On Dec. 23, the entire Ivano-Frankivsk region in Ukraine suffered a major power outage. According to security experts and the Ukrainian Government, the attackers used a destructive variant of the popular BlackEnergy malware.
According to Ukrainian media, the power outage was caused by destructive malware that disconnected electrical substations. Experts speculate that the hackers targeted Ukrainian power authorities with a spear phishing campaign to spread the malware, leveraging Microsoft Office documents. The incident in Ukraine has refocused attention on the security of critical infrastructure worldwide.
Western infrastructure is a target for several kinds of “threat actors,” including nation-state hackers, cybercriminals, cyber terrorists and hacktivists. The Stuxnet case demonstrated the efficiency of modern cyber weapons - a malicious code spread in a virtual environment like cyberspace could put the lives of entire populations in danger.
Protection of critical infrastructure is a pillar of any government’s cyber strategy. Cyberspace is recognized as the fifth domain of warfare, and militaries across the globe are improving their capabilities in order to protect national assets from cyberattacks.
According to the former chief of the National Security Agency, General Keith Alexander, electric grids, oil refineries and power plants are the biggest targets for cyberattack.
“The greatest risk is a catastrophic attack on the energy infrastructure. We are not prepared for that,” he reportedly said, during a private dinner held by IHS CERAWeek last year.
According to The Telegraph, the former NSA Chief listed five countries that have significant cyber-warfare capabilities - the U.S., U.K., Israel, Russia and Iran. China and North Korea are two other countries investing significantly to improve their cyber capabilities.
When dealing with threat actors, we cannot ignore the menace represented by terrorist organizations. The recent dramatic escalation of terrorist attacks is an alarm bell. Security experts believe that too many countries are not prepared to handle cyberattacks, according to a recent report issued by the Nuclear Threat Initiative (NTI), a nonprofit, non-partisan organization with a mission to strengthen global security by reducing the risk of use and preventing the spread of nuclear, biological, and chemical weapons.
The third Nuclear Security Index published by the NTI evaluates the readiness of nations with regard to securing their nuclear programs against sabotage and digital assaults. According to the 2016 NTI Index, while a few nations have found ways to secure nuclear facilities against cyber assaults, many still don’t have the necessary laws and regulations in place.
Threat actors could be interested in targeting an atomic facility for a number of reasons, including sabotage and the burglary of atomic materials.
“For example, access control systems could be compromised, thus allowing the entry of unauthorized persons seeking to obtain nuclear material or to damage the facility,” says the NTI report. “Accounting systems could be manipulated so that the theft of material goes unnoticed. Reactor cooling systems could be deliberately disabled, resulting in a Fukushima-like disaster.”
The Nuclear Threat Initiative found that, of the 24 states with weapons-usable nuclear materials and the 23 states that have nuclear facilities but no weapons-usable nuclear materials, 13 receive a maximum score for cybersecurity: Australia, Belarus, Bulgaria, Canada, Finland, France, Hungary, the Netherlands, Russia, Switzerland, Taiwan, the U.K. and the U.S.
However, the report found that 20 states score 0 and lack even basic requirements to protect nuclear facilities from cyberattack. Worryingly, a number of the states that scored 0 have been extending their use of atomic energy.
Recently a number of countries have passed new laws and regulations to improve and upgrade cybersecurity requirements when dealing with the protection of critical infrastructures. The NTI Index took into account efforts by a number of governments, including the U.K., South Africa, Russia, France and Pakistan.
“Given the potential consequences, all states must work aggressively to ensure that their nuclear facilities are protected from cyber attacks,” the report said. “Governments should include the cyber threat within the national threat assessment for their nuclear facilities, and they should put in place a clear set of laws, regulations, standards, and licensing requirements for all nuclear facilities that require protection of digital systems from cyber attacks”.
“At the facility level, leadership must prioritize cybersecurity, determine potential consequences, and implement a program that ensures that digital assets and networks are characterized and secured and that the security is routinely tested,” the report added.
The same opinion is expressed in a survey conducted by the Chatham House think tank that analyzed cybersecurity at civil nuclear facilities. The study interviewed 30 industry practitioners, academics and policymakers from the U.K., Canada, the U.S., Ukraine, Russia, France, Germany and Japan.
The report found that the nuclear industry is falling behind other industries in addressing cyber security, despite rapidly evolving threats.
“The nuclear industry is beginning – but struggling – to come to grips with this new, insidious threat,” said Patricia Lewis, research director of Chatham House’s international security program.
Nuclear facilities worldwide have reached a high level of physical security and safety, but they are still open to cyberattacks despite steps taken recently by the International Atomic Energy Agency (IAEA).
Hackers target the core of civil nuclear facilities and other critical infrastructure - the SCADA systems and industrial control systems (ICS). Both SCADA and ICS are affected by numerous vulnerabilities that could be exploited at any moment by hackers.
Another myth worth dispelling is the safety of networks totally isolated from the Internet, the so-called “air-gapped networks.”
“Not only can air gaps be breached with nothing more than a flash drive but a number of nuclear facilities have virtual private networks (VPN) or undocumented or forgotten connections, some installed by contractors,” the Chatham House report said, citing the example of Stuxnet. “The worm most likely spread initially when infected USB flash drives were introduced into these facilities.”
When dealing with technical challenges, “insecurity by design” is a major problem, according to the report, with patch management of industrial control systems an extremely complex activity. A patch, for example, could cause serious compatibility issues and, in the worst case scenario, deployment could result in downtime and compromise the operation of the entire facility.
“The nuclear industry as a whole needs to develop a more robust ambition to take the initiative in cyberspace and to fund the promotion and fostering of a culture of cyber security, determining investment priorities and ensuring that sufficient and sustained funding is allocated to effective responses to the challenge. It also needs to establish an international cyber security risk management strategy and encourage the free flow of information between all stakeholders,” Chatham House said in its report. “This will require the industry to develop appropriate mechanisms and coordinated plans of action to address the technical shortfalls identified, as well as to find the right balance between regulation and personal responsibility.”
Risk assessment is the most important challenge for operators of critical infrastructure - it is vital to accurately assess and measure the risks in order to have a clear idea of the security measures that must be adopted.
Underlining the importance of this issue, the World Economic Forum recently identified the very real threat posed by cyberattacks. Clearly, there’s no time to waste when it comes to protecting critical infrastructure.
Pierluigi Paganini is the author of the book “The Deep Dark Web” and founder of the Security Affairs blog.