A growing number of threat groups have been attacking the security systems of electric utilities in North America. Infrastructure around the world is under attack.
The coronavirus pandemic has spawned a huge increase in cyberthreats and attacks. While much of this is aimed at consumers, a lot has also targeted companies whose employees must now access critical infrastructure, such as industrial control systems (ICS) and operational technology (OT) networks, from home.
But that critical infrastructure, which keeps modern society going even during a pandemic, is seriously under-protected against cyberattacks, say recent reports from cybersecurity companies.
“Critical infrastructure” means more than the obvious utility companies, water systems, and transportation networks. In defining essential workers during Covid-19-related lockdowns, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) lists 16 categories of critical infrastructure. These also include chemical plants, commercial facilities, communications, critical manufacturing, dams, defense, emergency services, financial, food & agriculture, government facilities, healthcare and public health, and IT.
Last month, CISA published a set of cybersecurity best practices for ICS, which the agency acknowledges are important for supporting critical infrastructure and maintaining national security.
Attacks on critical infrastructure rising
Cyberattacks on ICS in the energy sector in particular have been ratcheting up, and aren’t limited to the U.S.
In May, Taiwan’s state-owned energy company suffered a ransomware attack, Israel reported cyberattacks on its water systems, Japan’s telecommunications firm NTT said hackers breached its internal network and stole data on 621 customers, and German intelligence agencies warned of Russian hacking threats to critical infrastructure.
These attacks have been building for some time. A Siemens/Ponemon Institute study last October found that 56% of gas, wind, water and solar utilities around the world had experienced at least one cyberattack within the previous year that caused a shutdown or loss of operation data. Only 42% of respondents — those responsible for OT cybersecurity — said their cyber readiness was high, and only 31% said their readiness to respond to or to contain a breach was high. Smaller organizations were much less confident about their ability to take action.
Since last year, a growing number of known threat groups have been specifically targeting electric utilities in North America, according to a January report from ICS/OT cybersecurity firm Dragos.
In February, IT/OT cybersecurity firm Claroty discovered a new vulnerability related to the notorious Industroyer malware, used in the 2016 attack on the Ukraine power grid. Most disturbing, the new vulnerability allows a denial-of-service (DoS) attack against protection relays used in electrical substations.
Complete protection still lacking
A report Claroty published in March found that a clear majority of IT security professionals are much more worried about cyberattacks on critical infrastructure than they are about data breaches in the enterprise. That’s consistent among respondents in the U.S., the UK, Germany, France and Australia.
What’s less consistent is the outlook on how much protection is still needed: U.S. respondents are gloomier than their international counterparts, with more than half saying U.S. critical infrastructure is vulnerable to attacks, versus 40% of international respondents. But all respondents agreed that electric power is by far the most vulnerable sector.
Although some responses vary between domestic and international cybersecurity pros, “They’re more alike than they are different,” Claroty’s co-founder and chief business development officer Galina Antova told EE Times. “There are some differences based on the vertical sectors, but even within them, a lot depends on the maturity of the security team. At the end of the day, what counts is the maturity of the security systems that team is implementing. On average, U.S. companies are ahead in the security curve when it comes to awareness and starting the implementation steps.”
In the last three years, more companies have become actively engaged in implementing OT cybersecurity, said Antova. Organizational changes that give responsibility for OT security to the chief information security officer will mean that necessary alignments between IT and OT teams happen faster, and these are happening faster in the U.S. than in Europe.
However, local legal structures also play a part. For example, in some verticals in Europe, the head of production for certain types of facilities has legal responsibility for the cybersecurity of those facilities, so in some respects regulation is stricter in Europe than in the U.S.
IT/OT convergence: hindrance or help?
In a March 2020 survey of cyber-physical security threats to critical infrastructure, nearly 90% of respondents said they’d experienced a security incident in the previous 12 months, and more than half had experienced at least two incidents.
The joint survey by OT and IoT cybersecurity company Nozomi Networks and Newsweek Vantage interviewed C-level executives at critical infrastructure companies in North America, Europe, and the Asia/Pacific region. It found that 85% of respondents had experienced security incursions into OT networks. Of those, 36% began as incursions in IT or data systems and 32% were physical incursions into OT systems.
Andrea Carcano, Nozomi Networks co-founder and chief product officer, told EE Times, “More than half are cyber incursions into IT systems, but physical incursions into IT and OT systems are very common too, and this is why it’s important to approach security from both a cyber and a physical perspective. Many say that a lack of integration is the main cause of vulnerability.”
The survey also turned up a conundrum: the increasingly common integration of IT and OT networks for greater operational efficiency clearly increases the potential attack surface of individual systems. Yet one-third of respondents cited the lack of such integration as a source of vulnerability.
“Our survey found the more integrated IT, OT, IoT and physical systems are, the greater the degree of security, but because they are so integrated, these systems are more vulnerable to attack,” said Carcano. “Executives have to balance the need for efficiency with the imperative for security.”
The majority of these companies, 88%, have integrated some or all of their IT, OT and physical systems, mostly for improved performance. While that can include faster response to a security breach, only 12% of respondents said they’d integrated to achieve better security of cyber-physical systems. And fewer than a quarter of executives at integrated companies said their existing security systems are adequate.