Cyberwar isn’t just coming to the West. It’s already here.
On May 10, the U.S. and European governments formally declared that Russia’s invasion of Ukraine began with a state-sponsored cyberattack on critical communications infrastructure—an attack that spilled over from Ukraine to satellite internet networks throughout Europe. It is a foretaste of disruptions on a global scale, officials have warned, with critical infrastructure like utilities, food production, and emergency services at risk.
In fact, there’s strong evidence that these kinds of attacks have already begun.
A number of wind-power companies fueling Germany’s rapid transition away from Russian energy have recently experienced cyberattacks that took some systems offline. Off the record, Western governments assigned blame on Russian military intelligence services for an alarming hack that disabled Viasat, a major satellite company based in California that Ukraine, wind-energy utilities, and many other European companies use for internet service.
Nation-state attacks on critical infrastructure predate the war, of course. The North American Electric Reliability Corporation (NERC) found a 170 percent increase in ransomware activity targeting power companies from 2019 to 2020. And on a recent episode of 60 Minutes, Jen Easterly, director of the Cybersecurity
and Infrastructure Security Agency (CISA), said that Russia is
almost certainly planning to attack U.S. infrastructure directly,
and that organizations—and all of us—need to brace ourselves for the inevitable.
Is a cyber doomsday on the horizon, where state-sponsored hackers shut down utilities en masse and leave people sitting in the dark? While it may not be time to panic, experts agree it’s time to ramp up precautions, pronto.
Energy grids, critical infrastructure: ripe for a cyberattack
One energy client recently shared with Tyler Costello, regional vice president of sales for Tanium, that it had seen a 40% increase in malicious cyber activity over the previous year. “But their security budget didn’t increase by 40%,” Costello says. “And they can’t raise money the way a private entity does, because they’re heavily regulated. There are a bunch of variables in place that make utilities particularly ripe for a cyberattack.”
Among the energy grid’s top weaknesses is the mammoth size of the attack surface. “There’s a greater reliance on operational technology [OT] than there ever has been before,” says Kenneth Mendelson, senior managing director of the national security practice of Guidepost Solutions, a global security investigations, compliance, and consulting organization. Internet of things (IoT) sensors are now commonplace in manufacturing, utilities, and other critical infrastructure operations, but their security remains patchy.
Critical infrastructure is in the crosshairs right now. We’ve got to really pay attention to this.
Weak industrial SCADA (supervisory control and data acquisition) systems also manage everything from power generation to pipelines. They were initially designed to be self-contained—in part because there was no internet at the time—but they’ve been thrust into the digital age, whether they were ready or not. The systems remain vulnerable to sometimes even primitive attacks and represent some of the most fundamental vulnerabilities facing infrastructure companies today.
One of the most noteworthy attacks on SCADA systems took place in 2015 in, of all places, Ukraine, where an attacker disrupted an electrical generation system and knocked out power to 225,000 homes in the dead of winter. There was nothing particularly unique about the Ukrainian infrastructure that made this possible. Experts have noted that this methodology could certainly be repeated in other countries.
The 2015 Ukraine attack was the first publicly documented takedown of an electrical grid, but it wasn’t the last time a utility has been victimized. Water utilities have been breached, and the Colonial Pipeline debacle, which shut down fuel supplies across the U.S., continues to have a strong impact one year after the hack. In a Siemens survey from 2019, 56% of utilities said they had faced a cyberattack in the previous year.
“Critical infrastructure is in the crosshairs right now,” says Costello. “It’s particularly scary because they’re known to be weak. Russia could very easily take down New York City, or Boston, or somewhere else. We’ve got to really pay attention to this.”
Cyberwarfare experts warn: “This is happening”
The good news is that organizations in the U.S., in particular, have taken a keen interest in infrastructure security, imposing regulations and stiff fines for critical infrastructure providers that fail to comply with increasingly tight security standards. NERC, a nongovernmental “self-regulatory organization,” can fine bulk electric providers that fail to meet standards up to $1 million per violation per day. The current record for a penalty dates to 2019, when a fine of $10 million was levied against an unknown regional utility—purportedly Duke Energy—for 127 separate regulatory violations.
“Another thing that’s changed is that there is now a resource that didn’t exist previously: CISA,” says Mendelson of Guidepost Solutions. “This is one of the greatest resources available to every organization facing these threats. They provide not just a summary of each new threat, but also suggestions for mitigation, links to patches, and more. Every information security operator should bookmark [its website], because it’s incredibly useful and timely.”
This is one of the greatest resources available to every organization facing these threats.
Costello concurs: “CISA’s Shields Up initiative is really waking people up. People are finally shifting from ‘This is going to happen’ to ‘This
Practicing good cyber hygiene
Some of the best tactical advice about protecting critical infrastructure involves foundational cyber hygiene work. “Inventory everything connected to your network,” says Mendelson, “because you can’t secure what you can’t see.” He also recommends isolating SCADA devices from the corporate network. Sloppy design can lead to network segmentation and firewalls that are improperly set up. He adds: “Many people think they are offline when they’re actually not.”
The hack of the Oldsmar, Fla., water treatment plant is an example of a break-in that could have been prevented with better cyber hygiene. Even though systems were in place to prevent catastrophe, the breach had the potential to poison thousands of people with high levels of lye, the main ingredient in liquid drain cleaner.
“[Oldsmar] was an example of improper isolation of data communications and weak authentication from the water plant control room out to the internet,” says Bill Moore, CEO and founder of Xona Systems, which focuses on OT security. The Oldsmar facility did not employ multifactor authentication, compounding the problem. In an analysis, CISA said Windows TeamViewer software based on the widely used remote desktop protocol (RDP) was a critical weakness that allowed hackers to infiltrate the treatment plant. Moore notes that RDP is the top weakness that ransomware attacks exploit to this day.
Lowering cyber risk through better infrastructure
One ambitious solution is to rethink the way the world approaches infrastructure altogether. Riggs Eckelberry is CEO and founder of OriginClear, a technology startup that is looking to disrupt the water industry. OriginClear’s offering includes a futures market, an as-a-service platform, and small, prefabricated, modular water treatment systems for companies that want to ensure dedicated water supplies. Its goal is to make “do-it-yourself” water and liberate consumers from the aging, vulnerable utility grid.
“There are major problems in the water industry,” says Eckelberry. “The old, centralized model is falling apart and is underfunded by the federal government. Cyber fragility is very real.”
For Eckelberry, decentralization is one answer to cyber risk, because it spreads the attack surface across potentially hundreds of thousands of much smaller, less critical facilities. If a node goes down, the damage is contained. In addition, he says, these systems are being designed with security from the start rather than relying on upgrades to a patchwork of ancient SCADA code.
Eckelberry says that the concept of utility independence isn’t new. Consider how rooftop solar, battery storage, and even rainwater collection systems have given consumers a heightened level of security in a world in which blackouts and water rationing are on
That said, any single solution is looking increasingly like a stopgap. The problems are “massive” in the utility sector, according to Costello of Tanium, including legacy systems, scattered devices, and resource constraints. “And then they’ve got the Russians barreling down on them,” he says. “They’ve been using their fingers and toes to plug the dike, but they’re running out of fingers and toes.”