Security researchers have long shared their concerns about potential cyberattacks on critical infrastructure systems. Over the past few weeks, there have been several reports highlighting the dangers of such attacks. According to the New York Times, investigators believe that a cyberattack against a petrochemical plant in Saudi Arabia in August last year was intended to not only sabotage the plant’s operations but also cause an explosion that could have killed people. The only thing that reportedly prevented the explosion was a mistake in the computer code used by the attackers. Experts believe that a nation-state attacker was responsible, given that there was no obvious financial motivation from the attack. Also this month, the US accused Russia of a wide-ranging cyber-assault on its energy grid and other parts of its critical infrastructure, with many of the reported tactics resembling the Dragonfly 2.0 campaign, in which hackers infiltrated energy facilities in North America and Europe.
We are at an alarming point in terms of our critical infrastructure security, where governments around the world are on high alert to the potential for damaging attacks. The head of the UK’s National Cyber Security Centre (NCSC) warned in January that he expects the UK to suffer a major, crippling cyberattack against its national critical infrastructure during the next two years.
Nation state attackers are well aware of the political fallout that could arise as a result of dangerous cyberattacks on control networks, and so it is imperative that security issues within these systems are addressed urgently.
Industrial control systems at risk
The National Cyber Security Centre is right to be concerned about potential cyberattacks against UK critical infrastructure. Across all parts of critical national infrastructure, we are seeing a greater number of sophisticated and damaging cyber threats which are often believed to be the work of foreign governments seeking, it is alleged, to cause everything from mischief through to political upheaval. While offering many benefits in terms of productivity and visibility, the greater connectivity arising from the Internet of Things has also exposed many industrial control systems to a range of damaging cyberattacks. For example, DDoS attacks can be used to disrupt the availability of critical services, while simultaneously allowing attackers to plant damaging, or as in the Saudi case even weaponized, malware. Last October’s DDoS attacks against the transport network in Sweden caused train delays and disrupted travel services, while the WannaCry ransomware attacks last May demonstrated the capacity for cyberattacks to impact people’s access to essential services. The current cyber security landscape has changed almost beyond recognition – ten years ago, only the most Orwellian futurists would have predicted that major national elections would be manipulated by cyberattacks.
The pressure is now on for the cyber security community and governments to act on this issue to defend against this apparent increase in nation state attacks. The NIS Directive with the UK/EU and the NIST framework in the US present a golden opportunity to improve critical infrastructure cyber security. But to be truly effective, these regulations must compel operators of essential services to deliver higher levels of cyber security and require that these essential services remain available during an attack. As seen in recent days with Facebook and Cambridge Analytica, it won’t matter if infrastructure operators claim ‘tick-box’ regulatory compliance as their defence if their essential service has failed to remain open for business during a nation state sponsored cyber-attack.
To find out more, contact us.