25 October 2018

Critical National Infrastructure Versus Cyber Threats

The fourth and final week of National Cybersecurity Awareness Month (NCSAM) focuses on “Safeguarding the Nation’s Critical Infrastructure”. The threat to critical national infrastructure is a growing concern. A report published by the UK Parliament in July 2018 highlighted that, despite the UK’s vibrant digital economy, we are still lacking cybersecurity skills. This is a common problem for businesses across many countries, commonly called the “cyber skills gap”.

There are concerns over the Government’s lack of urgency in addressing the skills gap in order to protect critical national infrastructure. Theresa May, however, did deliver a speech last week demanding that more be done to fight nation state hacking.

Most importantly, the solution to the shortage of skills and resources in this industry is not a short-term one. Investment needs to be made in developing relationships between Government and industry. Alongside this, academia will be vital in producing cyber specialists for years to come.

Despite efforts to build specialist expertise in preventing cyber-attacks, it is important to examine past events. Understanding the weaknesses exposed by previous attacks will encourage critical national infrastructure sectors to invest more in protection moving forward. To coincide with this week’s NCSAM theme, we highlight below some of the most prominent cyber-attacks on critical national infrastructure.

Russian cyber-attacks on US critical infrastructure

In March 2018, the US Computer Emergency Readiness Team (US-CERT) released a report detailing a range of Russian cyber-attacks on energy and other critical infrastructure sectors.

The techniques the threat actors used included ‘spear phishing’ and ‘watering holes’ (altered trade publications and websites). Malware was used to establish local admin accounts, and tools were downloaded from a remote server to gather stored credentials. Information was then gathered about the industrial networks and the processes they control. Finally, the threat actors hid their activity by clearing logs and removing applications, registry keys and screen captures.

It is thought this attack first began in 2016 and was not detected until late 2017. The complexity of such attacks makes them difficult to detect and stop. Despite this, with the right monitoring technology in place, it would have been far harder for the threat actors to go unobserved.
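The tradecraft described above (new local admin accounts, credential-gathering tools fetched from a remote host, and logs cleared afterwards) leaves traces in host audit logs that monitoring can correlate. The following is an added illustration, not code from the original post or from US-CERT: it runs simple detection rules over a handful of constructed sample records shaped like Windows Security log entries. The field names, hostnames, account names and timestamps are assumptions made for the example; the event IDs themselves (4720 user account created, 4732 member added to a local group, 1102 audit log cleared) are real Windows Security event IDs.

```python
"""Toy detection logic over constructed Windows-style audit events.

Rules demonstrated:
  1. A local account is created (4720) and added to Administrators (4732)
     on the same host within a short window  -> "new-local-admin".
  2. The audit log is cleared (1102). If the clearing actor is an account
     created earlier in the same run, the alert is escalated to
     "new-account-cleared-logs", otherwise it is "audit-log-cleared".
"""
from datetime import datetime, timedelta

# Constructed sample events for this example (not taken from any real log
# or from the US-CERT report). Field names are an assumption.
SAMPLE_EVENTS = [
    {"time": "2017-11-02T03:14:05", "host": "eng-ws-07", "event_id": 4720,
     "account": "svc_backup", "actor": "CORP\\jsmith"},
    {"time": "2017-11-02T03:14:09", "host": "eng-ws-07", "event_id": 4732,
     "account": "svc_backup", "group": "Administrators", "actor": "CORP\\jsmith"},
    {"time": "2017-11-02T03:40:00", "host": "eng-ws-07", "event_id": 1102,
     "actor": "svc_backup"},
    # Benign-looking account creation with no follow-on activity.
    {"time": "2017-11-03T09:00:00", "host": "hr-ws-02", "event_id": 4720,
     "account": "intern2017", "actor": "CORP\\helpdesk"},
]


def parse_event(ev):
    """Return a copy of the event with the ISO timestamp parsed to datetime."""
    return dict(ev, time=datetime.fromisoformat(ev["time"]))


def detect(events, window=timedelta(hours=2)):
    """Run the rules over the events and return a list of
    (rule, host, detail) tuples, in time order."""
    evs = sorted((parse_event(e) for e in events), key=lambda e: e["time"])
    alerts = []
    created = {}  # (host, account) -> time the account was created

    for e in evs:
        host = e["host"]
        if e["event_id"] == 4720:
            created[(host, e["account"])] = e["time"]
        elif e["event_id"] == 4732 and e.get("group") == "Administrators":
            created_at = created.get((host, e["account"]))
            if created_at is not None and e["time"] - created_at <= window:
                alerts.append(("new-local-admin", host, e["account"]))
        elif e["event_id"] == 1102:
            # Log clearing is always worth an alert; it is worse when done
            # by an account that only just appeared on the host.
            rule = ("new-account-cleared-logs"
                    if (host, e["actor"]) in created else "audit-log-cleared")
            alerts.append((rule, host, e["actor"]))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26} host={host} detail={detail}")
```

Correlating across events is the point: a single 4720 on its own (as on `hr-ws-02`) is routine, but the same account being made an administrator and then clearing the audit log minutes later is the sequence a monitoring team would want surfaced. A production pipeline would also forward logs off-host so that a 1102 cannot erase the evidence of what preceded it.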

Whilst the ultimate goal of the Russian cyber-attack is unknown, the attackers could easily have disrupted the power supply. Some critics say the only reason they didn’t is uncertainty about the consequences and retaliation. This is particularly important now that national leaders such as Trump and May are publicly stating that “cyber-warfare” will become a genuine retaliation tactic.

Ukraine’s Power Blackout

Less fortunate than the US, Ukraine was subject to a cyber-attack in 2016 leading to a power blackout. After investigation, it was determined that outside sources had gained access to systems linked to the 330 kilowatt sub-station “North”. This attack was the second attempt from outside sources: the first attack leading to a power outage occurred in 2015, yet the 2016 ‘rerun’ was more sophisticated because it was fully automated.

Researchers found that a piece of malware nicknamed “Crash Override” was used. This was only the second known piece of malicious code purpose-built to disrupt physical systems, the first being Stuxnet, the malware used to disrupt an Iranian nuclear facility in 2009.

This cyber-attack left Ukraine’s capital, Kiev, without power for over an hour. It is thought that the attack was only a dry run for bigger attacks to come.

Maritime Shipping Cyber-Attack

In July 2018, COSCO Shipping Lines was subject to a cyber-attack that disrupted internet connectivity in its American offices. This meant local email and telephones weren’t working properly, forcing the company to shut down connections with other regions.

It is thought that the attack stemmed from ransomware. Whilst the Chinese logistics company said its vessels weren’t impacted, the terminal at the Port of Long Beach was affected. Had the attack been more sophisticated and harder to detect, it could have caused serious disruption to shipping services.

This attack, along with those on the Port of San Diego and the Port of Barcelona in the last 3 months, is putting huge pressure on the maritime industry to prioritise the protection of its systems.

Protecting our future

In early 2018, the UK Government warned energy companies to tighten their security, although its detailed reasoning has not been published. The growing threat of nation state hacking and ‘cyber warfare’ is the driver behind recommendations of this type.

To protect ourselves and our critical national sectors, infrastructure organisations will need to remain on constant alert for attacks. In addition, extra monitoring and vulnerability testing can be implemented. These measures make attacks harder to carry out and, where an attacker does succeed, make the malicious activity easier to detect.

Want to understand more about how to protect your organisation? Learn about the consultancy services IRM provides to help protect against cyber-attacks and information security breaches.