Over the past few months, news headlines around the globe have been littered with reports of cyberthreats to the critical infrastructure of countries of all sizes. What were once just ominous theories of catastrophic cyberattacks crippling the nation’s critical infrastructure are now deemed credible threats that critical infrastructure enterprises must consider in their cybersecurity, business continuity and incident response planning.
While the U.S. has not experienced a disruptive critical infrastructure cyberattack to date, such as the 2015 attack on Ukraine’s power grid that left more than 700,000 people without power for several hours, the frequency of cyberattacks on critical infrastructure enterprises is on the rise. This becomes an even greater concern with events such as the Russian hacking of the computer systems of numerous U.S. nuclear plants, which occurred just last month. As is becoming more and more common in attacks targeting critical infrastructure enterprises, these hackers targeted industrial control engineers, who had access to critical industrial control systems (ICS).
According to Kaspersky Lab’s State of Industrial Cybersecurity 2017 survey, ICS and critical infrastructure are becoming increasingly common targets for cyberattackers, with more than 50 percent of industrial enterprises reporting a cyberattack in 2016. The top threats causing these incidents were identified as malware and virus outbreaks (53 percent), targeted attacks (36 percent) and employee errors/unintentional actions (29 percent). The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the Department of Homeland Security stated in its FY 2016 Annual Assessment Report that in 2016 it saw more successful exploitation attempts on the control systems of industrial systems than it has seen historically. Evgeny Goncharov, head of Kaspersky’s Critical Infrastructure Defense Department, stated that “the rise of cyber-threats to critical infrastructure indicates that ICS should be properly secured from malware both inside and outside the perimeter…[and] that according to [its] observations, the attacks almost always start with the weakest link in any protection—people.”
While it was once thought that ICS were somewhat impervious to cyberattacks because the computers used to operate them do not access the internet and are traditionally segregated from the company’s corporate network, that thought process is rapidly changing. In its State of Industrial Cybersecurity 2017 survey, Kaspersky Lab reported that significant risk to ICS still exists from other users that have access to both the internet and the ICS (e.g., systems and network administrators, compromised third-party vendors who connect to the network to support the ICS, and industrial system developers and integrators). Additionally, with the growing prevalence of the industrial Internet of Things, connected industrial devices, including smart ICS, have drastically increased the attack surface for hostile actors. In a study conducted by Project SHINE (SHodan Intelligence Extraction), an initiative that scanned the internet looking for SCADA and ICS devices, researchers found more than one million ICS devices directly connected to the internet and often lacking firewalls. Given that, it is no longer appropriate for organizations to dismiss ICS from their cyberthreat calculus.
Many of the most common information security defenses used by critical infrastructure enterprises to stave off cyberattacks are considered outdated, ineffective and not on par with the level of technological sophistication used by companies in their standard data protection efforts. Unlike traditional cyberattacks, where threat actors seek to steal a company’s sensitive data, critical infrastructure attacks are typically more sinister in nature and designed to damage a business’s core operations. Because of the severity of these attacks, companies must evaluate different mitigation approaches, which focus not only on ensuring business continuity, but also on the physical security of the public and the organization’s tangible assets.