As our world becomes increasingly digitized, the risk of cyber attacks on critical infrastructures is also growing. Unfortunately, these attacks often need to be better understood and publicized, which can make it difficult for us to know how to protect ourselves or our organizations.
For example, hacktivists bring down the US power grid during a particularly harsh winter, causing millions of homes and businesses to go dark, communications to be down, banks to close, hospitals to close, and air traffic to be grounded.
The scenario sounds apocalyptic, but it is a real threat, according to Krishna Chaitanya Tata, a Cybersecurity architect at IBM, who helps customers safely isolate their infrastructure from the internet and enforce secure remote access, allowing them to access and control critical assets remotely.
Krishna sheds light on this evolving threat and discusses why cyber attacks on critical infrastructures are becoming more common, and what we can do to defend against them. This is an important issue that we all need to be aware of, so we encourage you to read this article and share it with others.
Critical infrastructure complexity
There is a growing reliance on networks of connected devices for critical infrastructures, such as power generation and distribution. Power grids and other critical infrastructure used to operate in isolation for decades. However, they are now far more interconnected, both geographically and within sectors.
According to Krishna, a failure of one critical infrastructure could lead to a devastating chain reaction.
The vulnerability of critical infrastructure to cyber-attacks and technical failures has become a major concern in recent years. Most CI industries use legacy devices not suited for hardening, are getting increasingly interconnected, and have become the frontier for cyber warfare.
Three utility companies in Ukraine were hit by the BlackEnergy malware in December 2015, leaving hundreds of thousands of homes without electricity for six hours.
The malware likely originated with phishing attacks and targeted utility firms’ SCADA (supervisory control and data acquisition) systems.
Two months after the blackout, the Israel National Electricity Authority was hit by a major cyber-attack, although damage was mitigated after the Israel Electricity Corporation shut down its systems to prevent the spread of the virus.
Cyber-vulnerable industries
Cyber attacks against critical infrastructures are not limited to the energy sector, however: transport, public services, telecommunications, and critical manufacturing industries are also at risk.
The Bowman Avenue Dam in New York was breached by Iranian hackers in 2013, allowing them to control floodgates. Media reports suggest that other oil rigs, ships, satellites, airliners, airports, and ports may also be vulnerable.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the US government agency that helps companies investigate attacks on ICSs and corporate networks, has reported an increase in cyber attacks against critical infrastructures and key manufacturing industries.
In 2015, cyber investigations increased by 20%, and attacks against US critical manufacturing doubled.
Industrial control systems (ICS) – such as SCADA, Programmable Logic Controllers (PLCs), and Distributed Control Systems – are used to control and monitor processes of physical devices, like pumps, valves, motors, and sensors. It is increasingly possible these days to remotely access these ICS devices due to increased connectivity and a lack of proper access controls and segmentation strategies.
In the most high-profile cyber attack against critical infrastructures, the Stuxnet worm damaged centrifuges used to separate nuclear material, disrupting the Iranian nuclear program.
As a result of the incident, many critical infrastructure and manufacturing industries in Europe and the US were concerned that Stuxnet could be adapted to attack SCADA systems.
A German steel mill suffered major damage in 2014 after a cyber-attack forced the shutdown of a furnace, the German Federal Office for Information Security reported, in one of the few public examples of SCADA attacks. The attackers used social engineering techniques to gain control of the blast furnace systems.
Cyber attacks on critical infrastructures target control systems, not data
The Organization of American States and Trend Micro report that cyber attacks against critical infrastructures and manufacturing are more likely to target industrial control systems than data.
They found that 54% of 500 US critical infrastructure suppliers surveyed reported attempts to control systems, while 40% reported attempts to shut down systems. According to more than half of respondents, attacks are on the rise, and three-quarters believe they are becoming more sophisticated.
In addition, 73% of Indian organizations experienced a successful ransomware attack in 2022, and 45% were hit more than once, according to the Barracuda international survey.
Krishna explains that hackers are becoming increasingly interested in operational technology, the physical devices used in industrial processes. “They are at a high risk,” he says.
As an example, he cites a cyber-attack against a New York City office block in which a hacker accessed the building management systems (which control power, communications, security, and environmental systems) via a connected vending machine. According to him, the business lost as a result of the building shutdown cost $350 million.
Industrial control systems are less secure than IT systems
The security of industrial control systems and connected devices lags behind that of IT systems, however. Many of the connected devices used by the industry are based on serial communication technology, which Krishna compares to the beeps and squeals associated with old-style internet dial-up.
According to Krishna, operational technology is a vulnerable element of cyber security. While IT infrastructure has given rise to an army of cyber security consultants, products, and services, industrial control systems have not.
As connected devices become more common, cyber-attacks against physical operating technology will likely increase.
The “Internet of Things” (“IoT”), for example, is set to accelerate the convergence of the digital and physical worlds with more and more everyday devices embedded with electronics that connect to a network and collect information.
It is increasingly common for consumer devices to be connected – such as wearable technology, smart devices, domestic appliances, and children’s toys.
Krishna believes that growing digitalization and the Internet of Things could create a perfect storm when it comes to cyber security.
According to him, companies are now operating devices, software, and data through virtual networks, such as cloud computing.
It is crucial to have confidence in the security of infrastructure
Security in data and systems is crucial to society’s ability to reap the benefits of the Internet of Things. The SCADA systems that keep aircraft in the air as well as the IT platforms that underpin mobile banking depend on public confidence just as much.
A number of airlines have experienced technical issues and cyber-attacks in the past year, eroding consumer confidence.
LOT, the Polish national airline, grounded planes in June 2015 after hackers disabled its flight plan system in a Distributed Denial of Service (DDoS) attack. United Airlines grounded its fleet in July following a technical error.
“The digital age is here. We cannot prevent it. It is a part of us. However, we see news headlines of breach after breach. We are losing faith in the digital age,” Krishna concludes.
Cyber criminals need to be deterred and operational technology needs to be protected, according to him.
Krishna explains that cybercriminals can create a successful attack for a very small cost, which is why there are so many attacks now.
“Since the cost of launching a successful attack has dropped, the number of attacks has increased. As a result, we must develop technology to increase the cost of launching a successful attack,” says Krishna.
For example: Japan plans to compensate companies for maintaining the secrecy of sensitive patents.
He adds, “While we cannot stop 100% of attacks, we can increase the cost so that hackers don’t want to deal with the organization because it will take a lot of time and computer resources.”
“By preventing the damage, insurers will be more inclined to offer higher limits and customers will be more inclined to purchase.”