perators of UK power generation and distribution facilities are being urged to bolster their defences against cyberattacks after the government issued a warning earlier this month and a joint advisory with US agencies on Monday.
The advisory, titled Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices, was based on the National Cyber Security Centre’s (NCSC) work with the US FBI and Department of Homeland Security. In it, the agency said it has seen ongoing, widespread targeting of UK infrastructure by hostile state actors, focusing primarily on engineering and industrial control companies.
According to reports, these attacks have aimed to glean information needed to access critical infrastructure control systems using malware, spear phishing and login harvesting.
In an unprecedented move, the NCSC advised British critical infrastructure operators on how to respond to the threat, telling them to look carefully at devices with legacy unencrypted protocols or unauthenticated services, devices that had not been sufficiently ‘hardened’ before installation, and devices no longer supported with security patches by manufacturers or vendors.
The report also advised firms to update their passwords and IT software and to encrypt more information.
Cybersecurity firms also weighed in this week on the situation and what is needed. Marina Kidron, group leader at Skybox Security Research Lab, noted that “for sectors such as energy, manufacturing and utilities that rely on connected industrial control systems, there has been a steep increase (120 per cent) in vulnerabilities affecting these systems”.
According to Skybox’s Vulnerability and Threat Trends Report 2018, the kinds of operational technology (OT) networks used in power production and distribution are affected by both OT-specific and IT-specific vulnerabilities. It is not easy for operators to schedule OT device shutdowns for upgrades, and the human-machine interfaces (HMIs) overseeing the OT networks are often run on old, unpatched or no longer supported Windows machines.
“Such HMIs could be introducing a multitude of known and exploitable Windows vulnerabilities to an environment not built to the cybersecurity standards of corporate IT networks,” Skybox said, while “even vulnerabilities within the corporate network could be used to infiltrate the OT environment, as 81 per cent of organizations use wireless connections between their IT and OT networks.”
The firm found that in 2017, almost 200 new OT-specific vulnerabilities were published, affecting multiple vendors including Siemens, Schneider Electric, Moxa, Rockwell and others.
Azeem Aleem, director of Advanced Cyber Defence Practice EMEA at RSA Security, warned that cybersecurity “is often more complex within [critical infrastructure] environments”.
“Firstly, it is only in recent years that old manual systems have been ‘digitized’ and connected,” he said. “For years prior the whole focus has been on physical security, which means these companies are often years behind those in banking and retail.”
Aleem advised companies to “face these challenges head on, and the only way to do this is by having visibility and context. This means conducting a thorough risk assessment, understanding the dependencies between systems, using threat detection to monitor and alert on attacks, and contextualizing results with business context in order to prioritize events.
“Critical infrastructure companies are often dependent on legacy infrastructures with complex dependencies, and little visibility. They are unable to correlate security events to specific business outcomes — a problem we call the ‘Gap of Grief’. Take the recent wave of WannaCry and Petya attacks; the industry was quick to cry ‘patch’, but actually that isn’t always possible, as patching systems without proper testing could actually cause more damage.”
Piers Wilson, head of product management at Huntsman Security, pointed to an additional problem — the skills gap. He said the increased cyber risk was “made possible in part because of a lack of qualified security personnel and historic underinvestment”.
“Within two years there will be over 1.5 million security jobs unfilled globally, meaning that there simply aren’t enough resources in the UK to cope with the growing threats facing our critical infrastructure,” he said.
“Before the digital era, it was relatively simple to prevent and stop attacks, but now it’s much harder. There’s often no easy way to block all of these potential threats at the perimeter, and trying to do so will just result in security analysts becoming overwhelmed by the sheer volume of probes and false positives that mask real issues.
“Organizations must accept that traditional defences — firewalls, anti-virus etc — are simply not enough and emphasis needs to shift away from just blocking attackers to intelligent and rapid detection, containment and mitigation as soon as an attack begins. This means having first class, automated threat and security intelligence capabilities that can manage the deluge of potential problems — sorting real threats from the background noise of systems and network operation; freeing up security analysts to deal with the real problems as quickly and efficiently as possible.
“In the digital age, everyone — from the government and critical infrastructure organizations to businesses and charities — needs to accept that they can’t stop every attack at the boundary. Shifting focus will help to keep them and the rest of the UK safe.”