By Daniel Bren, CEO & Co-Founder
Over just ten recent days, we have seen no fewer than three significant OT security events that affect critical infrastructure. Together they form a 'perfect cyber storm', encompassing the real-world legal, policy, production, and business risks facing the OT networks of critical infrastructure companies in general and energy companies in particular. These companies are consistently targeted and therefore require continuous risk assessment, monitoring, mitigation, and management. Today more than ever, fuel, oil, and energy prices are in play in the Russia-Ukraine conflict and are affected by known and still-unknown supply-chain vulnerabilities.
On March 24, 2022, the U.S. Department of Justice unsealed two criminal indictments filed last year against alleged nation-state actors: one charging three officers of Russia's Federal Security Service (FSB), the other an employee of a research institute of the Russian Ministry of Defense. The defendants are accused of hacking hundreds of critical infrastructure companies and organizations on behalf of the Russian government. The campaigns allegedly ran between 2012 and 2018 and targeted thousands of computers in approximately 135 countries.
In some cases, the defendants' alleged activity itself created supply-chain exposure for critical infrastructure and energy companies: one indictment describes the 'Havex' campaign as hiding malware inside legitimate software updates from ICS/SCADA vendors, so that customers who installed those updates themselves installed "backdoor access to compromised devices and networks." The defendants are also accused of exploiting software vulnerabilities that allowed them to run unauthorized programs remotely on the victims' devices and networks.
In principle, that access could let the defendants control production or shut down business operations. The potential threat to supply chains, and the impact on the public and the businesses that depend on energy and critical infrastructure, is enormous.
According to the indictment, the three FSB defendants' targets included the operator of a nuclear power plant in Kansas; what they are alleged to have compromised there is its business network, that is, computers not directly connected to ICS/SCADA equipment, while the earlier Havex campaign is described as compromising ICS and SCADA systems more broadly. The charges maintain that the attackers' targets also included scores of oil and gas firms, utilities, and power transmission companies.
This alleged seven-year span of global cyber attacks on critical infrastructure by nation-state actors, a significant number of which succeeded, is a warning to the energy and utility industries to proactively safeguard their operational technology.
President Biden's promise last week that the U.S. will boost liquefied natural gas (LNG) shipments to help Europe reduce its reliance on Russian energy is likely to increase the threat exposure of U.S. energy companies. In North America and abroad, these companies may face a heightened risk of cyber attacks against their converged OT/IT/IIoT systems and networks.
Such risks, whether from state-sponsored or private actors, threaten production operations and business continuity. Oil and gas companies need to be vigilant in protecting both.
Finally, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law on March 15, 2022. The law requires covered critical infrastructure entities to report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security (DHS), within 72 hours, and to report ransomware payments within 24 hours. Those obligations take effect only once CISA completes the rulemaking the Act requires, but the deadlines they set should shape incident response planning now.
This means critical infrastructure entities will need to adjust their security posture and their tolerance for cyber attack and ransomware risk. Their best option is to move from a threat detection and remediation strategy to a risk management approach, one that proactively reduces the risk of production shutdowns and supports business continuity.
Nation-states and private hacking groups have critical infrastructure and energy companies in their crosshairs. Mitigating industrial digital and cyber security risk is crucial in the face of continually escalating threats.
One of the best ways for critical infrastructure operators to deal with emerging threats, whether spillover from cyber war or direct attacks by nation-states or other bad actors, is to get basic cyber hygiene right.
That means taking a proactive approach to OT security risk: establish visibility into the OT network and the assets and protocols on it, analyze which of those assets are exposed and to whom, and mitigate the resulting risks in priority order.
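As an illustration of the visibility, exposure and mitigation steps above, here is a small exposure analysis written for this post; it is an added example, not OTORIO's product or code. It takes a constructed OT asset inventory (what a visibility pass would produce) and a constructed zone-to-zone firewall policy, then ranks every industrial or remote-access service that a less trusted zone can reach, either directly or by pivoting through a zone the policy lets in. The zone names and trust order, the service and role weights, the sample assets and the sample rules are all assumptions made for the example.

```python
"""Exposure analysis over a constructed OT asset inventory (added example; not OTORIO's tooling).

Inputs are constructed: an asset list and a zone-to-zone firewall policy.  Output: ranked
findings of industrial or remote-access services reachable from a less trusted zone, directly
or by pivoting through a zone the policy permits.  All weights and zone names are assumptions.
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Assumed Purdue-style trust ordering: lower = closer to the physical process.
ZONE_TRUST = {"process": 0, "control": 1, "dmz": 2, "enterprise": 3, "internet": 4}

# Assumed weights: unauthenticated control protocols rank highest, remote access next.
SERVICES = {
    502: ("Modbus/TCP", 3),
    102: ("S7comm", 3),
    44818: ("EtherNet/IP", 3),
    135: ("OPC Classic/DCOM", 2),
    4840: ("OPC UA", 1),
    3389: ("RDP", 2),
    5900: ("VNC", 2),
}
ROLE_WEIGHT = {"plc": 3, "hmi": 2, "ews": 2, "historian": 1}  # assumed asset criticality


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    zone: str
    role: str
    ports: tuple


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: Optional[frozenset]  # None means the rule permits any port


@dataclass
class Finding:
    asset: str
    service: str
    from_zone: str
    path: list  # zones traversed, attacker's starting zone first, asset's zone last
    score: int

    def pivots(self) -> int:
        return len(self.path) - 2

    def mitigation(self) -> str:
        hop, dst = self.path[-2], self.path[-1]
        if self.pivots() == 0:
            return f"restrict {hop}->{dst} access to {self.service}"
        return (f"{self.service} is open from {hop}; restrict {hop}->{dst} "
                f"and tighten the {self.path[0]}->{self.path[1]} entry point")


def allows(rules, src, dst, port) -> bool:
    """True if some rule lets traffic from zone src reach zone dst on this port."""
    return any(r.src == src and r.dst == dst and (r.ports is None or port in r.ports)
               for r in rules)


def zone_paths(rules, start):
    """Shortest zone-hop paths from start; any permitted traffic counts as an edge."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for r in rules:
            if r.src == zone and r.dst not in paths:
                paths[r.dst] = paths[zone] + [r.dst]
                queue.append(r.dst)
    return paths


def analyze(assets, rules):
    """Score = service weight * role weight * trust gap, divided by (1 + pivots needed)."""
    findings = []
    for a in assets:
        for port in a.ports:
            if port not in SERVICES:
                continue
            service, svc_w = SERVICES[port]
            for zone, trust in ZONE_TRUST.items():
                gap = trust - ZONE_TRUST[a.zone]
                if gap <= 0:
                    continue  # only less trusted zones count as exposure
                # Nearest zone on a path from `zone` whose policy passes this port to the asset.
                for hop, path in sorted(zone_paths(rules, zone).items(), key=lambda kv: len(kv[1])):
                    if hop != a.zone and allows(rules, hop, a.zone, port):
                        full = path + [a.zone]
                        base = svc_w * ROLE_WEIGHT[a.role] * gap
                        findings.append(Finding(a.name, service, zone, full, base // (len(full) - 1)))
                        break
    findings.sort(key=lambda f: (-f.score, f.asset, f.service, f.from_zone))
    return findings


# Constructed inventory and policy (assumptions for the example).
ASSETS = [
    Asset("PLC-1", "10.10.1.5", "process", "plc", (502, 102)),
    Asset("HMI-1", "10.10.2.10", "control", "hmi", (3389, 135)),
    Asset("EWS-1", "10.10.2.20", "control", "ews", (3389, 5900)),
    Asset("HIST-1", "10.10.3.5", "dmz", "historian", (4840,)),
]
RULES = [
    Rule("internet", "enterprise", frozenset({443})),
    Rule("enterprise", "dmz", frozenset({4840})),
    Rule("enterprise", "control", frozenset({3389})),  # vendor remote access left open
    Rule("dmz", "control", frozenset({135})),           # OPC Classic from the historian zone
    Rule("control", "process", None),                   # flat control/process segment
]

if __name__ == "__main__":
    for f in analyze(ASSETS, RULES):
        print(f"{f.score:>3} {f.asset:<7} {f.service:<17} via {' > '.join(f.path)}  ->  {f.mitigation()}")
```

In this constructed network the top findings are the PLC's Modbus/TCP and S7comm services reachable from the enterprise zone through the open RDP rule into the control zone: no rule exposes the PLC directly, which is exactly the kind of exposure a port-by-port firewall review misses and a risk-based view catches. VNC on the engineering workstation produces no finding because no policy path carries that port, and the historian's OPC UA service scores lowest. Real inventories come from passive traffic capture or asset discovery rather than a hand-written list, and the weights should be tuned to the plant's own consequence analysis.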
Securing energy and critical infrastructure networks demands a different approach to digital and cyber security. Critical infrastructure operators and government agencies are increasingly aware that attack mitigation tools must be designed and built from the ground up for OT ecosystems, with operational processes and business continuity as their first priority.
If you’d like to learn more, I invite you to visit OTORIO’s website for additional insights from our OT Digital and Cyber Security experts.