One of the most prized targets for threat actors is critical national infrastructure (CNI), systems that are vital to the functioning of an entire country and which keep the world economy afloat. This includes energy grids, telecommunications networks, and water infrastructure, all of which must face down the ever-present threat of devastating cyber attacks.
UK and US authorities recently warned that pro-Russian hacktivists have been targeting vulnerable, small-scale industrial control systems (ICS) in North America and Europe. Investigations identified attackers are capable of techniques that pose physical threats against insecure and misconfigured operational technology (OT) environments authorities said.
Attacks on CNI such as energy and water firms are nothing new. Since the first large-scale attack on Iranian nuclear centrifuges, known as Stuxnet, adversaries have been increasingly targeting ICS systems and vulnerable OT-based infrastructure.
In 2021, the US oil system Colonial Pipeline was hit by a ransomware cyber-attack that impacted the computerized equipment managing it. During the same year, adversaries breached a water treatment plant in Florida.
Successful breaches against CNI pose such a threat because they cause physical damage and potentially impact lives on a national or international scale. That’s why they have become part of the hybrid warfare arsenal of hostile state-sponsored attackers such as China, Russia, Iran, and North Korea. So, what is the threat to CNI organizations and how can risks be mitigated?
Why critical national infrastructure is so difficult to protect
The risks to CNI span multiple vectors, depending on the nature of the company. The greatest physical risk is to companies in sectors such as energy generation, which may rely on supervisory control and data acquisition (SCADA) systems. These are sophisticated control systems for complex machinery found in plants such as factories, oil pipelines, or even space stations, which in some cases were not designed to be connected to the internet.
CNI organizations relying heavily on these outdated legacy systems can prove fruitful targets for attackers. Designed without security in mind, antiquated infrastructure often lacks the capability for vulnerability patches or straightforward upgrades, leaving them exposed to modern cyber threats, says Stephen Kines, COO at Goldilock.
The nature of the systems makes downtime difficult to schedule, as critical services can rarely be safely switched off. This leaves organizations with no option but to add on, “resulting in an incredibly complex combination of legacy and modern systems to secure and maintain”, Kines says.
SCADA systems used in CNI infrastructures often interface with other IT systems, creating entry points for attackers, says Yuval Wollman, president at CyberProof. “These systems rely on outdated technologies with well-known vulnerabilities that are challenging to patch or update.”
Adversaries can move laterally from IT to OT, for example infecting IT workstations on the local area network (LAN) means they can discover ICS control workstations, says Pierre Guiho, product manager at Gatewatcher. “They then target ICS equipment, impacting production or even attempting to destroy production capabilities.”
Other risks can arise when CNI firms rely on third-party vendors or suppliers for critical components or services, Wollman says. “This can introduce risks such as supply chain attacks or disruptions.”
Who is attacking critical national infrastructure?
For some adversaries more than others, CNI is an attractive target. Attackers fall into two groups: opportunistic and state-sponsored, says Richard Sorosina, chief technical security officer EMEA and APAC, Qualys.
“The opportunistic attacks tend to aim at standard applications and systems that CNI organizations have in place. The state-linked groups are more targeted and go after larger systems, and they have the skills, expertise and resources to carry out those attacks over time.”
Currently, governments are reporting nation-state actors are behind many of the attacks against CNI facilities, says James McQuiggan, security awareness advocate at KnowBe4. “They work to gain a hold on these systems but do not act until they are needed. They know legacy systems may not be updated and are easier to exploit and gain access to.”
Russia, China, and Iran are particularly active at the moment. At the end of 2023, the Washington Post reported that US officials had linked the Chinese military had hacked into the system of about two dozen critical entities over the past year, including a water utility in Hawaii, a major West Coast port, and the Texas power grid.
Iranian threat group Cyber Av3ngers also targets critical infrastructure, particularly SCADA systems. “They have caused disruption to railway systems and water treatment companies including one in Pennsylvania,” says Steve Knibbs, director of Vodafone Business Security Enhanced.
Russia-based Sandworm has claimed responsibility for attacks on US and European water plants. “One attack caused tanks to overflow, so the attack had real-world impact and consequences,” Knibbs says.
International cooperation against attacks
Governments have recognized the need to protect CNI and for this reason, various pieces of regulation have been imposed around the world. In the EU, security is covered by the Directive on Resilience of Critical Infrastructure, adopted in 2020, and the Network and Information Security 2 (NIS2) Directive.
Within the US, the Critical Infrastructure Security Agency (CISA) overseen by the Department of Homeland Security, plays a key role in ensuring organizations are aware of the threats coming from nation-states, including CNI-based attacks.
There is also growing international cooperation around cyber security, with countries engaging in international collaboration to address transnational cyber threats and share intelligence, says Wollman.
As well as regulations, the UK’s National Cyber Security Centre (NCSC) developed the Cyber Assessment Framework so organizations that come under CNI can measure and assess their security posture and make improvements as needed.
As the threat increases, there is always more that can be done to protect CNI. The only way to defeat persistent threats is by investing in controlling physical connections and using network segmentation, says Kines. “It is key to implement an industry standard that ensures network ports, systems and devices are kept offline until they are needed. This will ensure CNI leaders have control over all aspects of an organization’s systems, no matter how extensive or outdated.”
Asset owners and operators can make “a huge difference” to their cyber security posture by investing in “just a handful of areas”, says Mark Graham, principal adversary hunter and technical director at Dragos. He says the SANS Five Critical Controls for ICS/OT Cybersecurity is “a great starting point to bolster defensive measures, readiness and response”.
Overall, CNI security requires a risk-based approach that prioritizes the biggest and most serious problems first, says Sorosina. “This will put the effort where needed, so all organizations involved in CNI can ensure their systems are resilient and able to withstand targeted attacks.”