With the ongoing crisis in Eastern Europe, many questions have been raised about countries using cyberattacks to neutralize opponents or severely reduce the effectiveness of their supply chains. So far we have seen APT groups infiltrate nuclear plants, financial institutions, power transmission infrastructure, smart cities, and data centers. With each attack, hackers draw closer to targeting complex critical infrastructure facilities such as the command and control mechanisms of military hardware related to warhead delivery, ballistic missile defense, space-based communication and disaster management, ship-to-shore communications, and other parts of an integrated command and control infrastructure supporting offensive and defensive military operations.
Such cyberattacks could become the final frontier for sophisticated threat actors, representing the ultimate stage in the evolution of their malware and breach tactics.
Diversification of supply chains presents many opportunities and risks
With global supply chains spanning multiple countries and vendor groups, the standardization of cybersecurity requirements is still a mirage. It is little wonder that hackers have in the past launched extensive reconnaissance missions against companies involved in manufacturing complex military and civilian hardware and systems. They want to infiltrate the supply chains early to get embedded in core and peripheral systems at the firmware level, so that the chances of detection are minimized during integration and the malware can travel to the target infrastructure or command and control systems with ease.
Diversified supply chains often lead to better cost and production efficiencies and improved time to market. However, with the emergence of supply chain poisoning risks, defense and critical infrastructure vendors are looking at revisiting their supply chain relationships from a cybersecurity perspective. Poisoned industrial control systems could, for instance, induce flaws in products that could cause a safety hazard or cause the product to malfunction when needed. When you are talking about the hardware associated with inertial guidance for a missile system, the costs could be enormous.
Latent malware could provide hackers with a bargaining chip or the same malware could be triggered at will by the developer or hackers to cause a geopolitical incident in a tense environment. When embedded in a power plant or a water treatment facility, such malware could hypothetically alter key functions to cause kinetic damage.
Targeting Industrial Control Systems within critical infrastructure
Often it is assumed that ICS systems are air-gapped and therefore do not need dedicated security measures or extensive implementation oversight. Thus, when implementation errors occur, or when the air gaps are bridged and OT protocols move from serial links onto routable networks, these systems become vulnerable to direct attacks. Sometimes, because of the need to deploy large-scale systems in a hurry, systems with known ICS protocol vulnerabilities are adopted without a second thought.
Over time, such vulnerabilities are forgotten until hackers use them to launch complex attacks. In addition to ICS-specific protocols, legacy networking equipment such as switches and routers, as well as HMI units, also require protection. Random placement of firewalls or the use of VPNs induces lag and is not preferred.
Intrusion detection and threat mitigation systems that can prevent the exploitation and weaponization of vulnerabilities (which could otherwise leave multiple parts of the ICS architecture open to a complex attack) should be preferred over traditional systems.
In an attack on ICS devices that operate at the lower levels of the Purdue model, hackers can use techniques such as reverse engineering, modification of control logic, exfiltration of data through commandeered side channels, and bypassing of authentication mechanisms, among others. While this requires extraordinary levels of diligence and patience, some hackers do invest both to exploit vulnerabilities and take over such systems.
Injecting new control logic into a PLC can degrade the integrity and availability of the system, and the attacker can also remove all traces that point to an infection. In another form of attack, an actor could install malicious control logic that causes an engineering application to crash when it attempts to retrieve the control logic from the PLC.
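A defender's counter to the control-logic attacks described above is to treat the PLC program as a monitored artifact: read it back on a schedule, hash it, and compare it with an approved baseline, treating a failed read-back as a finding in its own right rather than silently skipping the device. The following is an added illustrative example, not Sectrio's code or any vendor's product; the PLC names, the instruction-list programs, and the baseline are constructed sample data, and the read-back itself is assumed to be done by the engineering workstation outside this script.

```python
"""PLC control-logic integrity check (added illustrative example, not Sectrio's code).

Assumes the engineering workstation can periodically read back (upload) the
control-logic program from each PLC. PLC names, program bytes and the approved
baseline below are constructed sample data, not output from a real device.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    plc: str
    severity: str
    reason: str


def logic_digest(program: bytes) -> str:
    """SHA-256 of the program bytes; the baseline records this for each approved version."""
    return hashlib.sha256(program).hexdigest()


def check_plc_logic(plc: str, uploaded: Optional[bytes], baseline: Dict[str, str],
                    change_window_open: bool = False) -> Optional[Finding]:
    """Compare a freshly read-back program against the approved baseline.

    Returns None when the program matches the approved digest, otherwise a
    Finding. A failed read-back is reported rather than ignored, because
    malicious logic can be built to make the upload fail or crash the
    engineering tool, which would hide the change from a naive comparison.
    """
    expected = baseline.get(plc)
    if expected is None:
        return Finding(plc, "high", "PLC is not in the approved baseline (unknown or rogue device)")
    if uploaded is None:
        return Finding(plc, "high", "control-logic read-back failed; verify device state out of band")
    observed = logic_digest(uploaded)
    if observed == expected:
        return None
    if change_window_open:
        return Finding(plc, "medium",
                       f"logic changed during an approved change window; re-baseline as {observed[:12]}")
    return Finding(plc, "critical",
                   f"control logic differs from baseline (got {observed[:12]}, expected {expected[:12]})")


def sweep(uploads: Dict[str, Optional[bytes]], baseline: Dict[str, str],
          change_window_open: bool = False) -> List[Finding]:
    """Check every PLC that reported in, plus any baselined PLC that did not report at all."""
    findings = []
    for plc in sorted(set(uploads) | set(baseline)):
        finding = check_plc_logic(plc, uploads.get(plc), baseline, change_window_open)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample programs in a simple instruction-list style.
APPROVED_PROGRAMS = {
    "plc-pump-01": b"LD I0.0\nAND I0.1\nST Q0.0\n",    # start pump only when both permissives are set
    "plc-valve-02": b"LD I1.0\nANDN I1.1\nST Q1.0\n",  # open valve unless the high-level alarm is active
}
BASELINE = {plc: logic_digest(prog) for plc, prog in APPROVED_PROGRAMS.items()}

# Constructed read-back results for one sweep.
UPLOADS = {
    "plc-pump-01": APPROVED_PROGRAMS["plc-pump-01"],  # unchanged
    "plc-valve-02": b"LD I1.0\nST Q1.0\n",            # alarm interlock silently removed
    "plc-mixer-03": b"LD I2.0\nST Q2.0\n",            # device nobody baselined
}

if __name__ == "__main__":
    for finding in sweep(UPLOADS, BASELINE):
        print(f"[{finding.severity}] {finding.plc}: {finding.reason}")
```

In the sample sweep, the pump PLC passes, the valve PLC is flagged as critical because its safety interlock was dropped, and the mixer PLC is flagged because it was never baselined. A real deployment would store the baseline digests in a system the engineering workstation cannot write to, so that an attacker who has already modified the PLC cannot also rewrite the reference.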
With the increasing adoption of IoT-based monitoring in critical infrastructure facilities, multiple entry points for malware emerge. These include devices, gateways, networks, platforms, and even cloud ingress points. Newer IoT devices that have not been tested across a range of scenarios have been deployed across critical infrastructure. These include security cameras, movement monitoring systems, weather monitoring systems, vehicle tracking systems, and many more.
IoT devices with significant compute power could be commandeered to serve as conduits for transferring malware into core systems. Devices with malware-injected firmware could introduce multi-loader malware into networks, opening the door for the assembly and distribution of multiple malware components delivered in small digital packets.
Industrial IoT (IIoT) systems, including automated assembly control and health and safety systems, could likewise be taken over by actors to carry out various malicious tasks.
The potential impact of cyberattacks on critical infrastructure
- Utility agencies could be taken down, leading to loss of power, safe drinking water, and sanitation facilities in cities
- Bad actors could trigger a larger conflict by creating false attribution.
- Loss of confidential data
- Loss of significant capital investments
- Bad actors could also leave stealthy malware behind that could be triggered at will later
- Danger to ecology and environment
How can critical infrastructure be protected?
- CI operators should join hands to share information on best practices and to collaborate on cyber defense
- Attempts should be made to standardize security across supply chains by aligning these standards with frameworks such as Zero Trust and IEC 62443
- Focus on getting the right threat intelligence to detect stealthy attacks
- Table-top exercises should be conducted periodically to test response measures
- Clear structure and workflow to be published around roles and responsibilities and reporting requirements
- Track advisories from CERT teams and other sources of credible threat information
- Maintain visibility into networks at all times as well as an inventory of devices
- Vulnerability management: patching schedules to be followed with discipline
- Micro-segmentation: segment networks to create digital containers so that security policies can be applied at a granular level and the spread of malware contained
- Detect and isolate rogue devices
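Several of the measures above (network visibility, a device inventory, micro-segmentation, and rogue-device detection) come together in a zone-and-conduit model: every known asset is assigned to a zone aligned with a Purdue level, traffic inside a zone is permitted, traffic between zones is permitted only over an explicitly declared conduit, and any flow touching an address that is not in the inventory is reported as a rogue device. The following is an added example written for this page, not Sectrio's code or a product feature; the addresses, asset names, conduits and flow records are constructed sample data, and the flows are assumed to come from a passive collector such as a SPAN port or flow exporter.

```python
"""Zone-and-conduit enforcement check for OT flows (added example, not Sectrio's code).

Models IEC 62443-style zones layered on Purdue levels: every inventoried asset
sits in one zone, traffic inside a zone is allowed, and traffic between zones
is allowed only over an explicitly declared conduit. Flows involving an address
that is not in the inventory are reported as rogue. Addresses, asset names,
conduits and flow records are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed inventory: IP address -> (asset name, zone).
INVENTORY: Dict[str, Tuple[str, str]] = {
    "10.0.1.10": ("plc-01", "L1-control"),
    "10.0.1.11": ("plc-02", "L1-control"),
    "10.0.2.20": ("hmi-01", "L2-supervisory"),
    "10.0.3.30": ("historian-01", "L3-operations"),
    "10.0.4.40": ("erp-01", "L4-enterprise"),
}

# Constructed conduits: (source zone, destination zone, protocol/port) that policy permits.
CONDUITS: Set[Tuple[str, str, str]] = {
    ("L2-supervisory", "L1-control", "tcp/502"),      # HMI polls PLCs over Modbus/TCP
    ("L3-operations", "L2-supervisory", "tcp/4840"),  # historian collects OPC UA data from the HMI layer
    ("L4-enterprise", "L3-operations", "tcp/443"),    # enterprise pulls reports from the historian over HTTPS
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto_port: str


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason) with verdict one of 'allow', 'deny' or 'rogue'."""
    src = INVENTORY.get(flow.src)
    dst = INVENTORY.get(flow.dst)
    if src is None or dst is None:
        unknown = flow.src if src is None else flow.dst
        return "rogue", f"{unknown} is not in the asset inventory"
    src_name, src_zone = src
    dst_name, dst_zone = dst
    if src_zone == dst_zone:
        return "allow", f"{src_name} -> {dst_name} stays inside zone {src_zone}"
    if (src_zone, dst_zone, flow.proto_port) in CONDUITS:
        return "allow", f"{src_name} -> {dst_name} uses declared conduit {src_zone}->{dst_zone} {flow.proto_port}"
    return "deny", f"{src_name} -> {dst_name} ({src_zone}->{dst_zone} {flow.proto_port}) has no declared conduit"


def review(flows: List[Flow]) -> Dict[str, List[str]]:
    """Group reasons by verdict so deny and rogue entries can be routed to the SOC."""
    report: Dict[str, List[str]] = {"allow": [], "deny": [], "rogue": []}
    for flow in flows:
        verdict, reason = evaluate(flow)
        report[verdict].append(reason)
    return report


# Constructed flow records from one collection interval.
SAMPLE_FLOWS = [
    Flow("10.0.2.20", "10.0.1.10", "tcp/502"),   # HMI -> PLC over Modbus: expected
    Flow("10.0.1.10", "10.0.1.11", "udp/2222"),  # PLC <-> PLC inside L1: allowed within the zone
    Flow("10.0.4.40", "10.0.1.10", "tcp/502"),   # enterprise host talking Modbus straight to a PLC: skips levels
    Flow("10.0.3.30", "10.0.1.11", "tcp/4840"),  # historian bypassing the HMI layer: no conduit declared
    Flow("10.0.9.99", "10.0.1.10", "tcp/502"),   # address nobody inventoried reaching a PLC: rogue
]

if __name__ == "__main__":
    for verdict, reasons in review(SAMPLE_FLOWS).items():
        for reason in reasons:
            print(f"{verdict:5s} {reason}")
```

The deny verdicts are the cases where a firewall placed between zones should have dropped the traffic, and the rogue verdict is the cue to locate and isolate the unlisted device; both depend on the inventory being kept current, which is why visibility and inventory appear on the list before segmentation.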
If you are facing any challenge in protecting your critical infrastructure, reach out to Sectrio’s IoT and OT cybersecurity experts.
Join our upcoming webinar: Key Takeaways from the Sectrio’s Global Threat Landscape Assessment Report 2022