Part 2: In Critical Infrastructure, Control Systems are a Hot Target
Welcome back to our blog series on cyber risk highlights in critical infrastructure. In part 1, we set the stage for the current cyber risk climate in the critical infrastructure sector.
This week, we discuss control systems and break down how and why malicious actors target them.
Cyber Crime is not About Stealing Data Anymore
Cyber-attacks against critical infrastructure and manufacturing are more likely to target industrial control systems than result in a data breach, according to the Organization of American States and Trend Micro. Their research found that 54% of the 500 US critical infrastructure suppliers surveyed had reported attempts to access control systems, while 40% had experienced attempts to shut down these systems. Over half said they had noticed an increase in attacks, while three-quarters believed those attacks were becoming more sophisticated.
Critical infrastructure operations are highly physical in nature and depend on a multitude of devices and systems to “control” operational technology functions.
Some examples of devices that can make up the OT ecosystem include:
- Programmable Logic Controllers (PLCs), which can control things like assembly line processes, or the ratio of materials needed to process chemicals
- Supervisory Control and Data Acquisition (SCADA) systems, which are control systems that oversee, monitor, and aggregate the sensor information necessary to operate plant machines
- Distributed Control Systems (DCS), which control multiple machines in a plant
- Computer Numerical Control (CNC) systems, which are computerized machine tools that can be programmed to fabricate a physical object
- Building Management and Building Automation Systems (BMS/BAS), which control temperature, lighting, access and control points, and other necessities
- Lighting Control, both for internal and external applications
- Energy Monitoring for security and safety systems in the physical environment
- Transportation Systems for the physical environment
Cybercriminals Have Developed Frameworks to Access these Control Systems
Cybercriminals have been targeting control systems since the turn of the century. One of the earliest incidents was in the year 2000 when a hacker breached the Maroochy Shire sewage control system in Queensland, Australia, and released 256,000 gallons of untreated sewage into local parks and rivers. The attack was attributed to a lone hacker who was familiar with the wastewater control systems. The Maroochy hacker was a disgruntled former employee of the equipment manufacturer of the radio-controlled sewage system.
A lot has changed since the Maroochy incident over two decades ago. Subsequent attacks have been highly sophisticated in nature and are rarely attributed to lone-wolf actors seeking revenge on a former employer. We have witnessed several attacks, including those on the Ukraine power grid in 2015, a German steel mill, and industrial safety systems in the Middle East. These attacks have widely been attributed to nation-state actors and highly organized cybercrime syndicates.
All owners and operators of critical infrastructure should be concerned, particularly smaller organizations that may not have the immediate resources necessary to identify and close their cybersecurity gaps.
Fortune 250: How do we integrate our XDR?
2,500+ Water utilities: How do we pay for a Firewall?
— Robert M. Lee (@RobertMLee) June 25, 2022
Robert Lee, CEO of Dragos, tweeting about under-resourced water utilities.
Nation-state cybercriminal organizations, on the other hand, have the resources to carefully prepare for critical infrastructure attacks. In the 2015 Ukraine power grid cyber-attacks, the adversaries were credited with using an Industroyer toolkit, which could be reused and repurposed against other owners and operators of electricity. And recently, in early 2022, cyber criminals developed entire software frameworks for malicious code targeting programmable logic controllers and industrial control systems. In 2022, the cybersecurity firm Dragos discovered the Pipedream malware. Its initial target set focused on disrupting US liquid natural gas and key electric power sites. However, after careful study, Dragos determined that the Pipedream framework was so flexible and capable that its destructive capabilities went beyond the energy sector. The toolkit’s modular architecture enables cyber actors to conduct highly automated exploits against a wide variety of targeted devices in many different industries. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling lower-skilled cyber actors to emulate the capabilities of higher-skilled actors.
No longer does one have to be a former employee familiar with the technology, or have the budget of a nation-state intelligence team, to target critical infrastructure. Causing physical damage to critical infrastructure through cyber means is easier today than ever. Next week we will continue discussing the increased capabilities of cybercriminals, diving into how ransomware attacks (often on IT systems) also create collateral physical damage.
In the meantime, if you are curious about how Axio protects critical infrastructure owners and operators, we’d love to give you a tour of Axio360. We have helped hundreds of critical infrastructure owners and operators understand their cybersecurity weaknesses and select the most cost-effective controls to remain secure in these challenging times.