This week’s news that malware caused a major blackout in Ukraine last month has many on edge. The blackout affected hundreds of thousands of homes and shut down at least three regional Ukrainian utilities. The Ukrainian Security Service blamed Russia for the outages, and the attack raised concern that other countries could face similar tactics.
ESET, a Bratislava-based security software firm, studied samples of the malicious code and said the malware caused the blackout. This is reportedly the first proven malware-caused blackout.
Power generation facilities, metropolitan traffic control systems, water treatment systems and factories have all recently been targeted by attackers, according to Oded Gonda, a vice president of Network Security Products at Check Point, writing for ContinuityCentral.com. Perhaps the best known infrastructure attack was the Stuxnet attack on Iran’s nuclear facilities, discovered in 2010.
In 2008, a cyber attack caused a gas pipeline to explode in Turkey. At the time, the BP-owned Baku-Tbilisi-Ceyhan pipeline was thought to be one of the most secure pipelines in the world, yet hackers were able to use a wireless network to hack into the system controlling the pipeline and cause massive damage.
In 2014, the U.S. Department of Homeland Security announced it would investigate the possibility that the Havex Trojan had targeted industrial control systems, compromising over 1,000 energy companies across Europe and North America.
In November 2014, NSA Director Navy Adm. Michael Rogers told the House Permanent Select Committee on Intelligence that a number of foreign governments had already managed to penetrate U.S. energy, water and fuel distribution systems.
A growing concern
Cyber attacks on critical infrastructure appear to be on the rise, and are a growing concern for organizations and governments across the globe.
“Vulnerabilities in these systems vary from basic issues, such as systems without passwords or with default-only passwords, to configuration issues and software bugs,” wrote Gonda. “But once an attacker is able to run software that has access to a controller, the likelihood of a successful, damaging attack is high.”
According to an October 2015 report in CyberWarNews, “every bit of U.S. infrastructure – from power grids to dams to air and ground traffic control to water treatment plants and our financial institutions – are all accessible online. And while these systems are defended, some are still more vulnerable than others.”
Infrastructure attacks have the potential to severely impact service uptime, data integrity, compliance and even public safety, and require that organizations take steps to deal with these security concerns.
"The alarming aspect of this attack was that the infection vector that the malware was getting in was phishing mail with a malicious attachment, which is quite a trivial way to get in," said Robert Lipovsky, senior malware researcher at ESET. "It's alarming that it was so easy."
Tripwire recently conducted a survey of utilities about their cybersecurity efforts. Some 48% of U.S. utilities surveyed said they needed additional cyber protection. More than 20% said they “didn’t know.”
There are some efforts under way to address these vulnerabilities. A new set of cybersecurity standards from U.S. federal regulators will impose expanded requirements on U.S. utilities, including stricter security regulations meant to help mitigate cybersecurity threats. Some of those regulations are due to go into effect in April.
CIOs can help protect their companies by ensuring they have solid business continuity and disaster recovery plans in place and by practicing aggressive cybersecurity measures.