What Industrial Organisations Can Learn From Nation-State Cyber Attacks

Uploaded on 2024-10-31 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Production-Utilities, BUSINESS-Production-Manufacturing, BUSINESS-Production-Energy

In May 2023, Denmark faced one of the most extensive cyber-attacks against its critical infrastructure to date, compromising 22 companies operating in its energy sector. 

While cyberattacks on infrastructure happen every day, the Danish case was notable for its high level of preparation. “The attackers knew in advance who they were going to target and got it right every time,” noted SektorCert, Denmark’s cybersecurity centre for the critical sectors, pointing at the likely involvement of foreign state actors.

The attack exploited a vulnerability in firewalls manufactured by the Taiwanese company Zyxel, which is widely used to protect critical infrastructure in the country.

This large-scale attack raises two questions: What would a successful cyber-attack against a country look like, and how can organisations in critical sectors avoid becoming collateral damage in geopolitical conflicts?

The Risk of a High-Impact, Low-Frequency Attack 

Organisations in critical sectors are no strangers to cyber threats. In 2022, TrendMicro found that 89% of electricity companies and 88% of oil and gas companies had experienced a cyber-attack that affected production in the past twelve months. 

However, a coordinated attack by a foreign state can exhibit levels of patience and sophistication that few cybercriminals can afford.

The attack against Denmark is sometimes referred to as a HILF, for High Intensity, Low Frequency: leveraging a custom-made malware or an unknown vulnerability to infiltrate multiple actors, sometimes over the course of several years, then disrupt operations in a coordinated way for maximum impact.

Russia is far from the only state building that capability: the Chinese cyber operation Volt Typhoon, for example, has targeted critical sectors in several Western countries since at least 2021. Found in more than 50 power plants in the United States alone, it uses tactics to persist and evade detection for extended periods, leaving China with the theoretical capability to disrupt operations in essential sectors like energy, transportation, and water systems.

Power Plants, Transportation and Utilities on the Front Line

These sectors have several commonalities that make them high-value targets for a large-scale cyberattack. Energy, transportation and utilities all operate in networks: managing to shut down a few strategic facilities, such as power plants, refineries or electric substations, can have a rapid domino effect on large swaths of the country’s economy. 

In addition, these sectors also depend on legacy technologies and systems coupled with numerous industrial control systems (ICS) that are challenging to map, inventory and protect. State-affiliated actors have been known to develop malware that specifically aims at these systems: Russia’s CHERNOVITE group, for example, is known to use an ICS malware framework targeting the power and natural gas sectors. 

Infiltrating OT Systems to Cause Physical Disruptions

To achieve physical consequences from a cyber-attack, a key objective is to infiltrate Operational Technology (OT) systems - the hardware and software responsible for controlling and monitoring industrial equipment and processes. 

Threat actors can then attempt to disrupt operations in a number of ways, such as triggering equipment malfunctions, disabling controls, or overloading critical infrastructure. In recent years, hackers have used these tactics to attempt to poison drinking water in Florida and California and force shutdowns of oil refineries.

These OT systems have increasingly become a cybersecurity battleground. According to a March 2024 report by cybersecurity firm Palo Alto, “3 out of 4 organisations state they have experienced a cyberattack on their OT environment, with most experiencing frequent attacks.” Reports indicate that OT cyberattacks have surged by 50% in the past year.

These attacks exploit the fact that OT environments are inherently less secure. Often conceived without cybersecurity in mind due to their historical separation from IT networks and the Internet, many industrial devices lack basic security measures and controls, like passwords or multi-factor authentication. However, companies increasingly connect OT systems to the organisation’s IT networks for integration with other enterprise solutions and for benefits like asset optimisation, predictive maintenance, and advanced analytics, making these systems more exposed and vulnerable. 

Inventory and Patching Challenges Increase Cyber Risk

This interconnectedness means that attacks can start in one environment and move to another: a vulnerability exploited in the IT network can give attackers a pathway into OT environments if proper visibility and inventory controls are lacking.

The complexity has only increased as the number of devices in a company’s network has skyrocketed. Employees now connect from multiple terminals, and industrial sites host thousands of sensors and connected devices. Companies often struggle to keep track of all these devices and the software or firmware they use—an issue that applies not just to industrial systems but also to IT environments, which are often seen as more "mature" from a cybersecurity perspective.

Another complication for ICS is patching. While patching may not always be the most effective control for OT environments, it remains a valuable security measure. Yet, the process is often slowed down and made inefficient by low visibility and the need for vendor approvals.

