Threat Vulnerabilities and Prevention in Critical Infrastructure

Sept. 10, 2021
Organizations are combining aspects of physical and online security as an industry best practice

Our world has digitally evolved faster than the most fundamental industries. This circumstance has created a suitable breeding ground for cybercrimes to flourish. Utilities, communications, energy, food and beverage, manufacturing, transportation, and other industries are critical infrastructure facilities having to face the challenges of the ever-changing digital landscape. They are dramatically expanding their exposure with the keeping of legacy systems, quick adoption of new technologies, IoT, and smart devices.

Society is dependent on critical infrastructure facilities. Much of our facilities were designed before digitalization which leads to inherent vulnerabilities. Moreover, many conventional methods of protecting these systems from cyberattacks are now viewed as outdated or pointless. Attacks by cybercriminals have grown to be more advanced year after year. Likewise, the number of people employed to spearhead such online conflicts continues to grow. Complex and well-funded cyberattacks heighten day by day, targeting most businesses, government entities, and critical infrastructure facilities. 

The Evolution of Cybersecurity Threats in Critical Networks

While a focus on cyber defense is on the rise, traditional cybersecurity methods remain prevalent. As a result, threat actors stand to benefit significantly by exploiting decades-old infrastructure weaknesses. Unfortunately, cybersecurity can sometimes become less predominant to companies in favor of generating profits. Many businesses also outsource functions that are not relevant to their core competencies. As a result, there is a complex mesh of technologies and services driving an increase in loopholes and vulnerabilities for any attack to surfaces.

Control systems are caught in a time loop between an analog past and a digital future. Most security systems can notify an operator if a physical abnormality is detected concerning predetermined parameters. However, there is no way of knowing whether an operator or an opponent set said parameters. Once the attacker obtains physical access to network-connected devices, the number of defenses and strength of applied endpoint protections will decide how far the attacker will go with data theft or exploitation of physical and digitals assets. 

State-level cyber hacks are distinguished by targeting essential infrastructures, such as public transit networks, large-scale buildings, power plants, dams, water supplies, just to name a few. Any damage to or interruption of such necessary infrastructure caused by infiltration brings enormous harm to society. In addition, the network of different devices and systems, as illustrated by the spread of IoT and mobile telecommunications, raises more demand for security in the critical infrastructure facilities sector.

Governments, businesses, and other organizations will be held accountable for implementing cyber and physical security measures, especially in the critical infrastructure facility sector. Attacks on critical infrastructure facilities are one of the greatest threats to our national security. Additionally, the essential infrastructure system software is often dominated by third-party vendors, which organizations must rely on. This system means vulnerabilities often go unnoticed.

Digitalization advances and the use of third-party software vendors (operating systems for example) contribute to the rise in danger to public infrastructure, different industries, and even normality in every life. Therefore, when considering the potential impact of cyberattacks capable of causing harm to critical infrastructure, the need for cybersecurity and preparedness cannot be overstated. 

Nuclear Energy Facilities Vs Pipeline Control Systems

Early in my career, I was employed by an energy utility company, which operated power plants along with two nuclear power plants. Industrial control systems are critical components for such critical facilities. These control systems are many times “out of band”, and not connected to outside internet systems. This is for ensuring data transfer in a more secure way and limit exposure to potential malware infiltration. In the case of the Colonial Pipeline compromise, it appears that computer systems reading parameters from the pipeline, such as pressure and speed, also had the ability to write back to the Industrial Control Systems, and therefore Colonial had to shut down and restart all systems, some to be rebuild. This issue is very common. Many critical infrastructure providers do not have a separation from read/write systems, but it is one network of systems doing both, taking data and writing commands to adjust it. In case of a compromise threat actors then have full access to industrial control systems and can disable or even cause an explosion of them.

Learning From Real Attacks and Vulnerabilities 

 Cyberattacks play a significant part in cases of critical infrastructure loss (global monetary losses from cybercrime in 2020 alone was nearly $1 trillion). The types of assaults are expanding. It is becoming more diverse and advanced year after year. In mid-2020, cybersecurity firm Onapsis release details about vulnerabilities found in Oracle's E-Business Suite (EBS). Problems like account takeovers and financial fraud might occur if patches in these systems are not addressed. This caused quite a scare for many businesses and organizations relying on Oracle EBS for business operations. Most were firmly advised to conduct an early evaluation to ensure that they are not at risk to these vulnerabilities. They were also encouraged to deploy patches on the onset. The two vulnerabilities, CVE-2020-2586 and CVE-2020-2587 could enable a threat actor to create updates on the general ledger program contained in Oracle's EBS. They can even steal or modify important business information or erase data as part of a ransom campaign.

It should be highlighted that conventional GRC tools and other standard security approaches such as firewalls, access controls, and so on, do not help to prevent this type of attack on the susceptible Oracle EBS systems. If organizations have internet-facing Oracle EBS systems, the potential harm would be significantly more significant. Those affected by the infiltration will be left unaware of what transpired. Most won’t know the amount of the damage until a thorough internal or external audit is done to obtain evidence.

On the other hand, the cyber breach that brought down the country's primary fuel pipeline and caused shortages along the East Coast resulted from a single hacked password. Hackers obtained access to Colonial Pipeline's networks using a virtual private network account that allowed employees to access the company's computer network remotely. At the time of the attack, the account was no longer in use, but it could still be used to access the company’s network.  The VPN account, which has since been terminated, did not use authentication methods, an essential cybersecurity measure, allowing hackers to access Colonial's network with only a compromised login and password.

