What Industrial Organisations Can Learn From Nation-State Cyber Attacks

Uploaded on 2024-10-31 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Production-Utilities, BUSINESS-Production-Manufacturing, BUSINESS-Production-Energy

In May 2023, Denmark faced one of the most extensive cyber-attacks against its critical infrastructure to date, compromising 22 companies operating in its energy sector. 

While cyberattacks on infrastructure happen every day, the Danish case was notable for its high level of preparation. “The attackers knew in advance who they were going to target and got it right every time,” noted SektorCert, Denmark’s cybersecurity centre for the critical sectors, pointing at the likely involvement of foreign state actors.

The attack exploited a vulnerability in firewalls manufactured by the Taiwanese company Zyxel, which is widely used to protect critical infrastructure in the country.

This large-scale attack raises two questions: What would a successful cyber-attack against a country look like, and how can organisations in critical sectors avoid becoming collateral damage in geopolitical conflicts?

The Risk of a High-Impact, Low-Frequency Attack 

Organisations in critical sectors are no strangers to cyber threats. In 2022, TrendMicro found that 89% of electricity companies and 88% of oil and gas companies had experienced a cyber-attack that affected production in the past twelve months. 

However, a coordinated attack by a foreign state can exhibit levels of patience and sophistication that few cybercriminals can afford.

The attack against Denmark is sometimes referred to as a HILF, for High Intensity, Low Frequency: leveraging a custom-made malware or an unknown vulnerability to infiltrate multiple actors, sometimes over the course of several years, then disrupt operations in a coordinated way for maximum impact.

Russia is far from the only state building that capability: the Chinese cyber operation Volt Typhoon, for example, has targeted critical sectors in several Western countries since at least 2021. Found in more than 50 power plants in the United States alone, it uses tactics to persist and evade detection for extended periods, leaving China with the theoretical capability to disrupt operations in essential sectors like energy, transportation, and water systems.

Power Plants, Transportation and Utilities on the Front Line

These sectors have several commonalities that make them high-value targets for a large-scale cyberattack. Energy, transportation and utilities all operate in networks: managing to shut down a few strategic facilities, such as power plants, refineries or electric substations, can have a rapid domino effect on large swaths of the country’s economy. 

In addition, these sectors also depend on legacy technologies and systems coupled with numerous industrial control systems (ICS) that are challenging to map, inventory and protect. State-affiliated actors have been known to develop malware that specifically aims at these systems: Russia’s CHERNOVITE group, for example, is known to use an ICS malware framework targeting the power and natural gas sectors. 

Infiltrating OT Systems to Cause Physical Disruptions

To achieve physical consequences from a cyber-attack, a key objective is to infiltrate Operational Technology (OT) systems - the hardware and software responsible for controlling and monitoring industrial equipment and processes. 

Threat actors can then attempt to disrupt operations in a number of ways, such as triggering equipment malfunctions, disabling controls, or overloading critical infrastructure. In recent years, hackers have used these tactics to attempt to poison drinking water in Florida and California and force shutdowns of oil refineries.

These OT systems have increasingly become a cybersecurity battleground. According to a March 2024 report by cybersecurity firm Palo Alto, “3 out of 4 organisations state they have experienced a cyberattack on their OT environment, with most experiencing frequent attacks.” Reports indicate that OT cyberattacks have surged by 50% in the past year.

These attacks exploit the fact that OT environments are inherently less secure. Often conceived without cybersecurity in mind due to their historical separation from IT networks and the Internet, many industrial devices lack basic security measures and controls, like passwords or multi-factor authentication. However, companies increasingly connect OT systems to the organisation’s IT networks for integration with other enterprise solutions and for benefits like asset optimisation, predictive maintenance, and advanced analytics, making these systems more exposed and vulnerable. 

Inventory and Patching Challenges Increase Cyber Risk

This interconnectedness means that attacks can start in one environment and move to another: a vulnerability exploited in the IT network can give attackers a pathway into OT environments if proper visibility and inventory controls are lacking.

The complexity has only increased as the number of devices in a company’s network has skyrocketed. Employees now connect from multiple terminals, and industrial sites host thousands of sensors and connected devices. Companies often struggle to keep track of all these devices and the software or firmware they use—an issue that applies not just to industrial systems but also to IT environments, which are often seen as more "mature" from a cybersecurity perspective.

Another complication for ICS is patching. While patching may not always be the most effective control for OT environments, it remains a valuable security measure. Yet, the process is often slowed down and made inefficient by low visibility and the need for vendor approvals.

