Cyberattacks on critical infrastructures such as power systems have important economic implications and risk becoming targets in conflicts between nations.
In March 2020, a survey on the global state of industrial cybersecurity found that nearly three in four IT security professionals were more worried about cyberattacks on critical infrastructure than they were of a data breach in their own organisation.
In an article published in April 2020, we also wrote in-depth about the biggest threats to cyber security in 2020, with malware and ransomware high on that list. These are both common methods of cyberattack on critical infrastructure and have been used in a series of attacks around the world including the USA, Ukraine, Japan and the UK.
All of this is consistent with the 2020 Global Risks Report from the World Economic Forum that noted the rise in cyberattacks targeting critical infrastructure such as energy, transportation and health care to name but a few.
The report went on to say that, “Public and private sectors alike are at risk of being held hostage. Organized cybercrime entities are joining forces, and their likelihood of detection and prosecution is estimated to be as low as 0.05% in the United States. Cybercrime-as-a-service is also a growing business model, as the increasing sophistication of tools on the Darknet makes malicious services more affordable and easily accessible for anyone.”
What is critical infrastructure?
Critical infrastructure (or critical national infrastructure (CNI) in the UK) is a term used by governments to describe assets that are essential for the functioning of a society and economy – the infrastructure.
According to the Cybersecurity and Infrastructure Agency – an official arm of the United States Government – there are 16 critical infrastructure sectors whose assets, systems and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
Whilst this is specific to the US, many countries around the world hold the same or similar sectors as critical to the overall infrastructure of the country. These sectors include:
- Emergency Services
- Financial Services
- Government Facilities
- Information Technology
- Commercial Facilities
- Critical Manufacturing
- Defence Industrial Base
- Food and Agriculture
- Healthcare and Public Health
- Nuclear Reactors, Materials, and Waste
- Water and Wastewater
Complexity of critical infrastructure
Critical infrastructure, like power generation and distribution, is becoming more complex and reliant on networks of connected devices. Just decades ago, power grids and other critical infrastructure operated in isolation. Now they are far more interconnected, both in terms of geography and across sectors.
In December 2015, the world witnessed the first known power outage caused by a malicious cyber-attack. Three utilities companies in Ukraine were hit by BlackEnergy malware, leaving hundreds of thousands of homes without electricity for six hours.
According to cyber security firm Trend Micro, the malware targeted the utility firms’ SCADA (supervisory control and data acquisition) systems and probably began with a phishing attack.
The blackout was followed two months later by the news that the Israel National Electricity Authority had suffered a major cyber-attack, although damage was mitigated after the Israel Electricity Corporation shut down systems to prevent the spread of a virus.
You can read more about critical infrastructure cyberattacks in a report by NEC Global.
Concerns over critical infrastructure cyberattacks
The energy sector is one of the main targets of cyber-attacks against critical infrastructure, but it is not the only one. Transport, public sector services, telecommunications and critical manufacturing industries are also vulnerable. Concerns over critical infrastructure cyberattacks are valid. Here are some of the growing reasons for concern:
Highly organised cybercriminals
The sophistication of cyberattacks in this day and age now demands a holistic approach to cyber security to protect oneself or an organisation from as many potential threats as possible. With perpetrators constantly searching for vulnerabilities and developing their own sophisticated techniques in doing so, it’s crucial that those that rely on technology and systems equip themselves with the best defence of these threats where they can.
Given the potentially catastrophic repercussions of a successful attack, these organised adversaries prioritise critical infrastructure targets in their cyberwarfare or cybercrime strategy. A successful attack on energy infrastructure could trigger disruptions in diverse essential systems, including health care, transportation, financial services, and food supply.
This threat has been added to by the ongoing COVID-19 pandemic. Australian Home Affairs Department secretary Mile Pezzullo believes the threat posed by sophisticated criminals and hackers acting for other nations is “deeply concerning”.
“Of all the things that keep me awake at night, and there are quite a number, that is the most pressing, immediate concern,” he told Senate estimates.
