What Industrial Organisations Can Learn From Nation-State Cyber Attacks

In May 2023, Denmark faced one of the most extensive cyber-attacks against its critical infrastructure to date, compromising 22 companies operating in its energy sector. 

While cyberattacks on infrastructure happen every day, the Danish case was notable for its high level of preparation. “The attackers knew in advance who they were going to target and got it right every time,” noted SektorCert, Denmark’s cybersecurity centre for the critical sectors, pointing at the likely involvement of foreign state actors.

The attack exploited a vulnerability in firewalls manufactured by the Taiwanese company Zyxel, which is widely used to protect critical infrastructure in the country.

This large-scale attack raises two questions: What would a successful cyber-attack against a country look like, and how can organisations in critical sectors avoid becoming collateral damage in geopolitical conflicts?

The Risk of a High-Impact, Low-Frequency Attack 

Organisations in critical sectors are no strangers to cyber threats. In 2022, TrendMicro found that 89% of electricity companies and 88% of oil and gas companies had experienced a cyber-attack that affected production in the past twelve months. 

However, a coordinated attack by a foreign state can exhibit levels of patience and sophistication that few cybercriminals can afford.

The attack against Denmark is sometimes referred to as a HILF, for High Impact, Low Frequency: leveraging custom-made malware or an unknown vulnerability to infiltrate multiple actors, sometimes over the course of several years, then disrupting operations in a coordinated way for maximum impact.

Russia is far from the only state building that capability: the Chinese cyber operation Volt Typhoon, for example, has targeted critical sectors in several Western countries since at least 2021. Found in more than 50 power plants in the United States alone, it uses tactics to persist and evade detection for extended periods, leaving China with the theoretical capability to disrupt operations in essential sectors like energy, transportation, and water systems.

Power Plants, Transportation and Utilities on the Front Line

These sectors have several commonalities that make them high-value targets for a large-scale cyberattack. Energy, transportation and utilities all operate in networks: managing to shut down a few strategic facilities, such as power plants, refineries or electric substations, can have a rapid domino effect on large swaths of the country’s economy. 

In addition, these sectors also depend on legacy technologies and systems coupled with numerous industrial control systems (ICS) that are challenging to map, inventory and protect. State-affiliated actors have been known to develop malware that specifically aims at these systems: Russia’s CHERNOVITE group, for example, is known to use an ICS malware framework targeting the power and natural gas sectors. 

Infiltrating OT Systems to Cause Physical Disruptions

To achieve physical consequences from a cyber-attack, a key objective is to infiltrate Operational Technology (OT) systems - the hardware and software responsible for controlling and monitoring industrial equipment and processes. 

Threat actors can then attempt to disrupt operations in a number of ways, such as triggering equipment malfunctions, disabling controls, or overloading critical infrastructure. In recent years, hackers have used these tactics to attempt to poison drinking water in Florida and California and force shutdowns of oil refineries.

These OT systems have increasingly become a cybersecurity battleground. According to a March 2024 report by cybersecurity firm Palo Alto, “3 out of 4 organisations state they have experienced a cyberattack on their OT environment, with most experiencing frequent attacks.” Reports indicate that OT cyberattacks have surged by 50% in the past year.

These attacks exploit the fact that OT environments are inherently less secure. Often conceived without cybersecurity in mind due to their historical separation from IT networks and the Internet, many industrial devices lack basic security measures and controls, like passwords or multi-factor authentication. However, companies increasingly connect OT systems to the organisation’s IT networks for integration with other enterprise solutions and for benefits like asset optimisation, predictive maintenance, and advanced analytics, making these systems more exposed and vulnerable. 

Inventory and Patching Challenges Increase Cyber Risk

This interconnectedness means that attacks can start in one environment and move to another: a vulnerability exploited in the IT network can give attackers a pathway into OT environments if proper visibility and inventory controls are lacking.

The complexity has only increased as the number of devices in a company’s network has skyrocketed. Employees now connect from multiple terminals, and industrial sites host thousands of sensors and connected devices. Companies often struggle to keep track of all these devices and the software or firmware they use—an issue that applies not just to industrial systems but also to IT environments, which are often seen as more "mature" from a cybersecurity perspective.

Another complication for ICS is patching. While patching may not always be the most effective control for OT environments, it remains a valuable security measure. Yet, the process is often slowed down and made inefficient by low visibility and the need for vendor approvals.

For example, among EU companies in critical sectors, one in seven (13.5%) has no visibility over the patching of most of their assets. Additionally, because these sectors operate 24/7, over half (54%) of these organisations report that it takes more than a month to patch a known vulnerability, leaving gaps that attackers can exploit.

Raising Cyber Defences

Western nations are increasingly mandating stronger cybersecurity measures for critical sectors. In the EU, the NIS2 Directive, which must be adopted this month, imposes strict cybersecurity requirements on 18 critical sectors, including state-of-the-art practices, risk management, rapid incident reporting, and regular security assessments.

However, these regulations outline end goals rather than specific strategies, leaving companies to take decisive action to protect their operational technologies.

An effective approach to risk management should include asset visibility, vulnerability management, and configuration management. While risk can never be fully eliminated, organisations can mitigate it by focusing on the most critical issues and allocating resources where they will have the greatest impact. A shift from task-based execution to a risk-based strategy ensures operations remain safe, profitable, and secure without unnecessary disruptions.

Without a clear understanding of the OT assets within the organisation, including how they are connected and communicating, it is impossible to assess the attack surface, develop adequate vulnerability management, or defend against sophisticated attacks. This enhanced visibility allows for two critical actions: automating inventory processes to eliminate blind spots, and reducing risk by reviewing accessible assets and cross-referencing them with vulnerability databases, such as NIST's National Vulnerability Database. While no database is perfect or always up to date, these sources, when properly enhanced, are valuable tools for prioritising mitigation efforts.
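The cross-referencing step described above can be sketched in a few lines. This is an added example, not part of the original article: the inventory, product names, advisory identifiers and the 1.5 weighting for IT-reachable assets are all constructed assumptions, and a real deployment would take its advisories from a feed such as the National Vulnerability Database.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    firmware: Optional[str]      # None = version unknown to the inventory
    reachable_from_it: bool      # True if the IT network can route to it

@dataclass(frozen=True)
class Advisory:
    ident: str                   # placeholder id, not a real CVE number
    product: str
    fixed_in: str                # first firmware release containing the fix
    cvss: float

def older_than(installed: str, fixed: str) -> bool:
    """Compare dotted versions numerically, padding so 2.2 == 2.2.0."""
    a = [int(p) for p in installed.split(".")]
    b = [int(p) for p in fixed.split(".")]
    width = max(len(a), len(b))
    return a + [0] * (width - len(a)) < b + [0] * (width - len(b))

def prioritise(assets, advisories, it_weight=1.5):
    """Return (ranked findings, blind spots). it_weight is an assumed factor
    that raises the priority of assets reachable from the IT network."""
    findings, blind_spots = [], []
    for asset in assets:
        if asset.firmware is None:
            blind_spots.append(asset.name)   # cannot be assessed at all
            continue
        for adv in advisories:
            if adv.product == asset.product and older_than(asset.firmware, adv.fixed_in):
                weight = it_weight if asset.reachable_from_it else 1.0
                findings.append((round(adv.cvss * weight, 1), asset.name, adv.ident))
    findings.sort(key=lambda f: (-f[0], f[1]))
    return findings, blind_spots

# Constructed sample data: product names, versions and ids are invented.
INVENTORY = [
    Asset("plc-pump-07", "PumpPLC", "2.1.4", False),
    Asset("edge-fw-01", "EdgeFirewall", "5.30", True),
    Asset("hmi-ctrl-02", "PanelHMI", None, True),
    Asset("plc-pump-08", "PumpPLC", "2.2.0", False),
]
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "EdgeFirewall", "5.36", 9.8),
    Advisory("ADV-PLACEHOLDER-2", "PumpPLC", "2.2", 7.5),
]

if __name__ == "__main__":
    ranked, unknown = prioritise(INVENTORY, ADVISORIES)
    for score, name, ident in ranked:
        print(f"{score:5.1f}  {name:12}  {ident}")
    print("no firmware data (blind spots):", ", ".join(unknown))
```

Assets with no recorded firmware version are reported separately rather than silently skipped, since an asset that cannot be assessed is itself a finding.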

A robust cybersecurity strategy must also go beyond detecting intrusions or malware. State-affiliated actors are known to use legitimate tools that can evade detection for years and exploit insiders, including complicit employees.

Detecting configuration changes is essential to mitigating these risks. Broader measures, such as configuration management, policy enforcement, and regular audits, can help catch these threats before they can be exploited by malicious actors.

Edgardo Moreno is Executive Industry Consultant in Asset Lifecycle Intelligence Division at Hexagon