For example, among EU companies in critical sectors, one in seven (13.5%) has no visibility over the patching of most of their assets. Additionally, because these sectors operate 24/7, over half (54%) of these organisations report that it takes more than a month to patch a known vulnerability, leaving gaps that attackers can exploit.
Raising Cyber Defences

Western nations are increasingly mandating stronger cybersecurity measures for critical sectors. In the EU, the NIS2 Directive, which must be adopted this month, imposes strict cybersecurity requirements on 18 critical sectors, including state-of-the-art practices, risk management, rapid incident reporting, and regular security assessments.

However, these regulations outline end goals rather than specific strategies, leaving companies to take decisive action to protect their operational technologies.

An effective approach to risk management should include asset visibility, vulnerability management, and configuration management. While risk can never be fully eliminated, organisations can mitigate it by focusing on the most critical issues and allocating resources where they will have the greatest impact. A shift from task-based execution to a risk-based strategy ensures operations remain safe, profitable, and secure without unnecessary disruptions.

Without a clear understanding of the OT assets within the organisation—how they are connected and communicating—it's impossible to assess the attack surface, develop adequate vulnerability management, or defend against sophisticated attacks. This enhanced visibility allows for two critical actions: automating inventory processes to eliminate blind spots and reducing risk by reviewing accessible assets and cross-referencing them with vulnerability databases, such as the NIST's National Vulnerability Database. While no database is perfect or always up to date, these sources - when properly enhanced - are valuable tools for prioritising mitigation efforts.

A robust cybersecurity strategy must also go beyond detecting intrusions or malware. State-affiliated actors are known to use legitimate tools that can evade detection for years and exploit insiders, including complicit employees.

Detecting configuration changes is essential to mitigating these risks. Broader measures, such as configuration management, policy enforcement, and regular audits, can help catch these threats before they can be exploited by malicious actors.

Edgardo Moreno is Executive Industry Consultant in Asset Lifecycle Intelligence Division at Hexagon

Image: pixabay

You Might Also Read:

Industrial Operating Technology Faces An Urgent Challenge:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Trump Campaign A Target For Attacks From China
2024 US Presidential Election Cyber Intrusion: Part 5 - Cybercrime Threats »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Proofpoint

Proofpoint

Proofpoint provide the most effective cybersecurity and compliance solutions to protect people on every channel including email, the web, the cloud, social media and mobile messaging.

APWG

APWG

APWG is the international coalition unifying the global response to cybercrime across industry, government, law-enforcement and NGO communities.

Protiviti

Protiviti

Protiviti consulting solutions span critical business problems in technology, business process, analytics, risk, compliance, transactions and internal audit.

Cyber Defense Initiative Conference (CDIC)

Cyber Defense Initiative Conference (CDIC)

Cyber Defense Initiative Conference (CDIC) is one of the most distinguished Cybersecurity, Privacy and Information Security Conference in Thailand and Southeast Asia.

Infosec Train

Infosec Train

Infosec Train provide professional training, certifications & professional services related to all spheres of Information Technology and Cyber Security.

Swisscom Blockchain

Swisscom Blockchain

Swisscom Blockchain is focused on supporting the implementation and adaption of Blockchain-based platforms in enterprises across diverse industries.

Jacobs

Jacobs

Jacobs is at the forefront of the most important security issues today. We are inspired to be the best and deliver innovative, mission-focused outcomes that matter to our clients.

Secure Digital Solutions (SDS)

Secure Digital Solutions (SDS)

Secure Digital Solutions is a leading consulting firm in the business of information security providing cyber security program strategy, enterprise risk and compliance, and data privacy.

Mindmajix Technologies

Mindmajix Technologies

Mindmajix is a live and interactive e-learning platform that offers professional online IT training in areas including cyber security.

Cyber Tzar

Cyber Tzar

Cyber Tzar is a new approach at dealing with an old problem; assessing and managing risks to your IT estate.

Varutra Consulting

Varutra Consulting

Varutra Consulting is an Cyber Security Consulting, Solutions and Training services firm, providing specialized security services for software, mobile and network.

Twinstate Technologies

Twinstate Technologies

Twinstate Technologies specializes in cybersecurity, proactive IT, and hosted and on-premise voice solutions.

Cyber Explorers

Cyber Explorers

Cyber Explorers is a fun, free and interactive learning platform for future digital superstars. An exciting addition to UK curriculum delivery or after school activities.

Permiso Security

Permiso Security

Permiso combines industry leading Identity Security Posture Management with Identity Threat Detection and Response, leaving no place to hide for identity threats lurking in your environment.

Cloud Native Computing Foundation (CNCF)

Cloud Native Computing Foundation (CNCF)

CNCF seeks to drive adoption of cloud native technologies by fostering and sustaining an ecosystem of open source, vendor-neutral projects.

Cloudsmith

Cloudsmith

Cloudsmith is the only cloud-native, global, universal artifact management platform for securely developing and distributing software.