2017 saw some of the most sensational and devastating cyberattacks in history. From the Equifax breach, widely considered the most devastating cyberattack in history, to the Bad Rabbit ransomware epidemic, hackers have diversified their tactics and capitalized on a wide spectrum of vulnerabilities to wreak havoc on whole industries.
While all kinds of organizations, from government agencies to multinational corporations, have been victimized by cyber criminals over the past year, the danger to national critical infrastructure is the most pressing threat, in both exploitable vulnerabilities and potential damage of an attack. Identifying the patterns and trends of recent hacks can give insight into what methods hackers will likely employ over the coming year.
Understanding the Vulnerability of National Critical Infrastructure
Critical infrastructure is exposed in a number of ways. The first has been manifest by the trends in technological development over the past several years. Over the past several years, an important shift has occurred within the operations protocols for running the critical infrastructure of most modern nations.
The machines and systems used to handle everything from water movement to electrical power to healthcare facilities has turned from being manually and analog-operated to completely digitized. These digital systems both control the infrastructure and collect and store data on their operations.
While this has certainly had its benefits by increasing efficiency and operational scale, the move has also exposed critical infrastructure to threats from criminals and other malicious actors in the cyber sphere. Furthermore, due to the rapid spread of digitization, the industry must now deal with a significant shortage of experts with the requisite skills to secure the infrastructure in its new digital platform. Since cyber has taken over control systems, there is a need for analysts who understand both digital security and control system technology.
The threat of equipment being hacked at various points along the supply chain has increased the risk to critical infrastructure. “Supply chain hacks,” as they are often referred to, includes compromising both hardware and software at some stage before it comes into possession of a user. Hackers have been known to use this tactic targeting critical infrastructure, in particular.
The 2014 series of HAVEX Trojan hacks stand as a strong example. Cyber criminals were able to hack into the sites of program developers and digitally poison download commands on various sites that hackers assessed would be visited by critical infrastructure firms. This has proved to be a significant liability for many Western nations.
Other factors contributing to the increased threat include the expanded market for malware tools via the dark web, as well as tendencies within industries dealing with critical infrastructure failing to update operating systems, a problem that profoundly contributed to the WannaCry epidemic (see below).
The Growing Trend
In short, the potential exposure of critical infrastructure is real. The attempts, many of which have been successful, of hackers to capitalize on these weaknesses serve as a testament to this.
Attacks demonstrating this vulnerability are not altogether new. The U.S., for instance, for years fended off Iran-backed hackers targeting its critical infrastructure before the current “cold peace” attained through Obama’s nuclear deal. The Iranians had a few significant successes over that period, including the infiltration of the computer systems controlling a major dam in upstate New York in 2013. The hackers would have been able to release the water held back by the dam if not for the fortunate fact that the sluice gate had been manually disconnected from the digital grid for maintenance purposes.
There were also several high-profile attacks on critical infrastructure in 2017. Arguably the most severe instance was the WannaCry epidemic. In the May series of attacks, hackers unleashed a ransomware program that targeted British National Health Service (NHS) hospitals, among other victims. Unable to access their data, many NHS facilities grounded to a halt and were forced to turn patients away.
The WannaCry epidemic highlighted the particular vulnerability of organizations in charge of critical infrastructure. It was later discovered that hackers were able to penetrate NHS and other systems by exploiting a long-existent flaw in old versions of the Windows operating system.
Ironically, Microsoft had made a patch for the flaw publicly available after company analysts had discovered it months before the WannaCry epidemic. In an analysis of critical infrastructure attacks over the past several years, researchers of the Organization of American States found that half of all successful hacks were due to vulnerabilities left by unpatched programs.
The year ended with another surprising attack on critical infrastructure, this time in an as-of-now unspecified location in the United States. In early December, hackers deployed malware designed to manipulate industrial safety systems against an electrical power station equipped with Schneider Electric brand machinery.
In a report on the attack issued by Mandiant, analysts stated that hackers had developing the malicious programs, dubbed Triton, in order to cause “physical damage” to power stations and shutdown operations.
Highly reminiscent of the Iranian attack in New York nearly five years ago, Triton is representative of a growing trend that is indicative of the direction hackers will likely be moving in the near future — namely attacks that disrupt the physical functioning of infrastructure systems. As cyber researchers from Dragos related, “the tradecraft displayed is now available as a blueprint to other adversaries,” and that Triton “represents an escalation in the type of attacks seen to date, as it is specifically designed to target the safety function of the process.”
Formulating a Response
Compounding the danger of the vulnerabilities is the suspicion that rogue state sponsors are the primary culprits behind many of these attacks. Both the U.S. and the UK, for instance, reached the conclusion that the North Korea-affiliated Lazarus group was behind the WannaCry catastrophe. The recent Triton attack was also assessed by Mandiant, in the above-referenced report, to be the work of an “actor sponsored by a nation state.”
In the face of this escalating threat, governments have begun to formulate new policies to correct these vulnerabilities. Already in October, legislation was introduced in the U.S. requiring security and intelligence arms in Washington to give an all-encompassing assessment of the digital grid.
The bill requires several federal agencies and their heads, including the Director of National Intelligence, the Secretary of Energy, and the Secretary of Homeland Security, to team up and produce a report delineating the risks to critical infrastructure and how to correct them. What is important about this legislation, in particular, is that it lays the groundwork for Washington to potentially regulate private industry dealing with critical infrastructure systems.
This may be a welcome change. Considering that many of the dangers to critical infrastructure come from outdated operating systems, standards of application, and program security, it would likely help to have enforceable standards across the whole sector.
Defining the Problem
Even if countries pass legislation to create new rules on operating critical infrastructure, countries will still be left with the more basic problem of defining what actually constitutes critical infrastructure. This is absolutely essential from a strategic perspective. If the international community has correctly assessed that the emerging criminals and state-backed hackers will focus on critical infrastructure, then it is vitally important to determine what targets are included in this category. This is no simple task, for a variety of reasons.
First off, industries are resistant to having themselves branded as critical infrastructure, out of concern that this designation will ultimately lead to more governmental control. Take, for example, the announcement of former Secretary of Homeland Security Jeh Johnson defining state and local elections as critical infrastructure. Johnson faced strong opposition from some state election officials claiming that this would spell a federal takeover of the electoral process.
In the end, a comprehensive effort by the U.S., or any country, will involve a balancing act of weighing private and local government autonomy against national security concerns. What seems to be certain, however, is that with critical infrastructure now at the top of cyber risks, the challenge of securing these systems will grow more difficult. It is now incumbent on firms involved in operating and contracting for these systems to look to the future and plan how to meet that challenge successfully.