For example, among EU companies in critical sectors, one in seven (13.5%) has no visibility over the patching of most of their assets. Additionally, because these sectors operate 24/7, over half (54%) of these organisations report that it takes more than a month to patch a known vulnerability, leaving gaps that attackers can exploit.
Raising Cyber Defences

Western nations are increasingly mandating stronger cybersecurity measures for critical sectors. In the EU, the NIS2 Directive, which must be adopted this month, imposes strict cybersecurity requirements on 18 critical sectors, including state-of-the-art practices, risk management, rapid incident reporting, and regular security assessments.

However, these regulations outline end goals rather than specific strategies, leaving companies to take decisive action to protect their operational technologies.

An effective approach to risk management should include asset visibility, vulnerability management, and configuration management. While risk can never be fully eliminated, organisations can mitigate it by focusing on the most critical issues and allocating resources where they will have the greatest impact. A shift from task-based execution to a risk-based strategy ensures operations remain safe, profitable, and secure without unnecessary disruptions.

Without a clear understanding of the OT assets within the organisation—how they are connected and communicating—it's impossible to assess the attack surface, develop adequate vulnerability management, or defend against sophisticated attacks. This enhanced visibility allows for two critical actions: automating inventory processes to eliminate blind spots and reducing risk by reviewing accessible assets and cross-referencing them with vulnerability databases, such as the NIST's National Vulnerability Database. While no database is perfect or always up to date, these sources - when properly enhanced - are valuable tools for prioritising mitigation efforts.

A robust cybersecurity strategy must also go beyond detecting intrusions or malware. State-affiliated actors are known to use legitimate tools that can evade detection for years and exploit insiders, including complicit employees.

Detecting configuration changes is essential to mitigating these risks. Broader measures, such as configuration management, policy enforcement, and regular audits, can help catch these threats before they can be exploited by malicious actors.

Edgardo Moreno is Executive Industry Consultant in Asset Lifecycle Intelligence Division at Hexagon

Image: pixabay

You Might Also Read:

Industrial Operating Technology Faces An Urgent Challenge:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Trump Campaign A Target For Attacks From China
2024 US Presidential Election Cyber Intrusion: Part 5 - Cybercrime Threats »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

RSA Security

RSA Security

RSA provide cybersecurity products for Threat Detection and Response, Identity and Access Management, Governance, Risk and Compliance, and Fraud Prevention.

MSAB

MSAB

MSAB is a pioneer in forensic technology for mobile device examination.

National Defense Industry Association (NDIA)

National Defense Industry Association (NDIA)

The National Defense Industrial Association Cyber Division contributes to US national security by promoting interaction between the cyber defense industry, government and military.

PECB

PECB

PECB is a certification body for persons, management systems, and products on a wide range of international standards in a range of areas including Information Security and Risk Management.

Sensible Vision

Sensible Vision

SensibleVision helps organizations transparently protect data and prevent costly security breaches by constantly verifying the identities of people who use computers or mobile devices.

Intelligent Waves

Intelligent Waves

Intelligent Waves holds and manages contracts to provide an array of intelligence, operational, communications and IT support to the USG in austere, forward-deployed, hazardous duty environments.

Codified Security

Codified Security

Codified is a testing platform for mobile application software. We make it easier than ever for companies to detect and fix security vulnerabilities and ensure their applications are compliant.

Hellenic Accreditation System (ESYD)

Hellenic Accreditation System (ESYD)

ESYD is the national accreditation body for Greece. The directory of members provides details of organisations offering certification services for ISO 27001.

IT Career Switch

IT Career Switch

An IT Career Switch Traineeship is the easiest way to start a new career in IT or Cybersecurity with fantastic career prospects.

ITonlinelearning

ITonlinelearning

ITonlinelearning specialises in providing professional certification courses to help aspiring and seasoned IT professionals develop their careers.

TechRate

TechRate

Techrate is an analytics agency focused on blockchain technology and engineering. Or expertise includes security and technical audits of projects.

Caveonix

Caveonix

Caveonix’s RiskForesight TM solution is an automated, proactive risk and compliance platform designed for hybrid and multi-cloud.

SECFORCE

SECFORCE

SECFORCE is a leading information security consultancy specialising in bespoke penetration testing and red team engagements.

Microchip Technology

Microchip Technology

Microchip Technology Inc. is a leading provider of smart, connected and secure embedded control solutions.

Alias Robotics

Alias Robotics

Alias Robotics is a robot cyber security company. We deliver cyber security solutions for robots and robot components.

PCS Security (PCSS)

PCS Security (PCSS)

PCS Security provides secure, reliable and state-of-the-art security solutions to help our customers address their security concerns.