By John Thompson, Journalist, Infrastructure Magazine
In recent years, critical infrastructure around the world has proven vulnerable to new and sophisticated cyber attacks. In her presentation at the 2022 Digital Utilities conference, Associate Professor in Cybersecurity and Networking at Flinders University, Elena Sitnikova, discussed the challenges facing critical infrastructure companies and how they can best prepare against new and emerging cyber threats.
Instances of known cyber crime have increased by 50 per cent since the COVID-19 pandemic and incurred a record $323 million in losses for Australian business during 2021.
In her presentation, Dr Sitnikova highlighted three major attacks on critical infrastructure owners carried out between 2020 and 2021, including the ransomware attack that crippled BlueScope Steel’s global production systems in May 2020, the now-infamous Colonial Pipeline hack the following year, and a hacker’s attempt to poison Florida’s water supply by adjusting the system’s sodium hydroxide levels in March of that same year.
Dr Sitnikova suggested that organisations’ growing transition to ‘greenfield’ or otherwise new and untested cyber-physical systems, motivated by the restrictions incurred by the COVID-19 pandemic, had exposed operators to new and unknown risks.
Though advancements in Information Technology (IT) systems have allowed for new efficiencies and better productivity, Dr Sitnikova urged companies to exhibit caution and vigilance when introducing new systems, highlighting three of the most common dangers facing critical asset owners today, and how best to prevent them tomorrow.
Protecting against common threats
Dr Sitnikova suggested that malware infiltration, phishing attacks, and vulnerabilities in external devices are among the most common and pervasive methods for carrying out cyber attacks on critical infrastructure today. According to findings presented by Dr Sitnikova, these attacks are becoming increasingly common due to the rapid adoption of new technology, but there are some proactive solutions for mitigating these threats.
Malware infiltration
Untargeted malware, as the name suggests, is malware that does not target specific industries, groups or users, instead casting a broad net and prioritising the quantity of infections over the quality of those affected.
Though unsophisticated in nature, these attacks have become a growing threat as more and more employees are given remote access in support of them working from home, exposing their company to any malware unwittingly installed by family members or on personal devices.
Fortunately, Dr Sitnikova said, protecting these systems from untargeted attacks is made easier due to their standard software. “IT systems are well positioned when it comes to preventing cyber attacks because they’re working with standard security protocols,” she said.
“However, it’s still very important to make sure you understand and protect your systems by installing malware detection software and educating personnel in cybersecurity basics.” Of greater concern, Dr Sitnikova suggests, are outdated ‘legacy’ protocols such as Modbus and DNP3, and standards such as PROFIBUS and PROFINET, often used by automated industrial technology.
“On the operational side, legacy systems also use legacy protocols. We can see that many systems are still using Modbus, PROFIBUS, PROFINET,” she said. “The equipment is so diverse. So when we talk about security, we need to have disparate systems to deal with the complexity of different vendors, systems and offerings.”
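Modbus/TCP, named above as one of the legacy protocols still in wide use, carries no authentication field at all, so any host that can reach a PLC can issue a write. The defensive compensation is network-level monitoring. The following added example (not from the presentation or the article) parses the MBAP header of a Modbus/TCP request and raises an alert when a state-changing function code arrives from a host outside a hypothetical engineering-workstation allowlist; the frames and IP addresses are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus function codes that change PLC state; 1-4 are reads and are not alerted on.
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hypothetical allowlist: only the engineering workstation may write (assumed value).
WRITE_ALLOWLIST = {"10.0.10.5"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus function code and start address.
    Note there is no credential or signature anywhere in the frame."""
    if len(payload) < 10:
        raise ValueError("too short for MBAP header + function code + address")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    function_code = payload[7]
    address = struct.unpack(">H", payload[8:10])[0]
    return ModbusRequest(tid, unit_id, function_code, address)


def check_write(src_ip: str, payload: bytes) -> Optional[str]:
    """Return an alert string for a write from a non-allowlisted host, else None."""
    req = parse_modbus_tcp(payload)
    if req.function_code in WRITE_FUNCTION_CODES and src_ip not in WRITE_ALLOWLIST:
        return (f"ALERT: {src_ip} sent {WRITE_FUNCTION_CODES[req.function_code]} "
                f"(FC {req.function_code}) to unit {req.unit_id} at register {req.address}")
    return None


# Constructed sample frames (not real captures):
# FC 6, Write Single Register: unit 1, register 0x0010, value 0x03E8.
SAMPLE_WRITE = bytes.fromhex("000100000006" "01" "06" "0010" "03E8")
# FC 3, Read Holding Registers: unit 1, start 0, count 2.
SAMPLE_READ = bytes.fromhex("000200000006" "01" "03" "0000" "0002")

if __name__ == "__main__":
    for src, frame in [("10.0.10.5", SAMPLE_WRITE), ("192.168.1.77", SAMPLE_WRITE),
                       ("192.168.1.77", SAMPLE_READ)]:
        print(src, check_write(src, frame))
```

In practice the same check would run over frames taken from a SPAN port or a passive OT sensor, which is exactly the data-log and alerting role Dr Sitnikova attributes to OT security vendors later in the article.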
Phishing and ransomware
Phishing attacks attempt to mislead employees into unknowingly installing malware by impersonating legitimate correspondence (such as emails) with seemingly innocuous links or attachments. Though best known for its use in spam emails from supposed Nigerian princes offering untold fortunes, phishing has, Dr Sitnikova suggests, since become increasingly sophisticated.
“They’re made really cleverly. So people sometimes can’t differentiate between true email and not true email, so they click on attachments or links provided to them,” she said. “And what we’ve seen that really scares people who are working in this area, like myself, is that special malware like Triton has been created to specifically target safety instruments, systems and safety instrumented system controllers.”
“This is very important because safety isn’t machinery, it’s people whose lives could be in danger.” Phishing attacks, much like malware, often result from user error, according to Dr Sitnikova, who said employee education programs are the best way to prevent or mitigate potential attacks.
“As you can infer from these threats it’s not just technical issues, it’s human errors. So what we suggest is introducing organisational policies and promoting security awareness,” she said. “You have to explain how to use emails. You have to have a policy on how to use external devices. For the technical side, you have to set up users’ client privileges, endpoint security and virus protections.”
“Other threats we’ve seen have occurred because of incorrectly configured software or hardware. But for the people who are using these systems, that might be employers, they can still intentionally or unintentionally compromise their systems. So to be safe you have to configure your software and hardware from unauthorised access, and keep these up to date.”
IIoT vulnerabilities
New networked technologies have pioneered efficiencies in the critical infrastructure space, especially those equipped with GPS tracking or communication features. However, in the race to bring new and exciting products to market, Dr Sitnikova argues, the manufacturers of these products have implemented poor or impracticable security features and in turn exposed operators to higher risk.
“Organisations are increasingly using different technologies that feature real-time or passive tracking systems using GPS,” she said. “These new technologies specifically use new communication protocols through a variety of connections like Wi-Fi or cellular data.
“But in order to be first to the market, they are often built with no security in mind, use poor code and often prevent users from installing basic updates or security patches.
“One of our main recommendations for cyber security is installing regular patches and updates, but doing so through these systems is made to be very hard for the user.”
In response, Dr Sitnikova’s research team has developed the Brown-Industrial IoT testbed, an innovative tool for insulating against poorly protected, yet necessary, third-party products. Acting as a firewall, the testbed was found to have a high probability of detecting and preventing cyber threats, including spoofing and DDoS attacks.
“Our testing showed that the proposed model scored well in accuracy, recall, precision, and failure rates,” Dr Sitnikova said.
‘Don’t think it won’t happen to you’
Dr Sitnikova challenged those who assumed they were immune from cyber attacks or threats. “If you’re a business manager or a security personnel thinking everything is done in your computer and you are not a target, you are wrong, because you are,” she said.
“Attackers are using sophisticated methods and they’re very much ahead of everybody else trying to find out the weakest link, where they can compromise.”
Dr Sitnikova said companies should work with IT and Operational Technology (OT) specialists to inform best-practice solutions and ensure competent outcomes. “We already have some vendors providing you with data logs and prevention, and actually are alarming you when something goes wrong.
“It’s not just collecting the data, it’s how you interpret it and implement controls. You have to not only think about the technical measurements and technological solutions for your systems, but to use a holistic approach.
“You must implement cybersecurity strategies, cybersecurity legislations and policies, tactics, risk management. This is all part of your security for critical infrastructure.”
To learn more, download Nozomi Networks’ report, Protecting OT/IoT critical assets from cyberattacks.