What Industrial Organisations Can Learn From Nation-State Cyber Attacks

Uploaded on 2024-10-31 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Production-Utilities, BUSINESS-Production-Manufacturing, BUSINESS-Production-Energy

In May 2023, Denmark faced one of the most extensive cyber-attacks against its critical infrastructure to date, compromising 22 companies operating in its energy sector. 

While cyberattacks on infrastructure happen every day, the Danish case was notable for its high level of preparation. “The attackers knew in advance who they were going to target and got it right every time,” noted SektorCert, Denmark’s cybersecurity centre for the critical sectors, pointing at the likely involvement of foreign state actors.

The attack exploited a vulnerability in firewalls manufactured by the Taiwanese company Zyxel, which is widely used to protect critical infrastructure in the country.

This large-scale attack raises two questions: What would a successful cyber-attack against a country look like, and how can organisations in critical sectors avoid becoming collateral damage in geopolitical conflicts?

The Risk of a High-Impact, Low-Frequency Attack 

Organisations in critical sectors are no strangers to cyber threats. In 2022, TrendMicro found that 89% of electricity companies and 88% of oil and gas companies had experienced a cyber-attack that affected production in the past twelve months. 

However, a coordinated attack by a foreign state can exhibit levels of patience and sophistication that few cybercriminals can afford.

The attack against Denmark is sometimes referred to as a HILF, for High Intensity, Low Frequency: leveraging a custom-made malware or an unknown vulnerability to infiltrate multiple actors, sometimes over the course of several years, then disrupt operations in a coordinated way for maximum impact.

Russia is far from the only state building that capability: the Chinese cyber operation Volt Typhoon, for example, has targeted critical sectors in several Western countries since at least 2021. Found in more than 50 power plants in the United States alone, it uses tactics to persist and evade detection for extended periods, leaving China with the theoretical capability to disrupt operations in essential sectors like energy, transportation, and water systems.

Power Plants, Transportation and Utilities on the Front Line

These sectors have several commonalities that make them high-value targets for a large-scale cyberattack. Energy, transportation and utilities all operate in networks: managing to shut down a few strategic facilities, such as power plants, refineries or electric substations, can have a rapid domino effect on large swaths of the country’s economy. 

In addition, these sectors also depend on legacy technologies and systems coupled with numerous industrial control systems (ICS) that are challenging to map, inventory and protect. State-affiliated actors have been known to develop malware that specifically aims at these systems: Russia’s CHERNOVITE group, for example, is known to use an ICS malware framework targeting the power and natural gas sectors. 

Infiltrating OT Systems to Cause Physical Disruptions

To achieve physical consequences from a cyber-attack, a key objective is to infiltrate Operational Technology (OT) systems - the hardware and software responsible for controlling and monitoring industrial equipment and processes. 

Threat actors can then attempt to disrupt operations in a number of ways, such as triggering equipment malfunctions, disabling controls, or overloading critical infrastructure. In recent years, hackers have used these tactics to attempt to poison drinking water in Florida and California and force shutdowns of oil refineries.

These OT systems have increasingly become a cybersecurity battleground. According to a March 2024 report by cybersecurity firm Palo Alto, “3 out of 4 organisations state they have experienced a cyberattack on their OT environment, with most experiencing frequent attacks.” Reports indicate that OT cyberattacks have surged by 50% in the past year.

These attacks exploit the fact that OT environments are inherently less secure. Often conceived without cybersecurity in mind due to their historical separation from IT networks and the Internet, many industrial devices lack basic security measures and controls, like passwords or multi-factor authentication. However, companies increasingly connect OT systems to the organisation’s IT networks for integration with other enterprise solutions and for benefits like asset optimisation, predictive maintenance, and advanced analytics, making these systems more exposed and vulnerable. 

Inventory and Patching Challenges Increase Cyber Risk

This interconnectedness means that attacks can start in one environment and move to another: a vulnerability exploited in the IT network can give attackers a pathway into OT environments if proper visibility and inventory controls are lacking.

The complexity has only increased as the number of devices in a company’s network has skyrocketed. Employees now connect from multiple terminals, and industrial sites host thousands of sensors and connected devices. Companies often struggle to keep track of all these devices and the software or firmware they use—an issue that applies not just to industrial systems but also to IT environments, which are often seen as more "mature" from a cybersecurity perspective.

Another complication for ICS is patching. While patching may not always be the most effective control for OT environments, it remains a valuable security measure. Yet, the process is often slowed down and made inefficient by low visibility and the need for vendor approvals.

