Cyber threats have dramatically developed throughout the years. From simple worms to viruses, and finally to advanced Trojan horses and malware. But the forms of these threats are not the only things that have evolved. Attacks are targeting a wider range of platforms. They have moved from the PC to the Mobile world, and are beginning to target IoT connected devices and cars. The news has been filled recently with attacks on critical infrastructure, causing the blackout in Ukraine, and the manipulation of “Kemuri Water treatment Company“ water flow.
This threat can no longer be ignored. Critical infrastructure organizations such as power utility and water are critical, and ought to be protected accordingly. Certain governments are starting to realize that cyberattacks can, in fact, affect critical infrastructure. As a result, they have recently issued regulations to enhance their standard defenses.
The cyber threat world is big and extensive—to fully understand the scope of threats to nationwide critical infrastructures, here are a few insights and perspectives based on our vast and longstanding experience in the cyber world.
Top three critical infrastructure threat vectors
Industrial Control Systems (ICS) are vulnerable in three main areas:
- IT network.
- Insider threat (intentional or unintentional).
- Equipment and software.
Attacking through the IT network
ICS usually operate on a separate network, called OT (Operational Technology). OT networks normally require a connection to the organization’s corporate network (IT) for operation and management. Attackers gain access to ICS networks by first infiltrating the organization’s IT systems (as seen in the Ukraine case), and use that “foot in the door” as a way into the OT network. The initial infection of the IT system is not different than any other cyberattack we witness on a daily basis. This can be achieved using a wide array of methods, such as spear phishing, malicious URLs, drive-by attacks and many more.
Once an attacker has successfully set foot in the IT network, they will turn their focus on lateral movement. Their main objective is to find a bridge that can provide access to the OT network and “hop” onto it. These bridges may not be properly secured in some networks, which can compromise the critical infrastructures they are connected to.
The threat within
Traditional insider threats exist in IT networks as well as in OT networks. Organizations have begun protecting themselves against such threats, especially after high profile attacks such as the Target hack or Home Depot (and the list is continuously growing). In OT however, the threat is increased. Similar to IT networks, insiders can intentionally breach OT networks with graver consequences. In addition to this “regular” threat, there is the unintentional insider threat. Unlike IT networks, OT networks are usually flat with little or no segmentation, and SCADA systems have outdated software versions that go unpatched regularly.
Unwitting users often inadvertently create security breaches, either to simplify technical procedures or by unknowingly changing crucial settings that disable security. The bottom line remains the same either way: the network that controls the critical infrastructure is left exposed to attacks. This is proven time and again as one can easily encounter networks that were connected to the internet by accident.
Meddling with critical components
The last avenue that endangers ICS is tampering with either the equipment or its software. There are several ways to execute such an operation:
- Intervening with the equipment’s production. An attacker can insert malicious code into the PLC (Programmable Logic Controller) or HMI (Human Machine Interface) which are the last logical links before the machine itself.
- Intercepting the equipment during its shipment and injecting malicious code into it.
- Tampering with the software updates of the equipment by initiating a Man in The Middle attack, for example.
So, how can we protect our Critical Infrastructure?
To fully protect any critical infrastructure, whether it is an oil refinery, nuclear reactor or an electric power plant, all three attack vectors must be addressed. It is not enough to secure the organization’s IT to ensure the security of the production floor. A multi-layered security strategy is needed to protect critical infrastructures against evolving threats and advanced attacks. Check Point offers not only a full worldview of the problems critical infrastructures are facing, but also a comprehensive solution to protect them.