A ransomware attack on an energy provider’s digital system causes shortages across a large part of a country for days and prompts its president to declare a state of emergency: this scenario might sound like the plot of a movie. But it did happen to Colonial Pipeline — the largest pipeline system for refined oil products in the US — in May 2021.
Cyber attacks of such scale may seem uncommon, perhaps because they are under-reported or stopped early, but it is high time for critical infrastructure providers to step up their cyber defence.
According to Mandiant Threat Intelligence, one in seven multifaceted extortion attacks leak crucial operational technology (OT) information such as network and engineering diagrams, images of operator panels, and information on third-party services. With sensitive details on OT environments, attackers can more readily target these systems and networks repeatedly.
With rising geopolitical tensions, there will be a risk of increased cyber attacks on critical infrastructure sectors — such as energy, water and transportation — that could disrupt and cripple a country.
Yihao Lim, intelligence strategy lead for Asia Pacific and Japan (APJ) at cyber security firm Mandiant, notes that there are three main types of threat actors targeting OT systems in critical infrastructure industries.
The first is state-sponsored actors who carry out cyber espionage. “We have observed that as recently as Q2 of this year, state-sponsored espionage attacks were used against power grid operations in Ukraine, and these are suspected to be by Russian forces using a malware called INDUSTROYER.V2,” he says.
The second is hacktivists, who Lim observes could be lone wolves or a group of people who operate together to launch cyber attacks.
“[Attacks by hacktivists tend to be more] superficial such as defacement of a website or distributed denial-of-service (DDoS) attacks, and are due to systems using the default password. So bad cyber hygiene by victims is usually the cause of this kind of compromise,” he adds.
The third group of threat actors are cyber criminals who execute ransomware attacks. Lim explains: “[These actors will usually] look for processes to kill off once they get into the environment. So when they target the OT environment, one of the instructions in the kill list is something that is operating in the OT environment itself.
“We are seeing ransomware focus on OT increasing. Unfortunately, we also have a very vibrant cyber crime underground market, so more people are using ransomware attacks to make money. Also, ransomware-as-a-service lowers the barrier of entry so even people who are not technical can launch ransomware attacks to make some money by extorting victims.”
OT security usually not a top priority
The preparedness of critical infrastructure providers in facing OT attacks partially depends on the government and regulations, notes Lim.
“In countries that set aside budgets and have regulations on OT security, their critical infrastructure industries are better prepared as they have solid backing from the government. But in certain cases where the government is not so aware of OT attacks and their impacts, they may have less budget and won’t be so strict on OT security. So critical infrastructure providers in those countries will just do the minimum such as deploying anti-virus software.”
Critical infrastructure providers might also be reluctant to strengthen their cyber security posture as significant OT attacks are not as widely reported as cyber attacks on IT systems.
“Since they haven’t seen any real or major attacks happening in their environment, increasing their budget to secure their OT environment might not be their highest priority. Why would they want to do so when their processes have been working perfectly? It’s harder convincing them to secure their OT environment than rushing to digitalise or automate their OT systems.”
Yihao Lim, intelligence strategy lead for Asia Pacific and Japan (APJ), Mandiant
The OT environment, says Lim, is also complex as it consists of many components, each of which follows a different protocol. “Some legacy systems are so old that they cannot integrate with IT or modern security systems.”
Resolving the OT security headache
To prevent operational disruption from cyber threats, critical infrastructure providers need to extend their cyber defence from IT to OT. This calls for an understanding of relevant cyber threats, rigorous security testing and threat detection and response across the entire enterprise.
“They must be able to understand the environment well and have a very clear understanding of the vulnerabilities in terms of the dependencies in the environment. [This will enable them to] understand why OT and IT security is important and ensure that when they design their OT environments, it is done with security in mind instead of an afterthought,” says Lim.
He adds that cyber security firms like Mandiant can help critical infrastructure providers identify tactical actions and strategic steps to mitigate security risks and improve security defences across different levels of OT environments.
For instance, Mandiant offers threat intelligence that provides visibility and expertise on cyber threats.
It is compiled by over 300 security and intelligence individuals across 22 countries, researching actors via undercover adversarial pursuits, incident forensics, malicious infrastructure reconstructions and actor identification processes that comprise the deep knowledge embedded in the Mandiant Intel Grid.
“Using intelligence to understand and detect bad actors is the most effective way, rather than taking wild guesses. This is especially crucial in critical infrastructure industries as their OT systems must run 24/7, so they cannot take days or even hours to respond to threats or attacks. Having the intel will therefore dramatically reduce the time [for the targeted company] to make more informed decisions,” says Lim.
He continues: “There are many other ways we’re helping critical infrastructure providers enhance OT security. We offer user awareness training and OT red team security assessment, [which is a simulation of a real-world OT-directed attack scenario to assess their security team’s ability to detect or respond to an attack].
“We also provide consultancy services to help customers create a strategic plan to uplift their entire security capabilities, including improvements needed in processes and identifying the skill sets they need to hire.”
As critical infrastructure providers undergo digital transformation to gain remote visibility into industrial operations and enable predictive maintenance, that same transformation has created new vulnerabilities to cyber attacks. Companies must therefore take action to secure their OT systems better, as critical infrastructure is vital to a nation’s economy.