Critical infrastructure is a growing target for cyberattacks by nation states and hired hands.
While businesses and organisations have historically been the targets of cyberattacks in general, recent developments in technology along with geopolitical shifts mean nation states are paying close attention to cyberspace like never before.
A recent study showed that 73pc of industrial systems were able to be penetrated and 82pc of successful infiltrations created the possibility to access the broader network and internal control systems (ICS) equipment. ICS includes technologies used to manage power, water, oil and gas among other things. Critical and connected infrastructure is now a major target.
Carson Sweet, CTO and co-founder of CloudPassage, explained why countries are using these tactics more than ever before in modern conflicts: “Cyberattacks are faster to execute; far less expensive, both financially and in terms of human life; are lower-risk from a political standpoint; and are orders of magnitude easier to obfuscate.”
He added that the wide availability of cyber mercenaries – talented, experienced attackers for hire – is a major factor. As well as this, dark web marketplaces where exploits can be obtained are key. “This means that even nation states without particularly well-developed cyber war capabilities can launch effective cyberattacks with relative ease.”
These factors make cyberattacks very attractive for both nation states with established capabilities, and factions seeking to outsource attacks to cyber mercenaries.
A great equaliser
Brian Contos, CISO and vice-president of security strategy at Verodin, said: “Cyber acts as a great equaliser. There is no need to be a nation state with an extremely powerful, traditional military to launch an effective attack.
“A notable difference between leveraging cyber for war juxtaposed with an air for example is that cyberattacks aren’t limited to nation states – they can include minor actors such as cyber-criminals, hacktivists and terrorist organisations.”
With new developments come a whole host of new risks, and attacks can become more frequent, more efficient and more cost-effective. Sweet said targets already include a wide array of areas, from utility infrastructure and financial service to cutting-edge scientific data, Sweet said. “We just saw indictments of individuals associated with the Islamic Revolutionary Guard Corps for cyberattacks resulting in the theft of 31 terabytes of academic data and intellectual property.
“The most alarming new risks pertain to the explosion of internet-connected devices and facilities – self-driving automobiles, wearables, medical devices, smart electrical grids etc. Controlled by computer software and of course managed by back-end systems that can impact vehicles and devices en masse, the risks associated with cyber warfare actions against devices and facilities that can cause harm or death to humans changes the stakes completely.”
While most people are familiar with cyberattacks on a consumer or business level, when it comes to nation states, the scale is much larger.
Various attack vectors
DDoS attacks in order to disrupt critical operations are common, but Sweet said another more subtle version of this is possible through data poisoning, the barely detectable but significant modification of data. “This attack vector is particularly diabolical in that it impacts many downstream processes and may take years to detect.”
Theft of sensitive information could also be seen as a modern form of intelligence gathering. Financially motivated attacks, while not strictly an element of warfare, can still have a devastating effect.
Contos explained that critical infrastructure attacks can weaken a target for a sustained amount of time. “An attack that brings down even a portion of the electric grid could result in alternative sources of energy and other facets of critical infrastructure like water, transportation and sewage shutting down; supply chains breaking down for everything from food and water to gas and emergency supplies; communication outages; civil unrest; and emergency services like hospitals, fire departments and police being overwhelmed.”
He added that many industrial control system components run operating systems that hit their end of life more than a decade ago, such as Windows NT 4.0, which Microsoft officially withdrew support for about 14 years ago. On the other hand, newer systems have weaknesses yet to be discovered.
“Given that these attacks are easier, faster to carry out, use readily available talent and technology, and are very easy to cover up, any nation state considering offensive or retaliatory tactics will absolutely consider them,” warned Sweet.