Russia is known to be the world’s leading hacking superpower for a reason. The country has an infamous history of executing high impact cyberattacks, often aimed at one of the most critical functions of any nation: its infrastructure.
We’ve seen this play out against Ukraine, even before the current geopolitical uprisings.
By Alon Nachmany, Field CISO of AppViewX
In 2015, Russia sabotaged Ukraine’s power grid, causing a massive blackout that affected nearly 80,000 customers. The country launched another attack the very next year in Kyiv that left about one-fifth of the city’s residents without power. And two years after that, Russian state-sponsored actors unleashed one of Ukraine’s biggest supply-chain attacks via the NotPetya virus—a destructive malware that affected several electric utility companies in the region. Worldwide fallout ensued, disrupting operations across many different industries and causing more than 10 billion USD in damages. Since then, independent Russian hackers have also been linked to several insidious global Operational Technology (OT) security breaches.
Fast forward to 2022, and Russia has used similar tactics, treating cyberspace as an alternative battlefield in its war on Ukraine. From more than 3,000 DDoS attacks unleashed on Ukrainian government websites, to smaller but still harmful Russia-based attacks reported in other Western countries that condemned its actions – the impact has again reached global proportions.
In the wake of escalated cyber threats, U.S. President Joe Biden alerted companies and government entities to the surge of activity aimed at the U.S. and called for “hardening cyber defenses immediately” – a battle cry that has echoed in a variety of ways from numerous U.S. government agencies, industry organizations, and experts. The FBI specifically warned U.S. energy organizations to closely inspect their network traffic after discovering increased network scanning activity from multiple Russian-based IP addresses, and security experts urged critical infrastructure organizations to be on “high alert” when Russian hackers scanned five U.S. energy companies.
While POTUS preemptively warned Russia that if it launched an attack on any critical infrastructure within the U.S., the country would be “prepared to respond”—amidst looming threats like the latest BlackCat malware—is U.S. infrastructure realistically prepared for such attacks?
The sorry state of current OT security
OT is a combination of hardware and software used to monitor and control industrial equipment in critical infrastructures, such as power plants, water treatment systems, transportation, and gas pipelines. It includes, among others, PLCs (Programmable Logic Controllers), SCADA (supervisory control and data acquisition) systems, DCS (distributed control systems), and lighting controls. Within these are special systems used to control physical devices such as pumps, valves, electricity meters, and light poles that need to operate around the clock.
Attacks on OT systems were once far less common than they are today. Before the days of digital transformation — and because of the highly critical nature of their operations — OT systems were completely air-gapped and therefore considered impenetrable, which left threat actors with little choice but to target IT networks. This also allowed weaker security on these systems to go unaddressed. But as more critical infrastructure organizations transition to digital models for greater efficiency, OT systems are now connected to IT networks and the cloud. IT-OT integration has connected the once-isolated OT network to the internet, adding every OT system to the attack surface.
Unfortunately, our critical infrastructure isn’t as prepared as it should be, and the implications are not fully appreciated. Many agencies and companies are underfunded and reliant on incredibly outdated technology, meaning the security of their OT systems is equally dated. With the typical lifespan of OT systems around ten years, agencies rarely plan for patches or upgrades, leaving vulnerabilities unaddressed for long stretches.
For example, in some water treatment facilities, pump controllers either require no password for access or do not encrypt their communications. Where a password exists but is sent in the clear, an attacker only needs to observe the network long enough to capture it and can then use it to enter the network.
There’s also the issue of technology mismanagement involving third-party vendors or partners. For example, organizations have network ports connected to other organizations without accurate records of where those cables go. So, when a partner suffers a ransomware attack, no one knows which cable to unplug.
Since organizations have predominantly focused on securing IT systems, many cybersecurity professionals lack the skills to work with OT technology. In addition, OT system operators are neither informed of the security risks nor trained in cybersecurity. Because “availability” is the top priority in an OT environment, operators always put the continuous operation of OT systems above the integrity and confidentiality of data — a combustible combination of circumstances.
What could happen if the critical infrastructures were attacked?
In May 2021, a ransomware attack took down the mighty Colonial Pipeline, which supplies diesel, gasoline, heating oil, and jet fuel to 19 states across the U.S. The attack has since been attributed to a Russian ransomware gang called DarkSide. The pipeline operator shut down its industrial control systems for about a week, causing panic-buying of fuel, supply shortages, and price hikes. Had the pipeline been shut down for longer, the cascading effects could have been devastating: eventually, first responders would have run out of fuel and been unable to respond to emergencies, causing mayhem in many major cities.
In another dangerous incident in February last year, hackers broke into the systems of a Florida city’s water treatment plant with the intent of poisoning the water supply. They attempted to raise the level of sodium hydroxide (commonly known as lye) in the water to a level toxic for consumption. While the attack was thwarted in time, it did threaten the safety of local customers.
The electrical grid is another critical infrastructure that powers the nation’s economy and safety. Any disruption in the power sector would have a debilitating effect on the nation’s security, economy, and public safety. Once hackers infiltrate a power plant’s network, they can quietly lurk inside for several months, learning the systems before orchestrating an attack. They could also alter critical data, change settings, disable security functions, or even push firmware upgrades to help facilitate the attack. We all remember the infamous Northeast blackout of 2003, which affected more than 50 million people across eight states and parts of Canada. The power outage lasted more than a day, resulted in incidents of reckless looting and arson, and claimed the lives of 11 people.
Don’t plan to repent at the eleventh hour, prepare for war today
Although experts believe that Russia is exercising restraint in launching a full-scale cyber assault, developments are continuing to unfold and it’s only a matter of time before the lid is fully blown off.
President Biden’s 2023 federal budget proposal clearly underlined the urgent need to shore up defenses against these threats. Critical infrastructures such as power, water, gas, and health care are a nation’s lifeline and must be protected at all costs. Given that they are prime targets for malicious actors, organizations operating critical infrastructure must take a defense-in-depth approach by implementing Zero-Trust security controls at every level.
To accomplish this, it is important that they invest in technology that helps them:
- Achieve end-to-end visibility of all assets in the IT and OT networks
- Take control of all assets so that the right resources are accessed by the right identities at the right time
- Continuously monitor assets for anomalous behavior
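The three capabilities above, together with the unencrypted-credential problem described earlier for pump controllers, can be prototyped against plain connection records. The Go program below is an added example, not code from the article or from AppViewX: it builds an asset inventory and a known-good flow baseline from constructed records, then flags unknown hosts (visibility), flows outside the baseline (access control) and management protocols that carry credentials in the clear (monitoring). The host names (hmi-1, plc-7, pump-ctl-2, historian, laptop-9), the one-line record format and every sample flow are invented for the example; port 502 is Modbus/TCP, and 21, 23 and 80 are FTP, Telnet and HTTP.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Flow is one observed connection from a source host to a destination asset.
// The record layout "src dst port function" is this example's own, not a product's.
type Flow struct {
	Src, Dst string
	Port     int
	Func     string // protocol function seen, e.g. "read", "write", "login"
}

// ParseFlow parses a constructed log line such as "hmi-1 plc-7 502 write".
func ParseFlow(line string) (Flow, error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return Flow{}, fmt.Errorf("malformed flow record: %q", line)
	}
	port, err := strconv.Atoi(f[2])
	if err != nil {
		return Flow{}, fmt.Errorf("bad port in %q: %w", line, err)
	}
	return Flow{Src: f[0], Dst: f[1], Port: port, Func: f[3]}, nil
}

// cleartextPorts are management protocols that carry credentials unencrypted,
// the situation the article describes at water-treatment pump controllers.
var cleartextPorts = map[int]string{21: "ftp", 23: "telnet", 80: "http"}

// Baseline holds the asset inventory (visibility) and the flows learned
// during a known-good period (which host may do what to which asset).
type Baseline struct {
	assets  map[string]bool
	allowed map[string]bool
}

func flowKey(f Flow) string {
	return fmt.Sprintf("%s>%s:%d/%s", f.Src, f.Dst, f.Port, f.Func)
}

// NewBaseline builds the allow-list from an inventory and known-good flows.
func NewBaseline(inventory []string, knownGood []Flow) *Baseline {
	b := &Baseline{assets: map[string]bool{}, allowed: map[string]bool{}}
	for _, a := range inventory {
		b.assets[a] = true
	}
	for _, f := range knownGood {
		b.allowed[flowKey(f)] = true
	}
	return b
}

// Check returns the findings for one flow; an empty result means it matches the baseline.
func (b *Baseline) Check(f Flow) []string {
	var findings []string
	for _, h := range []string{f.Src, f.Dst} {
		if !b.assets[h] {
			findings = append(findings, "unknown-asset:"+h)
		}
	}
	if !b.allowed[flowKey(f)] {
		findings = append(findings, "unexpected-flow:"+flowKey(f))
	}
	if proto, ok := cleartextPorts[f.Port]; ok {
		findings = append(findings, "cleartext-protocol:"+proto)
	}
	return findings
}

func main() {
	// Constructed inventory and known-good flows for a small treatment cell.
	inventory := []string{"hmi-1", "historian", "plc-7", "pump-ctl-2"}
	knownGood := []Flow{
		{"hmi-1", "plc-7", 502, "read"}, {"hmi-1", "plc-7", 502, "write"},
		{"historian", "plc-7", 502, "read"}, {"hmi-1", "pump-ctl-2", 502, "read"},
	}
	b := NewBaseline(inventory, knownGood)
	// Constructed traffic: two baseline flows and three that should raise findings.
	lines := []string{
		"hmi-1 plc-7 502 read",
		"historian plc-7 502 read",
		"historian plc-7 502 write",    // the historian never writes to the PLC
		"laptop-9 pump-ctl-2 23 login", // unknown host, and over telnet
		"hmi-1 pump-ctl-2 502 write",   // a write never seen in the baseline
	}
	for _, l := range lines {
		f, err := ParseFlow(l)
		if err != nil {
			fmt.Println("skipped:", err)
			continue
		}
		fmt.Printf("%-30s %v\n", l, b.Check(f))
	}
}
```

A real deployment would learn the baseline from passively captured traffic over a representative period and would treat every write or configuration change to a controller as worth an explicit allow-list entry; the structure of the check stays the same.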
To that end, organizations must treat identity as the new perimeter and reinforce identity and access management, which is an effective OT security control.
It is essential to understand that verifying user identities alone is not enough; machines, too, must be verified before they are allowed onto the network. Every OT system connected to the internet, such as a PLC, must be secured with digital certificates and keys, authenticated before every communication, and constantly monitored. This includes enforcing strong encryption standards for all machine-to-machine communications. In addition, machine identities should be managed efficiently so that they do not become weak links in the system.
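Machine verification before every communication, as described above, is what mutual TLS provides. The Go program below is an added example rather than the author's or AppViewX's code: it creates an in-memory private CA for one OT cell, issues a certificate for a PLC and one for an HMI, starts a loopback TLS endpoint standing in for the PLC that requires a client certificate, and shows that the HMI with a certificate is accepted while a machine without one is refused. The names ot-cell-ca, plc-7 and hmi-1, the 24-hour validity and the one-byte echo used as application traffic are assumptions of the example; where a controller cannot terminate TLS itself, the same configuration belongs on the gateway in front of it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on err; in this offline demo every error is a programming error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for name: self-signed (the cell's CA) when ca is nil, otherwise a machine identity signed by ca.
func issue(name string, ca *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; real CAs use random serials
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	parent, signerKey := tmpl, any(key)
	if ca == nil { // CA: allowed to sign other certificates
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else { // machine identity: usable as TLS server and as TLS client
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		parent, signerKey = ca.Leaf, ca.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// Setup builds the cell's private PKI: one CA, the PLC's identity and the HMI's identity.
func Setup() (pool *x509.CertPool, plc, hmi tls.Certificate) {
	ca := issue("ot-cell-ca", nil)
	pool = x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	return pool, issue("plc-7", &ca), issue("hmi-1", &ca)
}

// StartPLCListener is a loopback TLS endpoint standing in for the PLC. Every peer must
// present a certificate chained to pool (mutual TLS); one without it is refused at the handshake.
func StartPLCListener(plc tls.Certificate, pool *x509.CertPool) net.Listener {
	cfg := &tls.Config{Certificates: []tls.Certificate{plc}, ClientCAs: pool, MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert} // a client machine identity is mandatory
	ln := must(tls.Listen("tcp", "127.0.0.1:0", cfg))
	go func() { // serve connections in turn; the first Read performs the handshake
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			buf := make([]byte, 1)
			if _, err := c.Read(buf); err == nil {
				c.Write(buf) // echo one byte as an ack
			}
			c.Close()
		}
	}()
	return ln
}

// Connect talks to the PLC as the HMI. A nil hmi models a machine with no identity.
func Connect(addr, serverName string, hmi *tls.Certificate, pool *x509.CertPool) error {
	cfg := &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
	if hmi != nil {
		cfg.Certificates = []tls.Certificate{*hmi}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	if _, err = conn.Write([]byte{0x01}); err == nil {
		_, err = conn.Read(make([]byte, 1)) // under TLS 1.3 a refused client certificate surfaces here
	}
	return err
}

func main() {
	pool, plc, hmi := Setup()
	ln := StartPLCListener(plc, pool)
	fmt.Println("hmi-1 with certificate:   ", Connect(ln.Addr().String(), "plc-7", &hmi, pool))
	fmt.Println("machine without identity:", Connect(ln.Addr().String(), "plc-7", nil, pool))
}
```

Run with go run: the first line prints <nil>, the second a certificate-required error. Certificate rotation and revocation, which the call above for managing machine identities efficiently covers, are outside this snippet.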
Leaders should also plan to upgrade outdated software and hardware that no longer support modern security controls; without adequate security, such systems remain highly vulnerable to cyberattacks. Strong security policies must be enforced across the organization to prevent security gaps and improve OT compliance.
It’s not an exaggeration to say that cyberattacks may affect the functioning of life as we know it. These threats are a big deal, and cyber posture across all operations can no longer be an afterthought. The best way forward is to shield up, practice cyber hygiene, and always stay vigilant.
About the Author
Alon Nachmany is a cybersecurity expert currently working with Fortune 500 enterprises in helping them achieve their security goals at AppViewX. His experience in leadership roles across industries from small start-ups to established enterprises has enabled him to secure some of the most cutting-edge innovations in the world of technology.
In the past, Alon served as the Director of IT and Information Security for WeWork and the CISO for National Securities Corporation, uniquely positioning him to understand and address the mounting security challenges of the modern-day enterprise. His feet are firmly planted on the ground, his eyes are turned to the skies, but he spends most of his days in cyberspace.
Alon Nachmany can be found on LinkedIn