Two years ago, a survey of security experts conducted by Intel Security and the Aspen Institute revealed how experts feared that a cyber-attack on critical infrastructure was very likely.
Then in 2016, cyber-criminals struck, causing a widespread power outage in parts of Ukraine during the night before Christmas.
Researchers at ESET and Dragos Inc have warned that Industroyer, the malware used by cyber-criminals, is ‘capable of doing significant harm to electric power systems and could also be refitted to target other types of critical infrastructure.’
“The potential impact may range from simply turning off power distribution, cascading failures and more serious damage to equipment. The severity may also vary from one substation to another, as well,” noted Anton Cherapanov, a security researcher at ESET.
The fact that similar industrial communication protocols are used by power grids in many countries means that hackers can target multiple targets using the same warheads. What’s worse is that such protocols are used by governments to regulate not only power distribution but water and gas distribution as well.
“Regardless of whether or not the recent attack on the Ukrainian power grid was a test, it should serve as a wake-up call for those responsible for the security of critical systems around the world,” Cherapanov warned.
As it turns out, Industroyer wasn’t the first malware to have successfully brought down a country’s infrastructure to its knees. Back in 2009, The United States and Israel reportedly attacked an Iranian nuclear enrichment facility to destroy centrifuges by using a malware code-named ‘Stuxnet’.
Even in the UK, critical national infrastructure, including the National Grid, are routinely targeted by cyber-attacks and energy firms in the country are fighting “ongoing, constant, relentless wars” along with the GCHQ.
“There are, at National Grid, people of very high quality who recognize the risks that these attacks pose, and who are fighting them off, but we can’t expect them to win forever,” said James Arbuthnot, a member of the UK Parliament’s Defense Select Committee in 2015.
Earlier this year, a Kaspersky Labs research revealed that as many as 40% of all industrial control systems (ICS) and critical infrastructure faced at least one cyber-attack in the last six months of 2016. The report also stated that while 17% of industrial computers were targeted by July of last year, the percentage grew to 24% by December.
“Exploitation of software vulnerabilities in enterprise industrial networks, particularly critical infrastructure objects, can lead to disastrous consequences. Finding and eliminating these vulnerabilities, in addition to developing more advanced industrial solutions and specialized security tools, is a top-priority task for security experts,” noted researchers at Kaspersky Labs.
The researchers expressed their displeasure with the ‘approach of industrial software vendors to closing vulnerabilities and the situation with fixing known vulnerabilities at enterprises.’ While malware attacks are becoming increasingly sophisticated and damaging, known vulnerabilities continue to remain and the general belief that a system can be protected by disconnecting it from the internet is far from the truth.
“The emergence of large-scale malicious campaigns targeting industrial enterprises indicates that black hats see this area as promising. This is a serious challenge for the entire community of industrial automation system developers, owners and operators of such systems, and security vendors. We are still remarkably languid and slow-moving in most cases, which is fraught with dangers under the circumstances,” they concluded.