Critical national infrastructure (CNI) is under greater physical threat than ever. It is still unknown who was responsible for the attack that destroyed at least 50 metres of the Nord Stream 1 and 2 underground pipelines that once carried Russian gas to Germany.
More recently, Russia has also changed the focus of its conflict in Ukraine to attack energy infrastructure with its own missiles and drones supplied by Iran, known as the Shahed-136. Volodymyr Zelensky, the president of Ukraine, stated in a tweet on October 18 that "30% of Ukraine's power stations have been destroyed, causing massive blackouts throughout the country," and in a meeting with Kadri Simson, the European Commissioner for Energy, on November 1, Zelensky stated that between "30% and 40% of [the country's] energy systems had been destroyed."
Increasing threat to cybersecurity
The conflict in Ukraine and the escalating tensions between the East and West aren't the only significant threats to our CNI, though. A growing cybersecurity threat is also present. The Houston, Texas-based Colonial Pipeline, which transports gasoline and jet fuel to the southeast of the United States, had to halt all of its operations on May 7, 2021, in order to stop a ransomware attack.
Hackers gained access to the company's systems through a VPN (virtual private network) account in this attack, which allowed staff to log in remotely using a single username and password obtained from the Dark Web. Shortly after the attack, Colonial paid the hackers—affiliates of the cyberterrorist organisation Darkside with ties to Russia—a $4.4 million ransom.
A threat group known as Sandworm, which is allegedly run by the Russian GRU's cybermilitary division, attempted to shut down an unnamed Ukrainian power company less than a year later. The State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said in a statement that the attackers "attempted to take down several infrastructure components of their target, including: Electrical substations, Windows-operated computing systems, Linux-operated server equipment, [and] active network equipment."
The attempted intrusion involved the use of ICS-capable malware and regular disc wipers, according to Slovak cybersecurity firm ESET, which worked with Ukrainian authorities to analyse the attack. The adversary also released an updated version of the Industroyer malware.
According to ESET, "the Sandworm attackers attempted to use the Industroyer2 malware against high-voltage electrical substations in Ukraine." It is believed that the victim's power grid network was breached twice, with the first intrusion occurring around the time of Russia's invasion of Ukraine in February 2022 and the second intrusion taking place in April, which enabled the attackers to upload Industroyer2.
Environmental Digitization
It is now beyond question that cybercriminals pose an ever-increasing threat to critical national infrastructure, according to John Vestberg, CEO of Clavister, a Swedish company that specialises in network security software. CNI, such as oil and gas, is a key target for ransomware gangs, he continues. He thinks that energy companies and their suppliers need to use predictive analytics, tools like artificial intelligence (AI), and machine learning (ML), and a more proactive approach to cybersecurity as opposed to a reactive one.
The CEO and founder of Flexxon brand X-PHY, Camellia Chan, agrees: "It's crucial that CNI organizations never take their eyes off the ball." In order to detect every type of attack and contribute to the development of a more effective cybersecurity framework, it is crucial to embrace emerging technology, such as AI, as part of a multilayered cybersecurity solution.
Neither are the well-organized, frequently state-sponsored ransomware gangs CNI organisations deal with the only issue. Part of the problem is that as industrial organisations (including utilities like water and energy companies) digitise their environments, they are much more exposed than in the past to potential security flaws and vulnerabilities.
Grid Edge Danger
The potential for large rewards is one of the things that draws cybercriminals to target energy companies, according to Trevor Dearing, director of critical infrastructure solutions at zero-trust segmentation company Illumio. Many gangs are realising that businesses are more likely to pay the ransom if they can stop the service from being delivered to customers rather than just stealing data, he claims.
He adds that the fact that energy systems no longer only consist of the conventional grid with power plants and power lines is another issue. The "grid edge," which consists of decentralised devices like smart metres, solar panels, and batteries in people's homes and businesses, is what's emerging in its place. When threat actors used a known vulnerability in Cisco firewalls to disrupt communications over the course of about 12 hours in March 2019, the Utah-based company sPower, which owns and operates more than 150 generators in the US, was thought to be the first renewable energy provider to be targeted by a cybersecurity attack.
The inverters in renewable energy systems are one area where they are particularly open to attack. These act as a bridge between solar panels and the grid, converting the DC (direct current) energy produced by PV (photovoltaic) solar panels into AC (alternating current) electricity supplied to the mains. The inverter's data could be intercepted and manipulated in a manner similar to earlier attacks in the US and Ukraine if its software isn't up to date and secure. Additionally, a hacker could insert malicious code into an inverter to spread throughout the larger power system, causing even more harm.
The co-author of a 2018 paper evaluating the cybersecurity risk of solar PV, Ali Mehrizi-Sani, an associate professor at Virginia Polytechnic Institute and State University, claims that hackers can artificially cause a PV system to malfunction in order to launch cyberattacks against the inverter controls and monitoring system.
In November 2020, he told the website PV Tech, "This is a vulnerability that can be, and has been, exploited to attack the power system." Since the technology hasn't yet reached critical mass, the risk of a cybersecurity attack on solar power networks is currently low.
However, as the industry becomes more decentralised, with solar panels installed in public spaces and on top of buildings, managing networks will depend more and more on strong, cloud-based IoT security.
Greater Control
Implementing standards is one way that both organisations and governments can guarantee the highest levels of CNI protection. The ISO 27001 family of standards for information security management systems (ISMS) are required of all network providers, operators, and other CNI businesses in Germany, for instance, and there are obligations set forth in the UK's BSI Criticality Ordinance to demonstrate a comprehensive IT security strategy to secure the operation of critical infrastructure.
Similar to how NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) governs critical infrastructure in the US, this set of regulations only applies to the electricity sector and excludes the oil and gas sectors. Cliff Martin, head of cyber incident response at GRCI Law, a legal, risk, and compliance consultancy firm, asserts that personnel in charge of CNI must receive the appropriate training and comprehend that their actions may have real repercussions. This means they are unable to simply transfer existing traditional IT cybersecurity measures to the IT environment because that is simply not how it works.
But according to Illumio's Dearing, an increasing number of businesses are creating a single strategy for both OT and IT environments. "He explains that the secret is to prepare as though you will be attacked. An attack on one part of your infrastructure won't necessarily have an impact on the other parts if you segment it by separating out all the various components."
Companies have been made aware of the physical threat to energy infrastructure, especially during the coldest months of the year in the northern hemisphere, thanks to the conflict in Ukraine and the attacks on the Nord Stream pipelines. That's not the only issue, though. Attacks on CNI's cybersecurity are on the rise, in part due to a rising threat from nation-state actors but also because cybercriminals are becoming more aware of the potential financial rewards of depriving customers of a crucial service. The convergence of OT and IT technologies is also giving cybercriminals a potentially much bigger attack surface to work with.
While historically security has not been viewed as a crucial factor for OT, this needs to change with a greater focus on technical solutions like network traffic segmentation and continuous monitoring. Only then will businesses be able to stop a potentially catastrophic breach to CNI.