Protecting Critical Infrastructure from Cyberattacks

Modern warfare is increasingly fought not with guns and bombs but with weaponized software. State-backed hackers in North Korea are currently setting their sights on critical infrastructure in the United States with the aim of knocking out power in the country, cybersecurity researchers have warned.

Critical infrastructure holds a unique and vital role in today’s interconnected societies. The designation encompasses everything from financial infrastructure and power and distribution to transportation and industries critical to national defense. As such, critical infrastructure is consistently the most attacked industry when it comes to cyberattacks.

Securing critical infrastructure is a priority for national security reasons, but the traditional view of security solely as a defensive measure is not enough to protect these systems; a proactive approach to security in tandem with defensive tools is the best way forward to prevent catastrophe and keep people and commerce going.

The High Stakes of Critical Infrastructure Cyberattacks

For the vast majority of enterprise businesses, critical systems are defined as any system where an outage or failure will result in a high cost to the business; email, customer databases, accounting systems, etc. are all examples. In the event of a breach, enterprises face serious risks and penalties from lost or exposed customer data and transactions, and loss of customer confidence that can affect their bottom line.

For critical infrastructure, however, the stakes are much higher. The consequences of a successful cyberattack can be catastrophic when measured by the human and business impact along with financial damages if systems were to fail or be controlled by an outside entity. The real-life consequences of such an attack include widespread power grid shutdowns, failures of safety measures at nuclear power plants, or dams maliciously controlled to cause flooding.

An example from fifteen years ago illustrates the potential impact that can be caused by a cyberattack. The blackout of 2003, which in this case was caused by a software bug, led to approximately 55 million people being deprived of power for up to two days. It affected power generation, water supply, transportation, communication, and industry. It also led to almost 100 deaths and cost the US economy approximately $6 billion.

With so much at risk, it should be self-evident that the security of these critical systems is paramount. However, while defensive measures can keep most threats out, some will successfully breach them. What is required is a shift from a solely defensive or reactive posture to a proactive approach: assume a compromise already exists and search for it before it can cause damage. So many industrial control systems were designed without security in mind that patching is relatively useless as a security measure, according to Robert M. Lee of Dragos; assuming breach is the most effective way to begin searching for malicious activity.

Yesterday, the US named the Russian government as the perpetrator of the ‘Dragonfly’ attacks against US power plants and the computer networks that control the power grid – attacks which were classified until now. Despite successfully piercing many layers of security, no evidence of actual sabotage has been found yet. And late last year, a major oil and gas company in Saudi Arabia was successfully attacked by malware dubbed Trisis. Shortly afterwards, Schneider Electric, the company that builds the safety instrumented systems (SIS) that the malware infects, posted a file containing parts of the virus on VirusTotal for analysis, which inadvertently made it available for download by anyone interested in using the malware. The malware sets the SIS to run in program mode, which allows an attacker to give the machine new instructions. Normally, SIS run in run mode, which does not allow for additional code execution. This fundamentally provides attackers with a blueprint for building new malware based on this attack vector.

A key security challenge with Industrial Control Systems (ICS) is that although most of them are disconnected from the main network, there is a growing trend toward interconnectivity between the segments containing the ICS and the segments containing the other endpoints in the network. This means that any compromised endpoint in the network can be used as a springboard to compromise other endpoints, including the ICS. This lateral movement is a hallmark of sophisticated cyberattacks and poses a real and present danger.

Increasing Attack Frequency and Regulatory Scrutiny

According to the U.S. Energy Department’s report released at the end of the Obama administration, “Cyber threats to the electricity system are increasing in sophistication, magnitude, and frequency. The current cybersecurity landscape is characterized by rapidly evolving threats and vulnerabilities, juxtaposed against the slower-moving deployment of defense measures.”

The UK is taking a proactive stance against growing threats by warning UK companies running critical infrastructure to boost cybersecurity or face fines of up to £17 million if they do not have effective cyber-security measures in place and suffer service outages as a result. As part of the new guidelines, regulators will assess critical industries to ensure the cyber-security setups at energy, transport, water, and health firms are as “robust as possible”.

Today’s security practices need to change to be effective against the increasing threats to critical infrastructure while complying with evolving regulations and avoiding penalties for non-compliance. The traditional defensive approach to security assumes that nothing will breach the network’s defenses: firewalls, AV, endpoint detection, etc. A proactive approach acknowledges that no solution is 100% effective against every threat – new threats are released daily, and it is difficult for any technology to keep up in real time.

Taking a proactive posture means accepting that malware and zero days will successfully evade defenses. Further, the defenses that have allowed malware to slip past them undetected cannot be relied upon to find the malware post-compromise. Defensive tools serve an important purpose, but in today’s threat landscape it is critical to look to new technologies that complement existing security investments to gain insight into threats that have slipped past traditional first-line defenses.

Hunting for Hidden Compromises

Regularly assessing the compromise state of a network is crucial in a proactive security strategy. It is a necessary tactic for limiting and reducing attacker dwell time: the longer an attacker remains on the network, the more catastrophic the attack can be, because the attacker has time to move throughout the network and find critical data or systems to exfiltrate or exploit.

With Infocyte HUNT as a complement to endpoint and network protection tools, you gain the ability to discover hidden compromises and malware lurking in places that the other tools are not able to see. The Infocyte HUNT threat hunting platform sweeps endpoints and analyzes live volatile memory to detect and pinpoint where the attackers are hiding malware and persistent threats before they can inflict damage. Re-imagining the way security is handled in our critical sectors is the best way to keep secure in the long term—and keep the lights on.