards for information security management systems (ISMS), while in the UK there are obligations stipulated in the BSI Criticality Ordinance to demonstrate a complete IT security strategy to secure the operation of critical infrastructure.
Similarly, in the US the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) group of standards governs the critical infrastructure of all entities that materially affect the BES (Bulk Electric System) in North America — though this set of standards applies only to electricity and not to the oil and gas industries. According to Cliff Martin, head of cyber incident response at GRCI Law, a legal, risk, and compliance consultancy firm, staff who are responsible for CNI need to be trained accordingly and understand that their actions can have real consequences. "This means they can't simply copy and paste traditional IT cybersecurity measures over to the IT environment — it just doesn't work like that."
However, Illumio's Dearing says that what's happening is that more and more companies are developing a single strategy for both OT and IT environments. "The key," he says, "is to assume you are going to be breached and plan accordingly. If you segment by separating out all the different bits of your infrastructure, then an attack on one part isn't necessarily going to have a knock-on effect on all the other parts."
The war in Ukraine and attacks on the Nord Stream pipelines have alerted companies to the physical threat posed to energy infrastructure, especially during winter in the northern hemisphere. However, that's not the only concern. Cybersecurity attacks on CNI are increasing, partly because of a growing threat from nation-state actors but also because cybercriminals are realizing that they can make serious money from potentially denying a much-needed service to customers. At the same time, the convergence of OT and IT technologies is providing a potentially much greater attack surface for cybercriminals to target.
Whereas traditionally security has not been seen as a critical consideration for OT, this needs to change with an increased focus on technical solutions such as segmentation and continuous monitoring of network traffic if companies are going to prevent a potentially catastrophic breach to CNI from taking place.
—Story by Chris Price
This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.