Cyber Attacks On Critical Infrastructure – A New Frontier In Global Conflict

Cyber-war is still an emerging concept, but many experts now believe that it will be a significant component of any future conflicts. As well as troops using conventional weapons like guns and missiles, future wars will also be fought by hackers using computer code to attack an enemy's infrastructure and to take down their government support systems and the country’s commercial businesses.

At its core, cyber warfare is currently the use of digital attacks by one country or nation to disrupt the computer systems of another, with the aim of creating significant infrastructure damage and potentially assisting a more traditional military attack.

This military strategy resembles the early use of aircraft at the beginning of the 20th century, when planes were initially seen as offering only minor visual intelligence, only for large bomber aircraft to become massively destructive.

Commercial Threats
Governments, intelligence agencies and businesses now worry that digital attacks against vital infrastructure, like banking systems or power grids, will give attackers a way of bypassing a country's traditional defences.
This will allow them to take systems down at the beginning of an attack on a country’s infrastructure and/or to steal commercial and intellectual property and use it for their own commercial growth without having to go through the cost and time of system and product development.

Unlike standard military attacks, a cyber-attack can be launched instantaneously from any distance, with little obvious evidence in the build-up, and it is often extremely hard to trace such an attack back to its originators. 
Also, modern businesses are underpinned by computer networks that run everything from sanitation and health services to food distribution and communications. These networks are particularly vulnerable to such attacks, especially as the systems are in the main poorly designed and protected.

In 2017 Russian hackers obtained access to the US electrical grid by penetrating the networks of key vendors that service power companies. The attacks surfaced in the spring of 2016 and continued throughout 2017. Officials believe the campaign is likely still ongoing.

Some vendors still may not be aware that their systems have been compromised, because the credentials of actual employees were used to infiltrate utility networks.  Hackers used conventional tools, such as email phishing, to obtain employee passwords and access supplier networks. 

The utility sectors of the US, Canada, the whole of Europe, Australia and New Zealand routinely face millions of attempted cyber intrusions.

Duke Energy, one of the largest power companies in the US, serving 7.6 million customers, reported more than 650 million attempted cyberattacks in 2017 and a similar number of attacks in 2018. While a cyberattack hasn’t successfully shut down the US or a European power grid, the threat is real.

More and more, electrical utilities and energy companies are turning to cybersecurity vendors for protection against attempted attacks. 

In its most brutal stage, a cyberwar could result in the crippling of power plants, airports, transit and thousands of businesses, as Ukraine experienced in December 2015 and 2016 and again in June and July 2018.

Cyber War
A full cyberwar would likely lead to crippled power utilities, hospitals, transportation systems, retail outlets and more. 
Furthermore, in order to curb dissent and freedom of expression, some authoritarian governments take the drastic step of flicking the "off switch" on mobile and fixed line networks to disable the internet and messaging services used by protesters.
All over the world, intentional internet shutdowns and deliberate slowdowns are becoming increasingly common. They generally occur when someone (usually a government) intentionally disrupts the internet or mobile apps to control what people do or say. Out of all countries worldwide, India shuts down its internet most frequently.

In many countries, internet shutdowns are preemptive or reactive measures to mass or potential public unrest, with Turkey's 2016 failed military coup an obvious example. 

This is also true to some extent in India where Internet access is cut off due to political turmoil, protests or military operations. India is even known to carry out shutdowns in certain regions to prevent cheating during examinations. 
For example, Darjeeling in West Bengal suffered a 45-day Internet shutdown due to political demonstrations and protests from activists seeking a separate state while Nawada in Bihar had a 40-day shutdown as a result of communal clashes.
Given the importance of the Internet, moves to block it or limit access can prove costly. In India, the sheer volume of shutdowns, coupled with their length, is getting expensive - very expensive.

Ukraine
A massive attack on the Ukraine power generation system took place on 23 December 2015 and is considered to be the first known successful cyberattack on a power grid. Hackers were able to successfully compromise information systems of three energy distribution companies in Ukraine and temporarily disrupt electricity supply to industrial and domestic consumers.
Ukraine’s president, Petro Poroshenko, has reported that there had been 6,500 cyberattacks on 36 Ukrainian targets in just the previous two months. 

International cybersecurity analysts have stopped just short of conclusively attributing these attacks to the Kremlin, but Poroshenko didn’t hesitate: Ukraine’s investigations, he said, point to the “direct or indirect involvement of secret services of Russia, which have unleashed a cyberwar against our country.” 

Moscow has long regarded Ukraine as both a rightful part of Russia’s empire and an important territorial asset, a strategic buffer between Russia and the powers of NATO, a lucrative pipeline route to Europe, and home to one of Russia’s few accessible warm-water ports. 

