• SCADA network hacks are more about systems access than data theft.
• Hackers are specifically targeting critical infrastructure organisations.
• Regulators are responding to the threat with new legislation.
• Best practice cybersecurity defends against data injection and malware.
For a decade or more, global critical infrastructure has come under increasingly persistent cyber-attack, often from state-funded sources.
The list of critical infrastructure hacks is depressingly long. Whilst early incidents were attributed to individual hackers, like the 2001 DDoS attack that crashed the Port of Houston systems, state actors have been responsible for many of the high-profile incidents since.
It’s all about control
Many of the world’s largest hacks are motivated by financial gain or are political in nature, involving advanced malware or the theft of sensitive or personally identifiable information. Critical infrastructure is not immune to ransomware, but some of the state-sponsored intrusions are altogether different: they are about seizing control of industrial control systems with the express intent of causing widespread, physical disruption.
In 2009, US officials reported that operatives from several nation states had penetrated the US electricity grid and left behind software that could be activated to disrupt it. The Stuxnet worm, widely attributed to the US and Israel, put the brakes on Iran’s uranium enrichment programme by reprogramming the Siemens controllers that drove centrifuges at the Natanz facility, pushing the machines to destructive speeds while feeding operators normal-looking readings.
Throughout 2012 the US faced a series of attacks on its critical infrastructure, including spear-phishing campaigns against natural gas pipeline companies, brute-force attacks on utilities and DDoS attacks on banking institutions.
In 2013 the tit-for-tat between the US and Iran took a more sinister turn when Iranian hackers gained access to the SCADA system of the Bowman Avenue Dam in Rye Brook, New York. According to the subsequent US indictment, the intruders could read water levels, temperature and the status of the sluice gate, and would have been able to operate the gate had it not been disconnected for maintenance at the time.
In December 2015 a spear-phishing campaign gave attackers remote access to three Ukrainian electricity distribution companies; operators watched their own workstations being used to open breakers, and roughly 230,000 customers were left without power for several hours. In 2017 the Triton malware was used against a petrochemical plant in Saudi Arabia, where the attackers compromised the engineering workstation for the plant’s Triconex safety instrumented system and loaded their implant onto the safety controllers, the layer whose job is to bring a runaway process to a safe state.
Most recently, the Colonial Pipeline attack in May 2021 proved that money is still a motivator: DarkSide, the Eastern European ransomware group responsible, received about $4.4 million in ransom from the company (a large part of which the US Department of Justice later recovered). The ransomware hit Colonial’s corporate IT systems rather than its pipeline controls, but the company halted pipeline operations as a precaution, an illustration of how an IT compromise can still produce an OT outage. Before it went dark, DarkSide was estimated to have collected some $90 million in Bitcoin from 47 victims in under a year.
Critical national infrastructure is clearly a lucrative target for criminal groups, and a number of groups are known to specialise in attacks on industrial control systems. In its 2020 ICS Year in Review, the industrial cybersecurity firm Dragos identified four new activity groups targeting industrial control systems.
Stibnite, Talonite, Kamacite and Vanadinite were added to an existing list of 11 activity groups known to target power grids and utility networks. The list includes Xenotime, the group Dragos holds responsible for the Triton attack on the Saudi petrochemical plant, as well as Dymalloy and Electrum, the latter best known for the 2016 attack on the Ukrainian power grid that used the CRASHOVERRIDE (Industroyer) malware.
The worrying increase in attacks specifically targeting infrastructure has led authorities to tighten the regulatory frameworks governing the control systems of critical national infrastructure. In the wake of the Colonial Pipeline attack, President Biden signed Executive Order 14028 on improving the nation’s cybersecurity. In another example, Australia introduced the Security of Critical Infrastructure (SOCI) Act in 2018 and, just two years later, the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
The 2020 amendment expands the definition of critical infrastructure to cover a broader range of sectors. Alongside a number of supporting measures, the Bill proposes enhanced cyber security obligations for the most important systems, including risk management programmes, incident response planning and exercises, vulnerability assessments, and government assistance powers that allow the state to step in during a serious incident.
Best practice cybersecurity
With the volume and sophistication of cyberattacks on the increase, what can critical infrastructure organisations do to secure their networks? Where are they most vulnerable, and where should they concentrate their efforts?
The two primary areas of concern for SCADA networks are rogue (false) data injection and malware. In a false data injection attack the attacker inserts forged readings or commands into the data stream between field devices and the control room, designed to “fool” operators or automated controllers into making harmful, even fatal, adjustments. Many legacy industrial protocols, Modbus/TCP among them, carry no authentication at all, so anyone who can reach the network segment can write a register or issue a command. False data about operating conditions can result in catastrophic system failure or have a significant downstream impact.
End-to-end authenticated encryption of operational data in motion protects both the integrity and the authenticity of that data: a forged or altered frame fails verification and is dropped before a controller acts on it, and binding a sequence number or timestamp into the authenticated data stops an attacker replaying a genuine frame captured earlier. Where a protocol offers native protection, such as DNP3 Secure Authentication or the TLS profiles in IEC 62351, use it; otherwise wrap legacy Modbus or serial traffic in an authenticated tunnel between sites. Frequent rekeying limits how much an attacker can read if a key is ever recovered, and Quantum Key Distribution (QKD) is one way of delivering fresh symmetric keys between two fixed sites: its defining property is that an attempt to intercept the key exchange disturbs the quantum channel and is detectable by the endpoints. QKD needs dedicated fibre or line of sight and an authenticated classical channel of its own, so it complements, rather than replaces, authenticated encryption of the data itself.
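As an added illustration of the authenticated-encryption point above (example code written for this page, not a Votiro product and not a real SCADA protocol), the Go program below wraps a constructed telemetry frame in AES-GCM. The unit ID and sequence number travel in clear but are bound into the authentication tag, so a frame with a flipped register bit fails verification before anything is decoded, and a genuine frame that is captured and re-sent is rejected as a replay. The frame layout, unit numbers and register values are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed frame layout for this example (not a real SCADA protocol):
//   header (12 bytes, authenticated, readable): 4-byte unit ID | 8-byte sequence number
//   body   (encrypted and authenticated):       big-endian 16-bit register values
//   tag    (16 bytes):                          AES-GCM authentication tag
const headerLen = 12

// Sender is the field-device side; Receiver is the control-room side. Each unit
// needs its own key or its own unit ID so that (key, nonce) pairs never repeat.
type Sender struct {
	aead cipher.AEAD
	unit uint32
	seq  uint64
}

type Receiver struct {
	aead    cipher.AEAD
	unit    uint32
	lastSeq uint64 // highest sequence accepted; anything not above it is a replay
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte nonce, 16-byte tag
}

func NewSender(key []byte, unit uint32) (*Sender, error) {
	a, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Sender{aead: a, unit: unit}, nil
}

func NewReceiver(key []byte, unit uint32) (*Receiver, error) {
	a, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Receiver{aead: a, unit: unit}, nil
}

// header encodes unit ID and sequence number. It doubles as the GCM nonce
// (unique per key because seq only ever increases) and as the associated data.
func header(unit uint32, seq uint64) []byte {
	h := make([]byte, headerLen)
	binary.BigEndian.PutUint32(h[0:4], unit)
	binary.BigEndian.PutUint64(h[4:12], seq)
	return h
}

// Seal produces header || ciphertext || tag for one set of register readings.
func (s *Sender) Seal(regs []uint16) []byte {
	s.seq++
	hdr := header(s.unit, s.seq)
	body := make([]byte, 2*len(regs))
	for i, r := range regs {
		binary.BigEndian.PutUint16(body[2*i:], r)
	}
	ct := s.aead.Seal(nil, hdr, body, hdr)
	return append(hdr, ct...)
}

// Open verifies the tag first, so nothing forged or modified is ever decoded,
// then enforces strictly increasing sequence numbers to reject replays.
func (r *Receiver) Open(frame []byte) ([]uint16, error) {
	if len(frame) < headerLen+r.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	hdr, ct := frame[:headerLen], frame[headerLen:]
	unit := binary.BigEndian.Uint32(hdr[0:4])
	seq := binary.BigEndian.Uint64(hdr[4:12])
	if unit != r.unit {
		return nil, fmt.Errorf("frame from unit %d, expected %d", unit, r.unit)
	}
	body, err := r.aead.Open(nil, hdr, ct, hdr)
	if err != nil {
		return nil, errors.New("authentication failed: frame forged or modified in transit")
	}
	if seq <= r.lastSeq {
		return nil, fmt.Errorf("replayed or stale frame: seq %d, last accepted %d", seq, r.lastSeq)
	}
	r.lastSeq = seq
	regs := make([]uint16, len(body)/2)
	for i := range regs {
		regs[i] = binary.BigEndian.Uint16(body[2*i:])
	}
	return regs, nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	snd, _ := NewSender(key, 4)
	rcv, _ := NewReceiver(key, 4)

	frame := snd.Seal([]uint16{1200, 350}) // constructed: pressure 12.00 bar, flow 350 m3/h
	regs, err := rcv.Open(frame)
	fmt.Println("genuine frame:", regs, err)

	tampered := append([]byte(nil), frame...)
	tampered[headerLen] ^= 0x80 // flip one bit in the encrypted pressure reading
	_, err = rcv.Open(tampered)
	fmt.Println("tampered frame:", err)

	_, err = rcv.Open(frame) // the genuine frame, captured and re-sent
	fmt.Println("replayed frame:", err)
}
```

The authentication check runs before the sequence check so that an attacker cannot learn anything about the receiver’s window from a forged frame; the sequence check runs before the readings are handed to the process so that a stale but genuine frame cannot roll a setpoint back. Rekeying, key distribution (whether by QKD or a conventional key-management system) and per-unit keys sit outside this snippet.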
A proactive approach to malware
Malware represents a clear and present danger to critical infrastructure networks and has been the source of many high-profile hacks. Social engineering, phishing and insecure file-sharing practices expose organisations to enterprise-wide compromise.
Traditional anti-malware solutions are detection-based: a threat has to be known, or at least recognisably similar to a known threat, before it can be blocked. With hundreds of thousands of new malware samples appearing every day, signature-based detection on its own is fighting a losing battle.
If cybersecurity professionals are to stay ahead of attackers, they need to change their mindset and take a zero-tolerance approach to content security. Next-generation anti-malware solutions like Votiro Secure File Gateway take a proactive stance known as Content Disarm and Reconstruction (CDR): every file is processed on arrival and any active content or code that does not belong in the document (macros, embedded objects, scripts, whether malicious or not) is stripped out, rather than waiting for a signature to identify it. The result is a sanitised file that keeps its content and formatting, so the user receives a document that looks and reads as expected, minus the executable content.
Votiro provides enterprise-wide protection for content shared via email, website downloads and applications such as file-sharing platforms. It supports a broad range of file types and is virtually transparent to the end user, providing content security without compromising system performance or user experience.
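To make the sanitisation idea concrete, here is a deliberately simplified macro stripper in Go, written for this page as an illustration. It is not Votiro’s code, and a production CDR engine does far more (embedded OLE objects, DDE fields, external links, PDF JavaScript, and rebuilding the file rather than editing it in place). The example removes the VBA project from a constructed macro-enabled Word package and fixes up the content-type and relationship entries that pointed at it; the content-type mapping also covers Excel and PowerPoint. The sample document, its text and its placeholder VBA blob are constructed for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// Macro-enabled main-part content types and the plain types they are rewritten to.
var macroToPlain = map[string]string{
	"application/vnd.ms-word.document.macroEnabled.main+xml":           "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
	"application/vnd.ms-excel.sheet.macroEnabled.main+xml":             "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
	"application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml": "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml",
}

// Self-closing <Override/> or <Relationship/> elements that reference a VBA part.
var vbaRef = regexp.MustCompile(`<(?:Override|Relationship)[^>]*(?i:vbaproject|vbadata)[^>]*/>`)

// StripMacros rebuilds the OOXML package without its VBA parts (vbaProject.bin,
// vbaProjectSignature.bin, vbaData.xml) and without the entries that referenced
// them. Callers should also rename the file (.docm -> .docx, .xlsm -> .xlsx, .pptm -> .pptx).
func StripMacros(pkg []byte) ([]byte, []string, error) {
	zr, err := zip.NewReader(bytes.NewReader(pkg), int64(len(pkg)))
	if err != nil {
		return nil, nil, fmt.Errorf("not an OOXML (zip) package: %w", err)
	}
	var out bytes.Buffer
	zw := zip.NewWriter(&out)
	var removed []string
	for _, f := range zr.File {
		if n := strings.ToLower(f.Name); strings.Contains(n, "vbaproject") || strings.Contains(n, "vbadata") {
			removed = append(removed, f.Name)
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, nil, err
		}
		if f.Name == "[Content_Types].xml" || strings.HasSuffix(f.Name, ".rels") {
			data = vbaRef.ReplaceAll(data, nil) // drop dangling references to the VBA parts
			for macro, plain := range macroToPlain { // main-part type lives in [Content_Types].xml
				data = bytes.ReplaceAll(data, []byte(macro), []byte(plain))
			}
		}
		w, err := zw.Create(f.Name)
		if err != nil {
			return nil, nil, err
		}
		if _, err := w.Write(data); err != nil {
			return nil, nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, nil, err
	}
	return out.Bytes(), removed, nil
}

// SampleDocm is a constructed, minimal macro-enabled Word package for the demo;
// its VBA part is a placeholder byte string, not a real compiled project.
func SampleDocm() []byte {
	parts := []struct{ name, body string }{
		{"[Content_Types].xml", `<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">` +
			`<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>` +
			`<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>` +
			`<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>`},
		{"word/document.xml", `<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">` +
			`<w:body><w:p><w:r><w:t>Pump station 4 maintenance log</w:t></w:r></w:p></w:body></w:document>`},
		{"word/_rels/document.xml.rels", `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">` +
			`<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/></Relationships>`},
		{"word/vbaProject.bin", "\xd0\xcf\x11\xe0 placeholder: pretend this is a compiled VBA project"},
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, p := range parts {
		w, _ := zw.Create(p.name)
		w.Write([]byte(p.body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	clean, removed, err := StripMacros(SampleDocm())
	if err != nil {
		panic(err)
	}
	fmt.Printf("dropped %v; sanitised package is %d bytes\n", removed, len(clean))
}
```

The document text comes through untouched, but anything that depended on the macro is gone; that is the trade-off CDR makes deliberately, and it is why “retains its functionality” should always be read as “retains the content, not the code”.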
To arrange a demonstration of Votiro, contact us today.