As we have discussed in recent articles, the threat landscape is constantly evolving with far more sophisticated hackers finding creative ways to infiltrate networks – networks that increasingly include access to key operational assets.
According to a public release, U.K. power administrator Elexon experienced a cyber-attack on May 14. Since Elexon is not part of the real-time physical flow of electricity from power stations to consumers, the attack did not impact the power supply.
Elexon’s role is to calculate the volumes of electricity produced by power stations and sold by electricity Suppliers and compare these to what those organizations contracted to produce or to sell and apply a charge for any differences. Elexon also calculates, collects and distributes payments to Contract for Difference generators and Capacity Market providers. Both sets of calculations occur on systems and in environments totally separate from those impacted by this incident and which continue to work as normal.
While this attack did not ultimately impact the utility’s operational technology, it should serve as a spotlight on the growing threat organizations face as IT and OT environments converge into truly digital environments. Had hackers found their way into operational technology, the impact could have been disastrous, ranging from holding a key utility hostage with ransomware to disabling the safeguard controls of a nuclear plant and causing a catastrophic reactor meltdown.
Tempered CEO Jeff Hussey tells IndustryWeek, "Critical infrastructure – from the electrical grid, fresh and wastewater treatment plants, and oil and gas distribution to industrial control systems and smart cities – has vulnerabilities which pose enormous cyber risk to operators and the communities they serve. Those risks can be seen firsthand in the recent cyberattack on the UK’s electrical system. Traditionally, these networks have been physically separated or air-gapped, but digital transformation has made securing and managing these legacy networks remotely very difficult," he says.
"Fortunately, state-of-the-art secure networking solutions are now available that make networks invisible to external threats while enabling secure connectivity across physical, virtual, and cloud platforms and preventing these types of attacks. These solutions leverage wired, cellular and Wi-Fi networks to enable secure remote management of critical infrastructure while maintaining standards compliance," says Hussey. "These solutions not only eliminate network-based attacks, but they also reduce the cost and complexity required to effectively manage critical infrastructure for governments, utilities, and IoT applications."
"We've recently seen a rise in geopolitical tensions, as the U.K. and U.S. governments warn of nation-state attacks targeting critical COVID-19 research, vaccine data, medical facilities and even building companies behind hospital projects," said Exabeam’s Trevor Daughney. "We can't know for sure at this time, but could this attack also be aimed at undermining public confidence in government during this pandemic?"
Critical infrastructure is particularly vulnerable because while IT must ensure that data is secure, it’s more important for OT to be up and running, explains Daughney. “These control networks and devices are generally legacy systems running on older operating systems and are also rather fragile. Even a vulnerability scan has been known to break a PLC or void a warranty -- there is a delicate balance between system design and the often understaffed team needed to protect it. And this is likely exacerbated by the current climate,” he says.
The fact is, these systems were never designed with security in mind; they were designed simply to work. “To help secure and run these systems, plants then try to fill the staffing and expertise gap by relying on third-party partners, thereby increasing the insider risk,” says Daughney. “Traditional security management approaches cannot effectively address modern threats to critical infrastructure, leaving companies unable to detect or respond to them immediately because of problems with data, intelligence, and expertise.”
Bottom line, industrial operations need to embrace a new approach to address “the urgency for unlimited logging without data volume-pricing so that critical infrastructure organizations can get all the data they need for analysis and enable new levels of monitoring through behavioral analytics,” says Daughney. “This approach uses all of the ingested data points to baseline normal behavior for all users and machines in an entire critical infrastructure environment, allowing IT professionals to quickly identify any behavior that is anomalous and/or risky.”
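The baselining approach Daughney describes, shown as an added illustration that is not from the article or from Exabeam's product: a per-user profile of which OT targets, actions and hours of day are normal is built from constructed jump-host log lines, and later events are flagged where they deviate from that profile (the log format, user names and asset names are all assumptions).

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log of an OT jump host (not real data). Assumed fields:
# ISO timestamp, then user=, target= (PLC/HMI), action= (read or write).
BASELINE_LOG = """\
2020-05-01T09:05:00 user=eng_alice target=plc-03 action=read
2020-05-01T10:20:00 user=eng_alice target=plc-03 action=write
2020-05-02T14:00:00 user=eng_alice target=plc-04 action=read
2020-05-02T09:30:00 user=vendor_bob target=hmi-01 action=read
2020-05-03T11:15:00 user=vendor_bob target=hmi-01 action=read
"""

# Constructed events to score against the baseline (the second one is a
# third-party account writing to a PLC it never touched, at 02:13).
NEW_LOG = """\
2020-05-14T10:00:00 user=eng_alice target=plc-03 action=write
2020-05-14T02:13:00 user=vendor_bob target=plc-03 action=write
"""

def parse(log):
    """Turn each line into a dict of fields plus the hour of day."""
    events = []
    for line in log.splitlines():
        ts, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        fields["hour"] = datetime.fromisoformat(ts).hour
        events.append(fields)
    return events

def build_baseline(events):
    """Per-user profile: targets touched, actions used, hours active.
    A real deployment would baseline over a much longer window."""
    profile = defaultdict(lambda: {"targets": set(), "actions": set(), "hours": set()})
    for e in events:
        p = profile[e["user"]]
        p["targets"].add(e["target"])
        p["actions"].add(e["action"])
        p["hours"].add(e["hour"])
    return profile

def score(event, profile):
    """Return the reasons an event deviates from its user's baseline (empty if none)."""
    p = profile.get(event["user"])
    if p is None:
        return ["unknown user"]
    reasons = []
    if event["target"] not in p["targets"]:
        reasons.append(f"new target {event['target']}")
    if event["action"] not in p["actions"]:
        reasons.append(f"new action {event['action']}")
    if event["hour"] not in p["hours"]:
        reasons.append(f"unusual hour {event['hour']:02d}")
    return reasons

def find_anomalies(baseline_log, new_log):
    """List (user, target, reasons) for every new event that deviates from baseline."""
    profile = build_baseline(parse(baseline_log))
    flagged = []
    for e in parse(new_log):
        reasons = score(e, profile)
        if reasons:
            flagged.append((e["user"], e["target"], reasons))
    return flagged
```

Only the vendor account's off-hours write to an unfamiliar PLC is flagged; the engineer's write to plc-03 at 10:00 matches her profile and passes silently.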