Malicious actors are targeting critical infrastructure
Just like global warming, this fact cannot be overcome by burying your head in the sand. Some rather malevolent groups out there are targeting critical infrastructure and we are not doing enough to prepare.
Two years on from the Ukrainian power grid hack, in which hackers took control of Ukraine’s power grid and plunged thousands of homes and establishments into darkness for hours, we are no more prepared today to tackle hacker groups targeting critical infrastructure.
The Ukrainian power grid is just one example of the rising number of critical facilities and industrial networks coming under attack across a wide range of industries. Many of these attacks are not specifically targeted at industrial networks, explains Galina Antova, CEO of OT security supplier Claroty. “The industrial networks have been affected by some of the ransomware attacks out there. They were not necessarily targeting the industrial networks, but ended up impacting the industrial networks nonetheless.”
WannaCry, a particularly virulent strain of ransomware—software that encrypts victims’ networks and holds them for ransom—caused widespread harm when it struck in May. Older networks—many of which are industrial networks—are particularly vulnerable to attack. Chocolate maker Mondelez International was one of several manufacturers reporting revenue lost to ransomware in 2017.
Part of what has made these attacks so effective is that cyber criminals now have access to more sophisticated tools than ever before, Antova says. “It’s the first time in history that non-nation-state actors have access to nation-state capabilities,” she says. Following an August 2016 attack on the U.S. National Security Agency (NSA), hackers have distributed tools developed by the spy agency through the digital underground. “Now you’ve got the ultimate weapon; you’ve got a nation-state weapon.”
FERC Proposes Updates to Critical Infrastructure Protection Standards for Cybersecurity
The Federal Energy Regulatory Commission (FERC) published a notice of proposed rulemaking (NPRM), suggesting updates to the Critical Infrastructure Protection (CIP) Reliability Standard governing cybersecurity management controls for bulk electric system (BES) assets, called CIP-003. The CIP program is a collection of standards designed to address the security of the bulk power system.
“Over the last decade NERC CIP regulations have helped propel cybersecurity programs for large scale power producers forward. The move to expand to low impact operators is therefore not a surprise, and should be welcomed,” Edgard Capdevielle, CEO at Nozomi Networks, commented.
“That said, it’s a common adage in the industry that regulations alone do not ensure cybersecurity, but what it does is ensure the issue is elevated which generates awareness amongst top management. In tandem, guidelines can also fuel the basics of a cybersecurity program and many power producers have used these regulations as a foundation for their own cybersecurity programs.
“In recent years we have seen grid security surge forward, perhaps in spite of regulation, as resilience is recognized as essential to all those operating the grid. Fortunately for power system operators of all sizes, new technology innovations are giving operators the tools to rapidly identify and mitigate cybersecurity threats to the systems that operate power generation and distribution.”
President Trump’s nominee to lead the Department of Homeland Security, Kirstjen Nielsen, testified Wednesday that cyberattacks are the greatest threat to U.S. national security, and would be the organization’s primary focus if she were confirmed to lead the department.
“Each aspect of the department’s mission is important and as has been mentioned, there are many,” Nielsen told the Senate Homeland Security Committee Wednesday morning. “I believe one of the most significant for our nation’s future is cybersecurity and the overall security and resilience of our nation’s critical infrastructure.”
Many countries are looking to take the lead from the US, but so far there has not been a coordinated response to state-sponsored or other actors targeting critical infrastructure. Maybe that is about to change?