Written by David Adams
The facilities and systems that keep the country running are vulnerable to more risks today than ever before. The added element of cyber risk makes the landscape even more perilous. David Adams scans the CNI risks horizon
Continuity risks capable of damaging or destroying elements of critical national infrastructure (CNI) could have disastrous implications for millions of people. Of course, within many – hopefully most – of these organisations, from utilities or transport networks to government, or major financial companies, retailers and manufacturers, continuity planning is advanced and resourced. But new risks to these organisations, associated with both indiscriminate and targeted cyber attacks, are evolving rapidly.
Research into this subject keeps generating alarming news. Almost 70 per cent of 599 critical infrastructure organisations across the globe suffered at least one security breach resulting in the loss of confidential information or disruption of operations in the year up to mid-2014, according to research from Unisys and the Ponemon Institute.
Of particular concern are industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, which monitor and manage infrastructure plant and facilities, including, for example, power stations or water treatment plants. It was this type of technology that was the target of the most famous cyber attack on national infrastructure: the Stuxnet worm, which damaged uranium enrichment equipment in Iran during 2010 (and went on to infect many more organisations worldwide). In 2014 the first cyber attack since Stuxnet that resulted in physical destruction of infrastructure took place: an attack on a German steelworks that caused significant damage to a blast furnace.
Other recent attacks have resulted in the publishing online of confidential plans and information about CNI facilities, as when detailed plans of nuclear power equipment in South Korea were leaked. In late 2014 cybersecurity firm Cylance reported on efforts made by a group of Iranian hackers to obtain information about CNI, including oil and gas companies and transport networks in the US, the Middle East, northern Europe and elsewhere. Cylance dubbed this campaign Operation Cleaver. It revealed that Cleaver had obtained information from more than 50 different targets during the previous two years. Although a variety of methods were used to gain access to networks Cleaver generally used conventional SQL injection and spear phishing techniques to implant malware on networks, from where attackers moved through networks to extract data. This demonstrates how vulnerable even these nationally important institutions can be to fairly unsophisticated attacks. That same year, another piece of malware, Black Energy, targeted energy generation plants including nuclear power stations, oil pipelines and other CNI facilities in the US. It appears to have been created by a group of Russian hackers.
Those in charge of CNI have long been concerned about the potential for attacks. Simon Goldsmith, cyber director at BAE Systems Applied Intelligence, says that what’s different today is that technologies mean costs and risks for threat actors are much lower. At the same time, ICS, SCADA and other systems that control CNI facilities are now more likely to be connected to the internet.
Many ICS/SCADA systems are also built using off the shelf technologies that are fairly easy for attackers to manipulate. These technologies are also likely to have been in place for longer than have most corporate systems, in part because of the practical obstacles to frequent upgrades. Some may have been in operation for 20 or more years and may be linked with pre-internet communications technology; or internet connectivity may have been added at a later date, perhaps via wireless communications. Systems may also be at risk if security patches – software updates – are not up to date, because of administrative or logistical delays, or because they are based on technically obsolete platforms no longer supported by the original vendor.
Richard Piggin, capability manager at Atkins, thinks many CNI organisations and even some parts of the continuity industry took too long to understand the implications of Stuxnet – about how many vulnerable ICS or SCADA systems existed within CNI, how vulnerable they might be to these types of attacks; and the extent to which information about them was being shared by threat actors.
Goldsmith divides those attackers into three groups: cyber criminals trying to make money, cyber ‘hactivists’; and attackers conducting espionage and/or sabotage. The latter group are most likely to have access to the greatest technical and financial resources, possibly with the backing of a state government, but all three could have a significant impact on a targeted organisation.
Neither Goldsmith nor Piggin take much comfort from the fact that to date cyber attacks on CNI systems appear to have been designed to extract data, rather than cause damage: they may simply be gathering intelligence for a more damaging attack to follow at a later stage. In 2014 security company F-Secure discovered a type of malware, a variant of the Havex Remote Access Trojan (RAT), which had been adapted for the specific purpose of intelligence gathering from ICS and identifying servers that managed communications between different ICS and SCADA systems. It has been suggested that this and other RAT variants may have links with the Russian government.
Traditional risks remain
There are physical risks to consider too – some of which can easily be overlooked. Colin Allen, principal of AITCo Consulting, advises organisations of all kinds on the elimination or mitigation of risks associated with glass buildings. Correctly fitted fire and blast-proofed glass can protect companies against theft – he has come across examples of thieves detaching large sheets of glass from financial companies’ buildings then walking in to steal IT equipment – and fire, which can otherwise pass from one building to the next by blasting through windows.
Nonetheless, cyber security is attracting the most attention and is now high on the agenda for many CNI organisations. Tom Patterson, vice-president and general manager at Unisys Security, believes the energy sector is leading the way in terms of addressing this issue. Other heavily regulated industries, particularly financial services, have also made impressive advances.
But Goldsmith believes there is room for improvement in terms of raising awareness of these issues in the boardroom, then translating this into practical activity. In particular, he would like to see more resources put into effective staff awareness and training. Patterson also believes too many organisations still suffer from a lack of coordination between teams tasked with cyber and physical security.
Improving the way an organisation addresses these issues should also incorporate a rethink on shooting the messenger, says Allen, even if the messenger is actually owning up to their own mistakes. Apportioning blame serves no purpose other than to encourage people to hide things, he maintains: it is more important to discover the causes of an incident.
National governments also have a crucial role to play. The US federal government recently issued a new revision to its guide to ICS security; while the UK’s Centre for the Protection of National Infrastructure (CPNI) continues to update advice and guidance for affected organisations. Patterson is encouraged by the extent to which the UK government facilitates cooperation with and between itself and private sector organisations, via initiatives including the Cyber-Security Information Sharing Partnership (CISP) and the work of the CPNI.
But, bearing in mind the scale of the – possibly unstoppable, possibly undetectable – cyber threat, should we be bracing ourselves for a major, possibly catastrophic CNI continuity incident in the near future?
“Critical infrastructure is vulnerable,” says Patterson. “There are a lot of people who want to attack it, for a variety of reasons. Critical infrastructure will continue to be attacked and the big one may come one day, maybe because one organisation didn’t take the issue seriously enough.”
“It’s certainly true that we’re noticing an increasing amount of capability among threat actors,” agrees Goldsmith. “The velocity and destructiveness of threats is increasing. That does suggest there could be something nasty on the horizon.” Whether or not that comes to pass, it is clear that CNI faces unprecedented dangers and that while world peace, harmony and economic equality remain elusive, work to protect it must continue.
This article was published in the July 2015 issue of CIR Magazine.
Download in PDF format
Click here for more interviews and analysis
Contact the editor