“COVID has been dreadful, COVID has been terrible given the deaths, imagine trying to do COVID without electricity.
“It’s as immediate, it is as realistic, and it is as credible a threat as that.”
We have already talked widely about the new threats caused by an ever-more-connected world.
Critical infrastructure is not immune from the threats lurking on the internet and the information technology revolution that has transformed every other aspect of modern work and life. The days when energy infrastructure was run by isolated systems on location are long gone.
Today, critical infrastructure is connected to the global digital environment. This has brought unprecedented convenience and control to infrastructure managers. However, it has also increased the number, nature, scale, and sophistication of infrastructure vulnerabilities.
The threat surface has been greatly expanded, compounded by the rise of the Internet of Things, including the push toward smart cities and smart homes.
Ability to hack physical systems by cyber-means
Every company is continuously in danger of a cyberattack on their proprietary data, websites, communication systems, customer accounts, and business networks. Critical infrastructure providers, however, must contend with the additional threat of attacks on their operational technology (OT) systems, often referred to as infrastructure control systems (ICS) or supervisor control and data acquisition (SCADA).
Cyber-attacks against critical infrastructure and manufacturing are more likely to target industrial control systems than steal data, according to the Organization of American States and Trend Micro.
Their research found that 54% of the 500 US critical infrastructure suppliers surveyed had reported attempts to control systems, while 40% had experienced attempts to shut down systems. Over half said that they had noticed an increase in attacks, while three-quarters believed that those attacks were becoming more sophisticated.
ICS/SCADA are responsible for operating physical processes like the generating, processing, and delivery of water, power, fuel, chemicals, transportation, and communication. A cyberattack on these operational technology systems may potentially damage vital equipment, disrupt essential services, threaten health and safety, and precipitate disruption to a wide range of other market sectors.
Dangers of digital innovation
The digital nature of new technologies makes them intrinsically vulnerable to cyberattacks that can take a multitude of forms—from data theft and ransomware to the overtaking of systems with potentially large-scale harmful consequences.
Operational technologies are at increased risk because cyberattacks could cause more traditional, kinetic impacts as technology is being extended into the physical world, creating a cyber-physical system. However, using “security-by-design” principles to integrate cybersecurity features into new products is still secondary to getting products quickly out into the market.
Cyberattacks on critical infrastructure have become the new normal across sectors such as energy, healthcare, and transportation. Such attacks have even affected entire cities.
In May 2021, here in New Zealand, the Waikato DHB (District Health Board) was subject to a “Zeppelin” ransomware attack that crippled the DHB system. Jeremy Jones, head of cybersecurity at IT consultancy Theta, said the Zeppelin ransomware had been around since 2019 or earlier, but the recent upgrade of the malware made it “harder to detect [and] more aggressive”.
It is expected to take weeks for the Waikato DHB to recover from the attack and resurrect nearly 700 computer servers. It is expected that the hackers are likely to threaten to dump patient information online if a ransom is not paid. The health board has already stated that it will not pay any ransom.
The IoT is also amplifying the potential cyberattack surface. It is estimated that there are already over 21 billion IoT devices worldwide, and their number will double by 2025.
Attacks on IoT devices increased by more than 300% in the first half of 2019, while in September 2019, IoTs were used to take down Wikipedia through classic distributed denial of service (DDoS) attacks, and the risk of IoT devices being used as intermediaries is expected to increase. In 2021, according to Cybersecurity Ventures, cybercrime damages might reach US$6 trillion— what would be equivalent to the GDP of the world’s third largest economy.
Cyberattacks on critical infrastructure are a very real threat and governments around the world are already sitting up and taking notice. As with all cybercrimes, it’s a battle for governments and cybersecurity experts to keep pace with the sophisticated technologies and tactics being deployed by cybercriminals. You can read more about cybersecurity in the articles below and also find out more about cybersecurity and network security solutions from NEC New Zealand.