- Russian hackers have been probing the internet systems of critical infrastructure providers and the energy sector in particular has seen an increase in distributed denial of service attacks this summer, according to business analytics and security service Netscout.
- The activity associated with Russia's military was revealed in May notifications sent to hacking victims by the Federal Bureau of Investigation, and was first reported on by Wired. The cyber campaign is thought to be ongoing. Then in July, the National Security Agency issued a warning regarding threats to operational technology (OT) and industrial control systems (ICS).
- The threat to ICS and OT networks is growing and could impact critical operations, say experts. More than 70% of ICS vulnerabilities disclosed in the first half of 2020 can be exploited remotely, according to a new report by cybersecurity firm Claroty.
Two disturbing pieces of cybersecurity news highlight the ongoing threat faced by critical infrastructure providers, and in particular energy delivery companies.
“The energy sector will always be a valuable target because of the potential impact it has on such a basic service that all of us rely on," Claroty Vice President of Research Amir Preminger said in an email.
Tying together the FBI and the NSA alerts, "we can see that there is a rise in attempts to infiltrate or bring down ICS devices in energy," Preminger said.
Claroty's report on control system vulnerabilities and the ability to access them remotely comes from its assessment of 365 ICS vulnerabilities published by the National Vulnerability Database and 139 ICS advisories issued by the Industrial Control Systems Cyber Emergency Response Team in the first half of the year.
The ability for hackers to remotely exploit ICS vulnerabilities has been exacerbated by the shift to a remote workforce and the increased reliance on remote access to ICS networks in response to the COVID-19 pandemic, according to Claroty's research.
It is widely known that there are many ICS devices publicly accessible, Preminger said. "The only thing a hacker needs to do is to scan through all of those devices and find one that is misconfigured (without security settings enabled if it exists) or has a vulnerability that enables the attacker to exploit it remotely," he said.
Boston-based security firm Cybereason has created fake industrial control networks to gauge the activity of hackers. The firm says its "honeypot" operations show cyber criminals often attack the networks within hours or days of being set up.
And intruders are increasingly finding ways to move from IT networks into the OT space, according to Cybereason Chief Information Security Officer Israel Barak. In particular, they are seeking networks or machines that have shared access between information technology systems and the control systems which actually operate critical equipment.
"Some of these criminal actors have a playbook that targets industrial control systems," Barak said. "They have a playbook for moving from IT to OT networks."
While hackers' approach to pivoting from IT to OT networks may not be sophisticated, Barak said the very fact that they have a strategy for attempting this "means they've probably been doing it."
But there is some good news. Operational networks are complicated and sensitive, said Barak, potentially limiting the impact a hacker can have. "It takes a certain degree of expertise to operate them. ... If a criminal actor gains access to an electric generation facility, there's no reason to think they have any training on how to operate that facility."
Still, the opportunity for cyber intrusions is weighted to the attacker, according to Claroty's research.
"The big task for an adversary is to find one hole in the defense, while the work of a defender is to find and protect every possible hole in the entire perimeter," said Preminger.
"It only takes one mistake to give the adversary the access required to get into the OT network," Preminger said. "Once the attacker is in, we can see that he will probably meet old unpatched equipment or invest and find new vulnerabilities to use.”