The network distributes approximately half of the petroleum supply on the East Coast. A lengthy outage would have resulted in price spikes and shortages throughout the industry. Fortunately, this was avoided when the pipeline was restored within a week. Energy systems and suppliers are among the most targeted by ransomware and cyber threats. The cybersecurity of America's energy infrastructure had been a significant concern in recent years.  

Possible Ways to Mitigate Cyberattacks Could Prove Disruptive

 Cybercriminals are constantly developing new strategies; preventive measures tend to fall one step behind. That is true not only for critical infrastructure security but also for information security measures in general. It is critical to acknowledge that cyberattacks are real-world threats that target control systems, even those previously untargeted. Therefore, genuine efforts must be made into security measures, especially critical infrastructure facilities that could hamper vital processes. 

To prevent attacks, a dynamic security perimeter must be built around crucial networks critical for operations and the employees and operators. These advanced attacks need a risk-based, layered approach to cybersecurity to mitigate any risk. Digitization requires a defense-in-depth strategy. That covers various characteristics and components to defend against both known and undiscovered attacks online and on-premise. Companies must urgently strengthen their entire security policies and systems to protect their intellectual and physical assets. To discuss further, here are some keynotes that could prevent and minimize a wide range of potential threats in critical infrastructure facilities.

Segmentation

Protection for Critical Processes

The most catastrophic cyber-attack in operational technology or industrial control system networks begins as a basic intrusion by installing simple malware. Once infested, it is then allowed to proceed until some form of disruptive or destructive physical attack is carried out. The Stuxnet attack 10 years ago was a typical example of this type of physical attack meant to damage the target infrastructure. Cyberattacks that reach this stage pose a significant threat safety and disruption of everyone depending on it. 

Continuous signal-integrity monitoring of vital physical assets is critical to avoiding these devastating outcomes, even in the face of successful OT network breaches. Cyberattacks on physical infrastructure must not progress to this point. Continual signal-integrity monitoring is intended to protect against such attacks and their repercussions. It is a computerized security system.

Unified Protection Strategies

Many businesses are combining the many parts of physical and online security as an industry best practice. This method connects the process and security environments to handle security problems from the control room to the facility perimeter—protecting all assets in the whole operation. Robust devices, such as video surveillance, access control, perimeter intrusion detection, command centers, firewalls, breach detection, and more, are used in security programs to provide an effective means of protecting critical infrastructure facilities. Although many of the tools have been used as stand-alone capabilities for some time, the ability to integrate them into a unified system provides significant synergies and benefits. 

Having such an integrated security solution allows top management leaders to focus on other aspects of a facility's safe and secure operation while ensuring their ultimate safety goals are addressed. Certain levels of security in this method can prevent problems from occurring in the first place. Others can give detection, alerting, and associated recommendations. In addition, the technique improves critical security features such as access control for real-time mustering in an emergency.

Furthermore, employees play a significant role in cyber threat protection. Therefore, it is critical to keep them informed about the threat landscape and provide them with the appropriate cybersecurity tools and solutions. This statement also emphasizes the significance of sharing threat and event information with other government and business organizations operating in vital areas.

Incident Response

During critical situations, advanced incident workflow tools guide workers and employees through the decision-making and reaction process. They assist in decreasing risk, promote continuity, and boost productivity by seamlessly integrating emergency operations with safety and security systems. Authorized users, for example, can conduct a variety of activities, from a single bulk message to important people or personnel involved. That comprises automated or manual surveillance camera control and unlocking and shutting doors or gates to provide first responders access to essential areas when a physical attack occurs.

A site vulnerability assessment is an initial stage in any plant-wide security strategy to identify potential gaps in protection. Understanding a facility's site is critical to evaluating its needs. Organizations must be acutely aware of not only the physical architecture of the facility but also of how people behave within that environment. The assessment will also investigate the consequences of a security breach and how it can affect security professionals and process operators. Finally, a detailed understanding of the most recent security technologies is required to establish threat mitigation procedures and close identified security gaps.

Final Thoughts

There have been numerous cybersecurity incidents initiated because of poor practices amongst critical infrastructure facilities. Additionally, it should be remembered that a network's cybersecurity is only as robust as the weakest device connected to it. When those devices are utilized in high-risk areas, such as critical infrastructure, the implications of a compromise may be far-reaching, with the ability to bring down much more than simply a substation or other facility. Identity management and Access Controls should be on top of the priorities, as we have seen at the Colonial Pipeline attack. It should be the highest priority of businesses and organizations to provide the highest level of security required to protect the overall system from the potentially disastrous implications of cyberattacks. 

About the author: Dr. Ondrej Krehel is the Founder and CEO of LIFARS. Dr. Krehel is recognized worldwide for his Digital Forensic expertise and Ethical Hacking. He actively participates in many high-profile engagements around the world whereby his proprietary methodology is leveraged to achieve the most rapid root-cause analysis and remediation. He is a former lecturer at FBI Training Academy and Chief Information Security Officer of IDT911, the nation’s premier identity theft recovery and data breach management service. He previously led forensic investigations and cybersecurity consulting at Stroz Friedberg encompassing US government engagements and missions, including military cyber special operations.

About the Author

Dr. Ondrej Krehel | Founder and CEO of LIFARS

Dr. Ondrej Krehel is the Founder and CEO of LIFARS. Dr. Krehel is recognized world-wide for his Digital Forensic expertise and Ethical Hacking. He actively participates in many high-profile engagements around the world whereby his proprietary methodology is leveraged to achieve the most rapid root-cause analysis and remediation. He is a former lecturer at FBI Training Academy and Chief Information Security Officer of IDT911, the nation’s premier identity theft recovery and data breach management service. He previously led forensic investigations and cybersecurity consulting at Stroz Friedberg encompassing US government engagements and missions, including military cyber special operations.