Under threat

Daily headlines evidence that critical national infrastructure organizations face unprecedented cyber challenges, with the last 12 months particularly brutal as cyber defences fell. In February this year KP Foods was forced to cease operations after also falling victim to a ransomware attack. In May this year, agricultural equipment giant AGCO says its business operations had been impacted after falling victim to a ransomware attack. And the organization itself doesn’t have to be affected as a cyberattack on a supplier can be just as damaging as Toyota experienced in March this year when it had to stop production following a cyberattack against Kojima Industries that supplies it with plastic parts and electronic components.

These incidents are not isolated and the threat is increasing. In fact, speaking at a cybersecurity conference, Infosecurity Europe, at the end of June [2022] Marsha Quallo-Wright, deputy director for critical national infrastructure at the National Cyber Security Centre (NCSC), said that the impact of a ransomware attack to critical infrastructure means that this attack vector is “potentially as harmful as state-sponsored attacks.” Of course, it’s not just ransomware that poses a threat as highlighted by the Department for Digital, Culture, Media & Sport (DCMS). In its policy paper titled ‘2022 cyber security incentives and regulation review’ it said: ‘For every highly sophisticated hostile state attack such as SolarWinds, there are hundreds of low-level phishing, denial of service, and ransomware attacks.’

How can critical infrastructure operators adequately defend themselves from these persistent threats?

Connectivity introduces risks
Today’s economic background has driven the need for efficiency and resiliency, resulting in massive transformation and an increased reliance on technical automation and connectivity. As illustration, when we consider food production, this is a highly competitive sector where cost is a dominating factor and waste can cripple a business. For the automotive industry, the drive to move from fossil fuels to more sustainable and green power is forcing innovation and a redesign of production lines.

To enable this evolution requires digital transformation to create new business models and ecosystems, deliver new products and services and operate more efficiently in the digital economy. Critical infrastructure typically relies upon operational technology (OT) used to control physical devices. However these systems are increasingly connected and even controlled by IT systems.

Physical devices and systems of all types – from corporate conference systems to power grids – are now network connected and programmable. New digital compute platforms and development shifts such as cloud, mobile, SaaS and DevOps have made it possible to move from concept to capability on a daily basis.

While digital transformation delivers immense benefits, it also hugely expands the attack surface organizations have to defend. And attackers have capitalized on these converged networks to move laterally from one system to another, making the compromise of just one device dangerous with an attack on an IT system rendering OT systems inoperable.

Addressing attack paths
The harsh truth is that the vast majority of attacks are preventable. Threat actors rely on leveraging unpatched, legacy vulnerabilities across a wide spectrum of software solutions to infiltrate organizations. In the case of ransomware, research from Tenable’s Security Response Team determined that over 30 known but unpatched vulnerabilities were leveraged by Conti (a ransomware gang) and its affiliates alone. Addressing these flaws would dramatically reduce the number of attack paths threat actors can exploit.

To do this requires a holistic view of both IT and OT environments, the interdependencies that exist for critical functionality, and determine where weaknesses and vulnerabilities exist. When it comes to our physical OT environments, there are a myriad of hidden systems, tucked away in a closet or hidden under a desk, that were temporarily installed, promptly forgotten, and left under protected.

Once a holistic viewpoint is established, the next step is to identify what would cause theoretical versus practical damage. From this stance steps can be taken to remediate the risks where possible, or monitor the assets related to the risk for deviations, to nullify attacks.

Knowing where to start can seem insurmountable, but there are a number of resources at hand. The UK’s NCSC published a joint cybersecurity advisory (CSA) with key cyber agencies in Australia, Canada, New Zealand and the United States that underscores a key trend regarding the most routinely exploited vulnerabilities.

The reason advisories and guidance are vital for organizations is it provides strong intelligence about which threats bad actors are actively exploiting.

If organizations fix these flaws, the vast majority of attack paths will be closed off, preventing compromise, malware infiltration and/or exfiltration of data. You can’t operate with your eyes closed!

For a list of the sources used in this article, please contact the editor

Bernard Montel
Bernard Montel is EMEA security strategist and technical director at Tenable, the Cyber Exposure company. Approximately 40,000 organizations around the globe rely on Tenable to understand and reduce cyber risk. As the creator of Nessus®, Tenable extended its expertise in vulnerabilities to deliver the world’s first platform to see and secure any digital asset on any computing platform. Tenable customers include approximately 60 percent of the Fortune 500, approximately 40 percent of the Global 2000, and large government agencies.
www.tenable.com