For all those reasons, Moscow has worked for generations to keep Ukraine in the position of a submissive smaller sibling.
The group behind the attacks, known as Dragonfly or Energetic Bear, has been traced to Russia and had racked up "hundreds of victims", said the US Department of Homeland Security (DHS). The attacks are ongoing, it added. 

The hackers seem to have used tightly-targeted attacks to compromise the corporate networks of suppliers. The attacks used emails sent to senior staff or sought to make them visit spoofed or hacked social media sites. Once the groups won access, they carried out detailed reconnaissance to familiarise themselves with how plants and power systems worked.

Germany
In 2016 a German nuclear power plant was discovered to be infected with computer malware. The Gundremmingen plant, operated by the German utility RWE and nestled northwest of Munich, is said to be the highest-output nuclear power station in Germany.

Experts identified the viruses to be “W32.Ramnit” and “Conficker”, found at the plant’s B unit in the system that involves the transport of reactor fuel. 

Cyber-attacks against nuclear power plants and industrial control systems are probably at the top of a long list of potential disasters that can be caused by hackers.

Until now Stuxnet, which targeted nuclear power plants in Iran, was the most widely publicised threat against such systems. 
This incident shows, however, that threats against nuclear power plants are not limited to targeted attacks, but may also be caused by more common attacks. The malware was discovered in the part of the plant named “Blok B”, which luckily was isolated from any radioactive functions.

Unlike the more open conflict-style cyber-attacks we have recently seen against Ukraine’s electricity infrastructure, these attacks seem to be the actions of smaller and possibly civilian threat actors. Yet the threat is very real, and based on the increasing number of incidents involving industrial control systems, it looks like the current security approach of “computerised but isolated from the internet” is not enough.

Currently companies spend almost $100bn on cyber security, with the bulk going on technology infrastructure to defend against external threats.

Insider Threats
However, insurance cyber risk analysts agree that 58% of cyber claims are attributable to employee behaviour, such as negligence, accidental disclosure and lost or stolen devices. When we include vulnerabilities that exist due to a talent or skills shortage in cyber security, the percentage attributable to internal human issues is closer to 90%.

This should be of big concern to the financial industry in the City of London. With attacks against online financial services and the major lending companies increasing at steep rates over the past few years, the financial sector is experiencing higher costs from cyber-crime than any other industry.

The Financial Conduct Authority is stressing the importance of financial institutions nourishing a security culture. But building a culture of cyber security is not only about technology; it also requires a strategy that addresses people and processes.
No longer should it solely be the job of the IT department to handle cyber risk on its own. Instead, it is imperative to look across an organisation and identify people-based vulnerabilities, including talent and learning gaps, to protect against threats.
The biggest security vulnerabilities are hiding in plain sight. Even with today’s technological advances and increased use of automation, the core of any organisation is composed of its people. About 75% of companies in our survey reported that they plan on addressing risk factors tied to human error by 2020.

The majority of employers also said they had established effective policies to manage cyber security threats, and most employees indicated that they understood their companies’ policies. In practice, however, employees often lack the awareness and accountability required to thwart cyber threats.

But there are ways that firms can turn their biggest potential weakness into a strength.

Understand the Culture
An important first step is understanding the workforce culture issues that create vulnerabilities. Employee feedback mechanisms can enable employers to gain deeper understandings of the cultural factors influencing employees’ cyber awareness across their organisation. 

The feedback can also enable an organisation to direct its cyber security budget appropriately and to deploy other solutions, such as an appropriate change and communication plan.

Drive Employee Awareness 
Employees often lack awareness of cyber security risks at a basic level. For example, most employees believe that their organisations’ IT systems are sufficient protection. This thinking may explain why roughly 45% of employees say that it’s safe to open any email on their work computer, according to our survey.  

It is therefore important that employees are trained to understand that despite technology firewalls and other protections, they each play a key role in helping their organisation combat cyber-attacks, including reporting of phishing emails, social engineering tactics and other threats, to appropriate IT teams. 

With this level of awareness, IT teams will be better equipped to acquire and deploy more effective technology solutions.

Deliver Cyber Training & Education
Security awareness training is a critical part of driving a culture of security. But to ensure its effectiveness, organisations must consider deploying innovative ways of delivering and measuring the training. Most employees have a large and increasing training load covering topics from diversity to regulation.

Consider training approaches that will help to embed awareness in the culture over a longer term. There are several ways to achieve this, such as gamification and appointing employees as “cyber ambassadors”.

Lead by Example 
Evaluate whether your executive leadership team is supportive of cyber awareness and action-oriented behaviours. For example, make sure leaders model positive behaviours that encourage employees to do the same, and that employees are given the voice to speak up and take action.

Hire Appropriately
Employers need to cultivate robust pipelines of cyber-savvy talent. Onboarding for information security talent should cover cyber risk management processes and procedures. 

These topics should also be embedded into other areas, from performance management to succession planning, and include ongoing training to keep their skills up to date and forward looking.
