What Industrial Organisations Can Learn From Nation-State Cyber Attacks

In May 2023, Denmark faced one of the most extensive cyber-attacks against its critical infrastructure to date, compromising 22 companies operating in its energy sector. 

While cyberattacks on infrastructure happen every day, the Danish case was notable for its high level of preparation. “The attackers knew in advance who they were going to target and got it right every time,” noted SektorCert, Denmark’s cybersecurity centre for the critical sectors, pointing at the likely involvement of foreign state actors.

The attack exploited a vulnerability in firewalls manufactured by the Taiwanese company Zyxel, which is widely used to protect critical infrastructure in the country.

This large-scale attack raises two questions: What would a successful cyber-attack against a country look like, and how can organisations in critical sectors avoid becoming collateral damage in geopolitical conflicts?

The Risk of a High-Impact, Low-Frequency Attack 

Organisations in critical sectors are no strangers to cyber threats. In 2022, TrendMicro found that 89% of electricity companies and 88% of oil and gas companies had experienced a cyber-attack that affected production in the past twelve months. 

However, a coordinated attack by a foreign state can exhibit levels of patience and sophistication that few cybercriminals can afford.

The attack against Denmark is sometimes referred to as a HILF event, for High-Impact, Low-Frequency: the attacker leverages custom-made malware or an unknown vulnerability to infiltrate multiple organisations, sometimes over the course of several years, then disrupts operations in a coordinated way for maximum impact.

Russia is far from the only state building that capability: the Chinese cyber operation Volt Typhoon, for example, has targeted critical sectors in several Western countries since at least 2021. Found in more than 50 power plants in the United States alone, it uses tactics to persist and evade detection for extended periods, leaving China with the theoretical capability to disrupt operations in essential sectors like energy, transportation, and water systems.

Power Plants, Transportation and Utilities on the Front Line

These sectors have several commonalities that make them high-value targets for a large-scale cyberattack. Energy, transportation and utilities all operate in networks: managing to shut down a few strategic facilities, such as power plants, refineries or electric substations, can have a rapid domino effect on large swaths of the country’s economy. 

In addition, these sectors depend on legacy technologies and systems coupled with numerous industrial control systems (ICS) that are challenging to map, inventory and protect. State-affiliated actors have been known to develop malware that specifically targets these systems: Russia’s CHERNOVITE group, for example, is known to use an ICS malware framework targeting the power and natural gas sectors.

Infiltrating OT Systems to Cause Physical Disruptions

To achieve physical consequences from a cyber-attack, a key objective is to infiltrate Operational Technology (OT) systems - the hardware and software responsible for controlling and monitoring industrial equipment and processes. 

Threat actors can then attempt to disrupt operations in a number of ways, such as triggering equipment malfunctions, disabling controls, or overloading critical infrastructure. In recent years, hackers have used these tactics to attempt to poison drinking water in Florida and California and force shutdowns of oil refineries.

These OT systems have increasingly become a cybersecurity battleground. According to a March 2024 report by cybersecurity firm Palo Alto, “3 out of 4 organisations state they have experienced a cyberattack on their OT environment, with most experiencing frequent attacks.” Reports indicate that OT cyberattacks have surged by 50% in the past year.

These attacks exploit the fact that OT environments are inherently less secure. Often conceived without cybersecurity in mind due to their historical separation from IT networks and the Internet, many industrial devices lack basic security measures and controls, like passwords or multi-factor authentication. However, companies increasingly connect OT systems to the organisation’s IT networks for integration with other enterprise solutions and for benefits like asset optimisation, predictive maintenance, and advanced analytics, making these systems more exposed and vulnerable. 

Inventory and Patching Challenges Increase Cyber Risk

This interconnectedness means that attacks can start in one environment and move to another: a vulnerability exploited in the IT network can give attackers a pathway into OT environments if proper visibility and inventory controls are lacking.

The complexity has only increased as the number of devices in a company’s network has skyrocketed. Employees now connect from multiple terminals, and industrial sites host thousands of sensors and connected devices. Companies often struggle to keep track of all these devices and the software or firmware they use—an issue that applies not just to industrial systems but also to IT environments, which are often seen as more "mature" from a cybersecurity perspective.

Another complication for ICS is patching. While patching may not always be the most effective control for OT environments, it remains a valuable security measure. Yet, the process is often slowed down and made inefficient by low visibility and the need for vendor approvals.

For example, among EU companies in critical sectors, one in seven (13.5%) has no visibility over the patching of most of their assets. Additionally, because these sectors operate 24/7, over half (54%) of these organisations report that it takes more than a month to patch a known vulnerability, leaving gaps that attackers can exploit.

Raising Cyber Defences

Western nations are increasingly mandating stronger cybersecurity measures for critical sectors. In the EU, the NIS2 Directive, which must be adopted this month, imposes strict cybersecurity requirements on 18 critical sectors, including state-of-the-art practices, risk management, rapid incident reporting, and regular security assessments.

However, these regulations outline end goals rather than specific strategies, leaving companies to take decisive action to protect their operational technologies.

An effective approach to risk management should include asset visibility, vulnerability management, and configuration management. While risk can never be fully eliminated, organisations can mitigate it by focusing on the most critical issues and allocating resources where they will have the greatest impact. A shift from task-based execution to a risk-based strategy ensures operations remain safe, profitable, and secure without unnecessary disruptions.

Without a clear understanding of the OT assets within the organisation, how they are connected and how they communicate, it is impossible to assess the attack surface, develop adequate vulnerability management, or defend against sophisticated attacks. This enhanced visibility enables two critical actions: automating inventory processes to eliminate blind spots, and reducing risk by reviewing which assets are reachable and cross-referencing them with vulnerability databases, such as NIST's National Vulnerability Database. While no database is perfect or always up to date, these sources, when properly enhanced, are valuable tools for prioritising mitigation efforts.
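The inventory cross-referencing and prioritisation described above, as an added example that is not part of the original article or any vendor product. The asset inventory, the vulnerability feed entries (vendor "ExampleVendor", the "CVE-EXAMPLE-…" identifiers) and the zone weighting are all constructed for illustration; a real run would load the inventory from the asset-discovery tool and the feed from the NVD.

```python
"""Cross-reference an OT asset inventory with a vulnerability feed and rank
remediation work by risk. Sample data below is constructed, not real."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    product: str
    firmware: str
    zone: str  # "dmz": reachable from the IT network; "cell": OT-only segment


@dataclass(frozen=True)
class Advisory:
    cve: str
    vendor: str
    product: str
    fixed_in: str  # firmware versions strictly below this are affected
    cvss: float


def version_key(version):
    """Compare firmware strings numerically, tolerating suffixes like '4.7.0a'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(asset, adv):
    return (asset.vendor == adv.vendor and asset.product == adv.product
            and version_key(asset.firmware) < version_key(adv.fixed_in))


# Reachability multiplier: an exposed asset with the same CVSS ranks higher.
ZONE_WEIGHT = {"dmz": 1.5, "cell": 1.0}


def prioritise(assets, advisories):
    """Return (risk score, asset, CVE) tuples, highest risk first."""
    findings = [(round(adv.cvss * ZONE_WEIGHT[a.zone], 1), a.name, adv.cve)
                for a in assets for adv in advisories if is_affected(a, adv)]
    return sorted(findings, reverse=True)


INVENTORY = [  # constructed sample inventory
    Asset("fw-dmz-01", "ExampleVendor", "EdgeFirewall", "4.7.0", "dmz"),
    Asset("plc-line3", "ExampleVendor", "CompactPLC", "2.1.5", "cell"),
    Asset("hmi-ctrl-room", "ExampleVendor", "PanelHMI", "9.0.2", "cell"),
]
FEED = [  # constructed sample advisories; identifiers are placeholders
    Advisory("CVE-EXAMPLE-0001", "ExampleVendor", "EdgeFirewall", "4.7.3", 9.8),
    Advisory("CVE-EXAMPLE-0002", "ExampleVendor", "CompactPLC", "2.2.0", 7.5),
    Advisory("CVE-EXAMPLE-0003", "ExampleVendor", "PanelHMI", "8.9.0", 8.1),
]
```

The HMI is already on a fixed firmware and produces no finding, while the exposed firewall outranks the PLC despite the feed listing both as affected.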

A robust cybersecurity strategy must also go beyond detecting intrusions or malware. State-affiliated actors are known to use legitimate tools that can evade detection for years and exploit insiders, including complicit employees.

Detecting configuration changes is essential to mitigating these risks. Broader measures, such as configuration management, policy enforcement, and regular audits, can help catch these threats before they can be exploited by malicious actors.
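The configuration-change detection this section calls for, as an added example that is not part of the original article. It fingerprints each setting of a signed-off baseline export, compares a later export against it, and flags drift in security-relevant keys; the device configurations and the list of high-risk keys are constructed for illustration.

```python
"""Detect configuration drift between a signed-off baseline export and the
current export of an OT device. Configurations below are constructed."""
import hashlib
import json

# Settings whose change should page an engineer rather than wait for an audit
# (constructed list; a real deployment derives it from its security policy).
HIGH_RISK_KEYS = {"remote_admin", "local_users", "firmware_write_protect"}


def fingerprint(config):
    """Per-setting SHA-256 so the baseline can be stored and compared without
    keeping secrets from the export in plaintext."""
    return {key: hashlib.sha256(json.dumps(value, sort_keys=True).encode()).hexdigest()
            for key, value in config.items()}


def detect_drift(baseline_fp, current_config):
    """Return one event per added, removed or changed setting, keyed by name."""
    current_fp = fingerprint(current_config)
    events = []
    for key in sorted(set(baseline_fp) | set(current_fp)):
        if key not in baseline_fp:
            change = "added"
        elif key not in current_fp:
            change = "removed"
        elif baseline_fp[key] != current_fp[key]:
            change = "changed"
        else:
            continue
        events.append({"key": key, "change": change,
                       "severity": "high" if key in HIGH_RISK_KEYS else "review"})
    return events


BASELINE = {  # constructed: configuration approved at commissioning
    "remote_admin": {"enabled": False},
    "local_users": ["operator"],
    "ntp_server": "10.0.0.5",
    "firmware_write_protect": True,
}
CURRENT = {  # constructed: export taken during a later audit
    "remote_admin": {"enabled": True, "port": 8443},
    "local_users": ["operator", "svc_maint"],
    "ntp_server": "10.0.0.5",
    "firmware_write_protect": True,
    "syslog_target": None,
}
```

Running `detect_drift(fingerprint(BASELINE), CURRENT)` yields two high-severity events (remote administration enabled, a new local account) and one review item (a new syslog setting), while the unchanged NTP and write-protect settings stay silent.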

Edgardo Moreno is Executive Industry Consultant in Asset Lifecycle Intelligence Division at Hexagon
