Analysis: CBR talks to experts at Schneider Electric, Dell, ViaSat, FireEye, NTT, Bitdefender and others on the likelihood and types of attacks on power stations and transport systems
The prospect of cyber attackers successfully derailing national critical infrastructure (NCI) "is not the stuff of fiction anymore".
So says Jon Geater, CTO at cybersecurity firm Thales e-Security, who told CBR that "today, this threat is real and growing, and it is crucial that robust cyber security defences are in place to safeguard our vital services from this growing risk".
Over the last few years several attacks on national critical infrastructure (NCI) have been reported, cutting power to consumers and affecting nuclear facilities.
The most widely discussed cyber attack on a country's NCI is Stuxnet, the worm active in 2009 and 2010 and discovered in June 2010, which is widely reported to have been built by the US and Israeli governments to sabotage Iran's nuclear programme.
The worm was used to destroy centrifuges being used for uranium enrichment. Just last year it was also reported that the US National Security Agency had tried a Stuxnet-derived attack against North Korea's nuclear programme; that malware was programmed to activate only when it found Korean-language settings on an infected machine.
In December 2015, attackers attributed to Russia compromised the Ukrainian power grid by gaining unauthorised access to the Prykarpattyaoblenergo control centre, leaving more than 200,000 customers without electricity.
And just last month, in April 2016, production at a German nuclear plant was almost halted after computer viruses were found on PCs used at the site.
RWE, the company managing the Gundremmingen plant, 120 km (75 miles) northwest of Munich, said no critical system in the nuclear reactors was affected.
The prediction is that attacks will only rise. Chris McIntosh, CEO ViaSat UK, told CBR: "We can safely say that there will be an escalation in the frequency and sophistication of cyber-attacks on critical infrastructures, and we are likely to see more of these in future.
"However, the level of impact that these attacks are able to inflict on businesses is dictated by their willingness to take any potential threats seriously and implement the necessary security."
Data centres as part of the NCI
Those in the data centre industry recognise that being the hub of the digital economy and its infrastructure makes data centres critical national infrastructure in their own right.
Ultimately, the entire supply chain depends directly or indirectly on a data centre. Whether large hubs or sites at the edge, these 'data warehouses' keep transport systems running and power grids delivering power.
David Emm, principal security researcher at Kaspersky Lab, told CBR that a data centre breach could be even worse where attackers use it as a stepping-stone to reach critical systems.
In the UK, communications, emergency services, energy, financial services, food, government, health, transport, water, defence, civil nuclear, space and chemicals are labelled as national critical infrastructure.
However, in 2010 the government's Centre for the Protection of National Infrastructure (CPNI) also recognised data centres as a key NCI asset, because of the economy's ever-growing dependency on online services.
Data centres are usually hard targets for cyber attacks, yet attacks do happen. For example, the US National Security Agency (NSA) has acknowledged that its Utah data centre is the target of some 300 million hacking attempts a day; back in 2010 attacks topped 'only' 25,000 to 80,000 per day.
According to Emerson Network Power, cyber crime now accounts for 22% of data centre outages, up from 2% in 2010, a 1,000% increase over six years.
ViaSat‘s McIntosh said that traditionally, protecting critical infrastructure has meant physically protecting it. "Attackers are now targeting more vulnerable substations that provide access points for malicious infiltration as an easy route onto the power network," he told CBR.
"Furthermore, this has been amplified through the use of smart meters connected to grids over the internet creating even more points of entry. The end result is essentially a spider’s web with every strand a viable point of entry."
The threat landscape has never been so huge
With incidents on the rise worldwide, data centre operators have reason to be concerned about how to secure sites at a time when cyberattacks, whether politically or financially motivated, are becoming more sophisticated.
Jay Abdallah, EMEA director of cyber security services at Schneider Electric, said that if we think about it from an attacker's perspective, weighing risk against reward, "we clearly see why the threat landscape has shifted significantly towards NCI".
Attackers can reach information worth billions. White hat hackers can benefit a company by showing it where its systems are vulnerable, but black hat hackers act with malicious intent, and for them the reward often outweighs the risk.
The mix of legacy and new technology is not the only problem facing NCI. Malware, for example, is a real danger to NCI, including data centres.
Jens Monrad, systems engineer at FireEye, told CBR that the fact that malware which has been active for many years is still spreading and compromising organisations illustrates that visibility, together with the capability to detect and remediate compromised endpoints, remains a complex and challenging undertaking.
While such malware itself poses little risk of losing sensitive data or credentials, it can still cause other problems within an organisation.
It can overshadow more severe incidents or compromises, or place an unnecessary burden on the security operations team because of the sheer volume of events it generates.
And while in many cases the malware can no longer communicate with the criminal's infrastructure, the endpoint is still compromised and still needs to be identified and remediated.
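The point Monrad makes above, a dead command-and-control channel but a live infection, shows up in DNS logs as an endpoint that keeps asking for a domain that no longer resolves. The following is an added example (not code from CBR or from FireEye) of how a security operations team can pull those hosts out of resolver logs and collapse the repeated beacon attempts into one finding per host, so the noise does not bury a more serious incident. The log lines and the two C2 domains are constructed placeholders on reserved `.example`/`.invalid` names; in practice the domain list would come from a threat-intelligence feed of sinkholed or expired C2 domains.

```python
"""Triage of legacy-malware beaconing from DNS resolver logs.

Added example for this article; it is not code from CBR or from FireEye.
The log lines and the list of defunct C2 domains are constructed placeholders
(note the reserved .example / .invalid TLDs), standing in for a threat-intel
feed of sinkholed or expired command-and-control domains.
"""
from dataclasses import dataclass
from datetime import datetime

# Hypothetical C2 domains of long-dead malware families (constructed).
DEFUNCT_C2_DOMAINS = {
    "update-check.legacy-worm.example",
    "cdn.oldbot.invalid",
}

# Constructed resolver log: "<ISO timestamp> <client ip> <qname> <rcode>".
SAMPLE_DNS_LOG = """\
2016-04-12T08:00:01 10.1.20.15 www.cbronline.com NOERROR
2016-04-12T08:00:05 10.1.20.15 update-check.legacy-worm.example NXDOMAIN
2016-04-12T08:05:05 10.1.20.15 update-check.legacy-worm.example NXDOMAIN
2016-04-12T08:10:05 10.1.20.15 update-check.legacy-worm.example NXDOMAIN
2016-04-12T08:11:42 10.1.30.7 cdn.oldbot.invalid SERVFAIL
2016-04-12T08:12:00 10.1.30.7 windowsupdate.microsoft.com NOERROR
2016-04-12T08:15:05 10.1.20.15 update-check.legacy-worm.example NXDOMAIN
2016-04-12T09:00:00 10.1.40.2 intranet.corp.example NOERROR
"""


@dataclass
class Finding:
    host: str
    domain: str
    first_seen: datetime
    last_seen: datetime
    attempts: int = 0
    # Failed lookups mean the C2 is gone; the implant is still running and
    # the host still needs cleaning. A successful lookup means live C2.
    c2_live: bool = False


def parse_line(line):
    ts, host, qname, rcode = line.split()
    return datetime.fromisoformat(ts), host, qname.lower().rstrip("."), rcode


def triage(log_text, c2_domains=DEFUNCT_C2_DOMAINS):
    """Collapse all matching queries into one finding per (host, domain).

    A dead implant beaconing every few minutes produces hundreds of identical
    events a day; folding them into one record per host is what keeps such
    noise from burying a more serious incident in the same queue.
    """
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, qname, rcode = parse_line(line)
        if qname not in c2_domains:
            continue
        f = findings.get((host, qname))
        if f is None:
            f = findings[(host, qname)] = Finding(host, qname, ts, ts)
        f.attempts += 1
        f.first_seen = min(f.first_seen, ts)
        f.last_seen = max(f.last_seen, ts)
        if rcode == "NOERROR":
            f.c2_live = True  # escalate: attacker may still control this host
    return sorted(findings.values(), key=lambda f: (f.host, f.domain))


def remediation_queue(findings):
    """Hosts to isolate and rebuild, whether or not their C2 still answers."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    results = triage(SAMPLE_DNS_LOG)
    for f in results:
        state = "LIVE C2" if f.c2_live else "dead C2, host still infected"
        print(f"{f.host} -> {f.domain}: {f.attempts} lookups "
              f"{f.first_seen:%H:%M}-{f.last_seen:%H:%M} ({state})")
    print("remediate:", remediation_queue(results))
```

On the constructed log this yields two findings and a two-host remediation queue: 10.1.20.15 made four failed lookups of the legacy domain in fifteen minutes and 10.1.30.7 one, and neither C2 resolved. The `c2_live` flag is the escalation path: a lookup that succeeds means the domain has been re-registered or sinkholed by someone, and the host should be treated as under active control rather than as a hygiene item.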
The ultimate critical infrastructure of modern economy
An important part of the NCI landscape is industrial control systems (ICS), which, according to the CPNI, are increasingly constructed from commercial off-the-shelf technologies similar to those used in the IT domain, and so inherit the same malware and other cyber threats.
The fundamental difference between a security incident in the IT domain and the ICS domain lies in the potential impact.
The impact of an ICS incident can be far greater, causing not only disruption to business operations and services but also potential damage to or destruction of equipment, and injury to people. For example, the IT systems in a power plant can be manipulated to drive plant equipment outside its safe operating limits.
These systems are critical and therefore are required to be trustworthy and resilient not just operationally but from a security perspective too.
Jens Monrad, systems engineer at FireEye, told CBR that the IT systems used alongside some industrial control systems, such as those at the nuclear power plant in Germany, were designed when security was not a key priority in an engineer's design process, and they run an operating system of that era, in this case Windows XP.
"Control systems have a long design life of approximately 20 years or more and are commissioned to work flawlessly at the time of installation, when there were not any plans to change or modify the systems.
"The lack of in-built security in the initial design, long life, and lack of changes to the system (including patching) all contribute to the likelihood of a security incident occurring. If a system or network is vulnerable to legacy malware, then it is certainly vulnerable to targeted attacks," he said.
With the rise of the industrial IoT, there is an urgency to create smarter ICSs, however, in an IoT world these are harder to build, according to Catalin Cosoi, chief security strategist at Bitdefender.
He told CBR that building the IoT for industrial control is a tough process that relies on a number of conditions, such as resilience in the face of connectivity failures.
"Connectivity is key to unlocking the value of the IIoT, but it also increases the risk of cyber-attacks from external and internal actors, whether accidental or malicious.
"Security is paramount and must be addressed at every layer, from sensors and actuators to the controllers and the operations and business systems with which they connect."
When it comes to adding sensors and nodes to NCI, planting thousands of sensors can also endanger operational integrity, as operators become overwhelmed with alarms, alerts and indications.
He said: "What is more, overreliance on unsecured wireless technologies increases hacking and denial-of-service opportunities.
"There is an increasing tendency to rely on wireless sensor networks, which are exploitable. This adds to the risk of physical attacks on the sensors and their containers."
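Cosoi's point about exploitable wireless sensor networks, and his earlier one that security must start at the sensors and actuators, comes down to a simple question: can the gateway tell a genuine reading from one injected or replayed by someone within radio range? The block below is an added example (not code from CBR or from Bitdefender) of the minimum that answers it: each frame carries a keyed HMAC over the sensor ID, a monotonically increasing sequence number and the reading, and the receiver rejects anything with a bad tag or a stale counter. An unauthenticated frame would be just the 10-byte header, which anyone with a compatible radio could send. The key, sensor ID and readings are constructed for the demonstration; a real deployment would provision a per-sensor key into the device's secure element rather than a source file.

```python
"""Authenticated, replay-resistant sensor telemetry frames.

Added example for this article; it is not code from CBR or from Bitdefender.
The key, sensor ID and readings are constructed for the demonstration; in a
real deployment the per-sensor key would be provisioned into the sensor's
secure element, never embedded in source.
"""
import hashlib
import hmac
import struct

SENSOR_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # demo only
TAG_LEN = 16  # HMAC-SHA256 truncated to 128 bits: enough for a short radio frame

# Frame: sensor_id (u16) | seq (u32) | reading in milli-units (i32) | tag
HEADER = struct.Struct(">HIi")


def build_frame(key, sensor_id, seq, reading_milli):
    """What a legitimate sensor transmits: header plus keyed tag."""
    header = HEADER.pack(sensor_id, seq, reading_milli)
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class Receiver:
    """Gateway side: verify the tag, then enforce a strictly increasing
    sequence number per sensor so captured frames cannot be replayed."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}

    def accept(self, frame):
        """Return (reading, status); reading is None when the frame is rejected."""
        if len(frame) != HEADER.size + TAG_LEN:
            return None, "bad length"
        header, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return None, "bad tag"  # forged, or tampered in transit
        sensor_id, seq, reading = HEADER.unpack(header)
        if seq <= self.last_seq.get(sensor_id, -1):
            return None, "replay"  # an old frame re-sent to mask current state
        self.last_seq[sensor_id] = seq
        return (sensor_id, seq, reading), "ok"


def demo():
    """Run one genuine frame and three attacks through the receiver."""
    rx = Receiver(SENSOR_KEY)
    genuine = build_frame(SENSOR_KEY, 7, 1, 21_500)  # sensor 7 reads 21.5

    # Attacker without the key: flip a bit of the reading in transit.
    tampered = bytearray(genuine)
    tampered[6] ^= 0x40
    # Attacker without the key: forge a whole frame under a guessed key.
    forged = build_frame(b"guess", 7, 2, 0)
    # Attacker records the genuine frame and replays it later.
    replayed = genuine

    return {
        "genuine": rx.accept(genuine)[1],
        "tampered": rx.accept(bytes(tampered))[1],
        "forged": rx.accept(forged)[1],
        "replayed": rx.accept(replayed)[1],
        "next": rx.accept(build_frame(SENSOR_KEY, 7, 2, 21_700))[1],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:9s}: {status}")
```

The genuine frame and its successor are accepted; the tampered, forged and replayed frames are rejected for the reasons shown. Two caveats for anyone taking this further: the receiver's `last_seq` table must survive a gateway restart (or be replaced with a time window), otherwise a reboot reopens the replay hole; and the HMAC gives integrity and origin only, so a reading that must stay confidential also needs encryption, for example an AEAD mode with the same header as associated data.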
In Part II – How can critical infrastructure be protected