For example, among EU companies in critical sectors, one in seven (13.5%) has no visibility over the patching of most of their assets. Additionally, because these sectors operate 24/7, over half (54%) of these organisations report that it takes more than a month to patch a known vulnerability, leaving gaps that attackers can exploit.
Raising Cyber Defences

Western nations are increasingly mandating stronger cybersecurity measures for critical sectors. In the EU, the NIS2 Directive, which must be adopted this month, imposes strict cybersecurity requirements on 18 critical sectors, including state-of-the-art practices, risk management, rapid incident reporting, and regular security assessments.

However, these regulations outline end goals rather than specific strategies, leaving companies to take decisive action to protect their operational technologies.

An effective approach to risk management should include asset visibility, vulnerability management, and configuration management. While risk can never be fully eliminated, organisations can mitigate it by focusing on the most critical issues and allocating resources where they will have the greatest impact. A shift from task-based execution to a risk-based strategy ensures operations remain safe, profitable, and secure without unnecessary disruptions.

Without a clear understanding of the OT assets within the organisation—how they are connected and communicating—it's impossible to assess the attack surface, develop adequate vulnerability management, or defend against sophisticated attacks. This enhanced visibility allows for two critical actions: automating inventory processes to eliminate blind spots and reducing risk by reviewing accessible assets and cross-referencing them with vulnerability databases, such as the NIST's National Vulnerability Database. While no database is perfect or always up to date, these sources - when properly enhanced - are valuable tools for prioritising mitigation efforts.

A robust cybersecurity strategy must also go beyond detecting intrusions or malware. State-affiliated actors are known to use legitimate tools that can evade detection for years and exploit insiders, including complicit employees.

Detecting configuration changes is essential to mitigating these risks. Broader measures, such as configuration management, policy enforcement, and regular audits, can help catch these threats before they can be exploited by malicious actors.

Edgardo Moreno is Executive Industry Consultant in Asset Lifecycle Intelligence Division at Hexagon

Image: pixabay

You Might Also Read:

Industrial Operating Technology Faces An Urgent Challenge:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Trump Campaign A Target For Attacks From China
2024 US Presidential Election Cyber Intrusion: Part 5 - Cybercrime Threats »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

BPC Banking Technologies

BPC Banking Technologies

BPC’s advanced fraud prevention solution helps card issuers and acquirers combat the growing threat by monitoring 100% of transactions, online, in real-time across all channels.

Agari

Agari

Agari is the Trusted Email Identity Company™, protecting brands and people from devastating phishing and socially-engineered attacks.

Scanmeter

Scanmeter

Scanmeter helps identifying vulnerabilities in software and systems before they can be exploited by an attacker.

ISMS Accreditation Center (ISMS-AC)

ISMS Accreditation Center (ISMS-AC)

ISMS-AC is the national accreditation body for Japan. The directory of members provides details of organisations offering certification services for ISO 27001.

Fortress Information Security

Fortress Information Security

Fortress Information Security is one of the largest cyber security providers of supply chain risk management and vulnerability risk management in the US.

Infosequre

Infosequre

Infosequre builds up your security awareness culture and turns your employees into the first line of defense against cyber risks.

Speedinvest

Speedinvest

Speedinvest is one of Europe’s most active early-stage investors with a focus on Deep Tech, Fintech, Industrial Tech, Network Effects, and Digital Health.

North West Cyber Resilience Centre (NWCRC)

North West Cyber Resilience Centre (NWCRC)

The North West Cyber Resilience Centre is a trusted, not-for-profit venture between Greater Manchester Police and Manchester Digital.

Clearnetwork

Clearnetwork

Clearnetwork specializes in managed cybersecurity solutions that enable both public and private organizations improve their security posture affordably.

Centric Consulting

Centric Consulting

Centric Consulting is an international management consulting firm with unmatched expertise in business transformation, AI strategy, cyber risk management, technology implementation and adoption. 

TrustMe

TrustMe

TrustMe’s integrated platform for business trust and resilience keeps organizations safe, secure, and trustworthy.

QPoint Technologies

QPoint Technologies

QPoint provides solutions and consulting in areas including software engineering, testing, cybersecurity, ICT, web, mobile, project management, and complex integration processes.

Entitle

Entitle

Entitle's SaaS-based platform automates how permissions are managed, enabling organizations to eliminate bottlenecks and implement robust cloud least privilege access.

AmiViz

AmiViz

AmiViz is the first B2B enterprise marketplace focussed on Cybersecurity business in the Middle East and Africa, designed specially to serve the interests of enterprise resellers and vendors.

CyberE71

CyberE71

CyberE71 is an ambitious initiative serving as an umbrella for the UAE’s cybersecurity innovation ecosystem.

Cyber Eagle

Cyber Eagle

Cyber Eagle is a sovereign-grade cybersecurity firm specializing in autonomous AI-powered defense systems for critical infrastructure protection.