Narong Jongsirikul - Fotolia
The US has accused the Russian government of carrying out a coordinated and deliberately targeted cyber attack campaign on US power suppliers and other critical infrastructure organisations that US officials say dates back at least two years.
The accusation coincided with the announcement of US sanctions on nine Russians and five Russian groups, including Moscow’s intelligence services, for meddling in the 2016 US presidential election and other cyber attacks, including the NotPetya attacks in 2017, reports Reuters.
The US condemnation of Russia also coincided with a New York Times report that a petrochemical company with a plant in Saudi Arabia was hit by a new kind of cyber assault in August 2017 that was not designed to destroy data or shut down the plant, but to sabotage the firm’s operations and trigger an explosion, which was avoided only because of an error in the attack code.
According to a security alert issued via the US Computer Emergency Readiness Team (US-Cert), Russian government cyber attackers tried to penetrate US critical infrastructure providers, including energy, nuclear, water, aviation and manufacturing firms, to gain information about IT management and industrial control systems, reports The Guardian.
The alert, issued by US Department of Homeland Security and the FBI, said the attacks included the use of spear phishing and malware to gain remote access into US energy sector networks, and it urged organisations in the energy sector to review their cyber security defence capabilities.
“Russia’s behaviour continues to trouble us and we are continuing to push back in meaningful ways,” a US senior national security official is quoted as saying. But some US officials reportedly said the sanctions do not go far enough in view of the scale of the Russian attack on the 2016 election.
The founding director of US-Cert and security firm Tenable CEO, Amit Yoran, has called the alert “unprecedented and extraordinary” and a wake-up call for the industry at large.
“This is a reminder that we are still not doing the basics well and that our defence needs to constantly evolve and adapt,” he said.
Peter Woollacott, CEO of Huntsman Security, said with Isaca predicting a global shortage of two million cyber security professionals by 2019, there are not enough professionals to cope with the growing threat that critical infrastructure faces.
“Even before this announcement from the FBI and DHS, national agencies were already reporting a significant increase in reported attacks, let alone those that pass undetected,” he said.
Read more about industrial security
- Vulnerabilities in industrial control systems commonly used by suppliers of critical national infrastructure are potentially the biggest threats to UK cyber security, according to a cyber defence expert.
- Organisations should mitigate six key vulnerabilities in industrial control systems to reduce the risk of cyber attack, warns security firm FireEye.
- Targeted attacks on industrial control systems are the biggest threat to critical national infrastructure, says Kaspersky Lab.
- Hackers have been penetrating industrial control systems for at least a decade for extortion, yet little is known about how they gain access.
As more elements of services move online, Woolacott said there are more opportunities for attackers of any size or capability to try their luck.
“Critical infrastructure faces a blizzard of attacks of varying sophistication – any one of which could be as damaging as WannaCry or Stuxnet,” he said.
“There is no way to block all of these potential attacks at the walls of an organisation, so governments and businesses need to think very carefully about how we secure our infrastructure or else security analysts will soon be overwhelmed by the sheer volume they face.”
Mat Clothier, CEO, CTO and founder of UK technology company Cloudhouse, said the attacks on US infrastructure highlight the challenge of securing IT operations in this sector because of the amount of legacy IT software within the sector.
“This makes it a slow-moving, easy target,” he said. “No matter how advanced cyber security becomes, it will be of little benefit to those running their IT operations on legacy platforms which no longer receive the latest security patches and updates.”
According to Clothier, Cloudhouse is among the technology companies, including Airbus and Honeywell, that are working with utility providers, public sector bodies and private organisations to improve their cyber defences.
Specifically, Cloudhouse is working with these organisations to migrate their mission-critical applications, specifically written to run on now outdated platforms, away from legacy operating systems into a safe environment through the use of compatibility containers.
Airbus is helping to drive the cyber security market for industrial control systems (ICS) used throughout industry, including many providers of critical national infrastructure, while Honeywell has a network of global cyber security centres of excellence (COEs) dedicated to improving industrial cyber security for critical infrastructure, information technology (IT) and operational technology (OT) convergence, and digital transformation, with the latest COE opening in Dubai.
Most alarming attack
Commenting on the attack on the unnamed petrochemical plant in Saudi Arabia in August, which has been described as the “most alarming” in a string of such attacks, Brian Contos, CISO at security firm Verodin, said taking down a petrochemical plant affects a wide variety of services downstream, such as transportation, supply chains and military operations.
“There is a lot that can be said about the convergence of kinetic and non-kinetic warfare here and the value of asymmetric attacks like this on critical infrastructure providing a force multiplier for the threat actors,” he said.
For example, Contos said cyber attacks have lower attribution than kinetic attacks and, compared to some kinetic attacks, are far less risky, less costly and easier to perpetrate; the speed and reach of a cyber attack is far greater than a kinetic attack, thus compressing space and time constraints; attackers do not need to be a nation state to execute an extremely damaging cyber attack – it can be accomplished by minor actors; and critical infrastructure and industrial control systems remain high-value targets because of the depth and duration of destruction that can be caused and because industrial control systems still suffer from significant cyber security shortcomings.
Mounir Hahad, head of threat research at Juniper Networks, said the Triconex controllers targeted in the Saudi Arabia attacks were from the same manufacturer as control devices targeted in previous attacks on chemical and power plants – Schneider Electric.
“They have been a target of cyber criminals and cyber warriors because they are very popular in Scada control systems,” he said. “According to Schneider, there are about 13,000 Triconex systems in use today around the world. Each one is potentially a critical infrastructure, such as nuclear power plants, water treatment plants and hydro-electric power plants.”
Hahad pointed out that Juniper had published a detailed analysis of the Shamoon malware used in the previous attacks in Saudi Arabia.
Because attackers make mistakes and leave behind critical pieces of malware that eventually leak out, Hahad said it is imperative to assume that many other nation states have access to the same offensive capabilities.
“It is believed Russia has been testing similar weapons in Ukraine for the last couple of years,” he said. “While nation states tend to be careful not to use cyber weapons that cause loss of life, criminal and terrorist groups may not have the same morals. Therefore it is imperative for us to put in place a strong defensive capability against these kinds of attacks, and treat every incident with the utmost urgency and focus.”