The importance of protecting infrastructures has dramatically increased in recent years. Critical infrastructures (CIs) include those physical resources, services, and information technology facilities, networks, and infrastructure assets which, if disrupted or destroyed, would have a severe impact on the health, safety, security, or economic well-being of citizens or the efficient functioning of governments and/or economies. These categories comprise utility infrastructure (water, gas, fuel, electricity, transportation, communication), banking and financial services, and food supply, etc. With the advent of the digital age and the IoT, these CIs become interrelated, interconnected, and even more accessible, both for legitimate users and for adversaries. Protecting the digital access to these CIs now has a special focus: cyber security.
Critical Infrastructure Cyber Security Challenges
In the past decade, the cyber security threat to critical infrastructure is on the rise. We have witnessed a broad range of attacks, utilizing different levels of attackers’ skills, from experienced hackers to state-backed campaigns. The large, and ever-growing percentage of attacks carried out by nations, suggests a following paraphrase to Clausewitz’s famous wording – “Cyber War is the continuation of politics by other means, when governments don’t wish to exert brute force”.
The first known attack on critical infrastructure was carried out on a Turkish oil pipeline that mysteriously caught fire without triggering any sensors or alarms. Although Kurdish separatists claimed the attack, a number of U.S. intelligence officials credit Russia, which was opposed to the Baku-Tbilisi-Ceyhan pipeline, since it bypassed Russian territory, eliminating their ability to control the oil flow.
The next attack, Stuxnet was discovered in 2010 after it had degraded an estimated 1,000 centrifuges in Iran’s Natanz uranium enrichment plant. Stuxnet is an extremely sophisticated computer worm that exploits multiple previously unknown Windows zero-day vulnerabilities to infect computers and spread. Its purpose was not just to infect computers but to cause real-world physical effects. Specifically, it targets centrifuges used to produce the enriched uranium that powers nuclear weapons and reactors, to decelerate Iran’s nuclear program. One of the drivers of the Stuxnet malware was signed by Realtek, fooling the users to believe it’s a legitimate software. Stuxnet became the paradigm shift of the industry’s understanding of the cyber security risks associated with critical infrastructure.
A more recent attack, carried out on Christmas eve 2015 against the Ukrainian power grid, succeeded to blackout a quarter for up to 6 hours. The hackers carefully planned their assault over many months, first doing reconnaissance to study the networks and siphon operator credentials, then launching a synchronized assault. The attack begun with a spear-phishing campaign that targeted IT staff, infecting the OT network with BlackEnergy malware, and in later stage, a DDoS attack on the call center so that nobody could call-in to notify the regional utilities of the powe r down. Ukraine was quick to point the finger at Russia for the assault, as part of the political conflict between the states over Crimea annexation.
Critical infrastructure is facing a broad range of technological, operational and regulatory challenges, unparalleled in the IT realm:
- ICS/SCADA vulnerabilities – the plurality of various SCADA (Supervisory Control and Data Acquisition) protocols, part standardized and part proprietary (that haven’t undergone a rigorous peer reviews and pen testing), are filled with long known vulnerabilities such as memory corruption, credential management issues and code injection issues. Moreover, these protocols often do not address security at all, such as lack of authentication & command authorization. As a result, these protocols are easily corrupted, whether by malicious intent or by accident.
- Aging infrastructure – utilities networks operate legacy equipment filled with well-known security vulnerabilities, while the extremely long patch cycles (up to several years) and replacement cycles (reaching up 50 years in some utilities) don’t alleviate the problem.
- Limited Security Awareness – of basic enterprise cyber-security leave these networks in a particularly vulnerable state.
- Inefficient Segmentation – The equipment is interconnected via IP networks with Internet access, making it open to cyber security attacks. Failure to segment the enterprise IT network from the operational network (OT) effectively allows cyber threats to reach the operational networks via the enterprise.
- Cyber Security Regulation Compliance – NERC CIP V6 and the Cybersecurity National Action Plan (CNAP) are setting regulations to enhance utility and CI security and resilience. The Council of European Energy Regulators (CEER) is the voice of Europe’s national regulators of electricity and gas at EU and international level. Utilities are of great concern in particular, and are now being highly regulated.
- Industrial IoT and Connected Homes – manufacturing, energy, hospitals, water treatment, farms and transportation – along with consumers in their connected homes – all see tremendous benefits in being connected. However, the unprecedented opportunities that Smart Grid connectivity brings, such as vastly improved operational efficiencies, come bundled with many new types of risks, and especially – cyber threats. (Learn how to Secure Keys and Credentials on IoT Devices)
Financial Institutions Facing Cyber Threats
When thinking about critical infrastructure, we typically imagine power, water, oil & gas utilities. However, it’s often overlooked that financial institutions are also fundamental to our lives, to the extent that we cannot live without them. They are the lifeline of the world economy. It is a complex landscape of actors, including stakeholders, regulatory agencies, financial service providers, and the communication networks linking them. Therefore, this system is considered as a critical infrastructure of our society and has to be protected from cyber-attacks.
The financial system is quintessential to the proper functioning of a modern national and global economy. It comprises many entities that interact with each other to provide financial services that are the lifeline of the world economy. It is a complex landscape of actors, including stakeholders, regulatory agencies, financial service providers, and the communication networks linking them. Therefore, this system is considered as a critical infrastructure of our society and has to be protected from cyber-attacks.
The financial system is built on a set of promises between people and institutions. If these promises are no longer trustworthy, the whole house of cards will collapse and people will take their money and run. That panic behavior happened in 2008 due to the subprime mortgage crisis, but the same could unfold via a sophisticated cyber-attack. Processes designed to make banking safer have created new vulnerabilities: large amounts of money flow through certain key bits of infrastructure. If such systemic institutions were compromised, dismay could quickly spread.
Armageddon for banks could take the form of an attack prepared over several months and then carried out over a day or two of mayhem. In this scenario, the motive would be to cause maximum instability, something that worries regulators more than a simple theft. A belligerent nation could attempt to use a digital-crafted weapon to cause economic chaos by crashing their enemy’s stock market, as a preemptive attack or retaliation, since these attacks are at such a level that they can only carried out by nation states.
Rather than hacking into an individual bank, the assailants might aim straight at the heart of global finance by choosing as their target parts of its essential “financial-market infrastructure” (FMI), such as clearing houses or payments systems. Because plenty can go wrong between the promise of a payment (i.e. writing a check or making a digital transaction) and its actual settlement (the money arriving into the bank account of the seller), clearing houses are located in the middle of transactions to process them and insulate both sides against credit risk. If a major FMI is breached, it can turn from a source of market stability into a source of contagion. An attack on such systems could quickly have systemic consequences if it leads to wayward flows of money. Central banks would soon become involved: without a speedy intervention, private banks could become insolvent.
Today, out of all the money we globally use, only 3% is in the form of cash in circulation. The other 97% exist only in digital form, and due to a cyber-attack, it might be impossible to draw this money out of the ATM. If people would not have a way to pay for the necessities (like food and water), society will collapse.
Since cyber-attacks on various types of critical infrastructure pose a national threat, the state is responsible to regulate their protection. We see a major increase in the regulation on these bodies, and a positive shift to an industry wide threat sharing which improves the work of the response teams and the overall cyber security posture of critical infrastructure.