When we think about cyberattacks and malicious hackers, we often think in terms of our own personal lives and our own organizations. In my experience in cybersecurity, I often hear people say “Why would hackers target me? We are too small” or “I’ve never been affected by a cyberattack, so it’s not really something I’m interested in.”
The reality is that cybercriminals may be targeting you not because of your size but because of who your customers and clients are. Although you may not have noticed it, we are all affected by the increasing number of cyberattacks, the threat of which is only increasing.
Attacks on SCADA and CNI
We have long known that the possibility of attacks on Supervisory Control and Data Acquisition (SCADA) systems was a very real threat to our modern way of living. These systems routinely control how power, water, nuclear, manufacturing, and oil and gas are managed and distributed, forming part of our Critical National Infrastructure (CNI). Attacks on CNI are nothing new, and there are examples where these digital attacks have the potential of affecting our lives in very real ways.
The Stuxnet worm raised the attention of every cybersecurity practitioner in the land. Almost like the plot line of a spy thriller movie, this computer worm, once installed on the network, sought out specific software on computers controlling programmable logic controllers (PLC). It was programmed to hide its presence as it caused the fast-spinning centrifuges to tear themselves apart, making it one of the first forms of malware which impacted the physical world. Stuxnet was highly effective in its targeting of control systems. It is thought to have infected over 200,000 computers and physically damaged 1,000 of them.
What is important to note is that, in order to get their weapon into the plant, the attackers launched an offensive against computers owned by four companies. These were most likely selected because of their involvement in the manufacturing of products and systems used in the control systems.
It is understood that the attacks against the Iranian facility were carried out in order to disrupt the creation of nuclear materials and was most certainly a state-sponsored attack. However, not all attacks on CNI are state sponsored, as we discovered this year.
On May 7th 2021, the pipeline which transports gasoline and jet fuel across southern USA was the target of a ransomware attack that ultimately resulted in its owner, Colonial Pipeline, paying over $4 million to the cybercriminals. When the attack occurred, Colonial Pipeline shut down services, which led to fuel shortages up and down the East Coast. Following the attack, President Biden signed an executive order to strengthen the cybersecurity defenses of the United States’ critical infrastructure industries.
This attack followed the high-profile SolarWinds incident that affected thousands of organizations including government agencies around the world. It is believed that the motivation behind this attack was state sponsored and not by a desire to make money.
Our Digital Lives
We need to recognize that attacks on CNI are undoubtedly going to continue if not increase over the coming years as we continue to rely upon technology in all aspects of our lives from banking through to national health, power, and other utilities. Worryingly, according to a survey of over 250 organizations in this sector published by security consulting firm Bridewell Consulting, “86% of organisations have detected cyberattacks on their OT/ICS environments in the last 12 months” and “Nearly a quarter (24%) have experienced more than 5 successful attacks.”
What Can We Do to Protect CNI?
As with most things in cybersecurity, the answer is investment, but not just money. Both time and money are required if we are to understand the vulnerabilities in our technical infrastructures and also our people. The report from Bridewell states that new methods of security testing, investment in cybersecurity technology, and regular patching and updates will be a focus moving forward. But what about our people? And what about third-party suppliers?
New ways of monitoring, detecting, and preventing cyberattacks are needed. We are living in a world that is now accustomed to using various managed services, so merely investing in regular penetration testing is no longer adequate.
Training staff to understand their part in the protection of an organization is essential. So too is understanding the impact of a breach if we are to decrease the likelihood of an attack.
We also need to have a far more robust approach to third-party management and understand who we are letting through our physical and digital front doors. When organizations tell me that they are too small to be a target, I always ask them about their customers and clients. Who do they serve? What access do they have into those organizations?
If the company works with any CNI sector, then it must be assumed that they are a potential target for cybercriminals, state-sponsored or otherwise.
Everything in the digital world is a virtual entity that impacts our physical world. Whether it is the monetary systems or other systems that we use to control our comforts, as we strive towards faster and more automated ways to enhance our lives, we must take the time to consider what our world would be like in the unfortunate event of a crippling compromise to any of those systems. This requires considerable investments, not only in money but also in dedication towards better security. If we don’t invest in it and focus on those that support CNI, then there is a very real risk we are all going to be impacted in a tangible way.
About the Author: Gary Hibberd is the ‘The Professor of Communicating Cyber’ at Cyberfort and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger, and international speaker on everything from the Dark Web to Cybercrime and Cyber Psychology.
You can follow Gary on Twitter here: @AgenciGary
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.