
Security Think Tank: Attacks on CNI – an evolving frontier in warfare

In the light of increasing cyber attacks on critical national infrastructure, what are the immediate risks to industrial control systems and other operational technology, and what steps can be taken to address them?

The recent attack on the Oldsmar, Florida water treatment facility, where sodium hydroxide was applied to water at life-threatening levels, as well as previous attacks such as the 2015 Ukraine power grid cyber attack, are reminders of a rapidly evolving frontier of global warfare: attacks on critical national infrastructure (CNI).

Another interesting incident took place in May 2020, when severe operational disruptions were experienced at one of Iran’s central ports due to a cyber attack – allegedly a retaliation to an Iranian attempt to attack Israeli water facilities that took place two weeks earlier. Even though no considerable damage was done to Israeli infrastructure, the attack demonstrates how seriously nations consider cyber threats to CNI. 

Addressing cyber risks in CNI environments is like addressing cyber risks in commercial industrial environments, with two significant differences to consider: 

  • The threat actor. Although recent attacks on industrial corporations have been relatively simple ransomware-based extortions and are associated with cyber criminal groups, attacks on CNI are usually carried out by highly skilled nation-level attackers with extensive resources and quality intelligence, capable of carrying out persistent and well-planned attacks against secured facilities. Taking out a port requires extremely high skills and far more than two weeks’ preparation. 
  • The impact. While an attack on industrial corporations may impact the attacked company and its related markets, attacks on CNI may result in strategic damage and instability on a national level. Cyber attacks on CNI may also be a game-changer during traditional war. 

A recent alert, jointly issued by the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), recommends that critical infrastructure operators in the US take immediate action to prevent malicious cyber activity against critical infrastructure, but such actions may take years to complete. Even a simple recommendation to disconnect operational technology (OT) systems from the internet is like looking for a needle in a haystack when hunting down a phone line connection to an old modem in a power grid or water treatment facility.

There is no quick fix when it comes to OT cyber risk reduction, as the fundamental deficiencies result from incredibly old technology, no security-by-design mindset, lack of technological knowledge and lack of access to cyber risk management practices.

Addressing the OT cyber risk challenge requires a holistic approach and strong executive leadership. The associated effort may include the following: 

  • Adopting a converged approach to IT and OT cyber risk management.
  • Developing a unified cyber risk management policy with clear roles and responsibilities when it comes to industrial control systems (ICS).
  • Educating CISOs on ICS technology, ICS sensitivity to changes and the potentially severe impact of a cyber attack on ICS, including casualties and ecological disasters.
  • Educating control engineers on the cyber threat landscape and the associated risks to ICS, available cyber security controls and cyber risk mitigation methods.
  • Conducting a cyber risk assessment of ICS to analyse the threat actor’s profile, map attack surfaces and identify network topology vulnerabilities, as well as ICS device misconfigurations and vulnerabilities.
  • Ensuring that required external interfaces to OT networks, including interfaces to the organisation’s IT network, are mapped, documented and well-secured.
  • Developing monitoring capabilities to detect attack attempts against ICS.
  • Developing and carrying out a prioritised risk reduction plan, based on the risk assessment findings, and calibrated according to the threat actor’s expected capabilities.
  • In the case of CNI, engaging with relevant governmental agencies to better understand the threat landscape, the threat actor’s profile and to receive concrete intelligence on planned attacks.

The immediate threat, as well as the length and complexity of the remediation plan, should be a call to action to all involved parties.
