Before the recent natural disasters, I could describe to you how we as a community might recover after a cyberattack to our critical infrastructure, but it would be hard to imagine. Some may argue that it would be too extreme of a scenario to consider and that we would never get to the point where we had to prioritize which lives to save because there is not enough gas in the generator to provide power in an operating room to operate on two patients. However, with the earthquakes and hurricanes in recent months the scenario is no longer fictional — we are now able to see what it would be like to be without critical infrastructure.
This reality has been played out on our screens — of people collecting water from natural springs, preparing food over an open fire, and communicating with AM radio or (if you’re lucky) satellite phone. We can see for ourselves how without operational critical infrastructure, daily conveniences of everyday necessities as we know them would be gone. Could the loss of critical infrastructure across a nation feasibly occur? Or would it take only major hubs of water, gas and electricity to be attacked for life as we know it to be set back 30 years before we can imagine that?
Critical infrastructure cyberattacks go back as far as 1982. The first notable attack was the “Farewell Dossier” by the CIA against the Soviet Union. While this attack remains unconfirmed, it has been written about. And cyberattacks across public and private sectors continue to increase. In 2016, multi-vector attacks increased by 322 percent from 2015. How does this impact attacks against critical infrastructure? Since it has become easier to execute attacks against the private and public sector, an attack at the infrastructure level becomes more attractive especially to nation state actors. Critical Infrastructure sectors have historically been known to be slow to patch vulnerabilities and update technology. Because of these characteristics we can see the progression of critical infrastructure attacks when we look back at the past three years.
In 2014, Stuxnet made the public aware of the reality of critical infrastructure cyberattacks by a nation state. Stuxnet would also be one of the earliest examples of an IoT attack where the programmable logic controllers that connected to the system were infected. The following year an attack of the Western Ukraine electrical grid left 230,000 people without power for six hours. The root of the attack was the firmware that was overwritten across substations. By overtaking the supervisory control and data acquisition (SCADA) system the attack disabled remote operation of the substations. Other SCADA attacks occurred across Europe shortly after.
In the US on October 21, 2016, the Mirai botnet executed a DDoS attack. Comprised of 45,000 IoT bots it successfully brought down DYN, the domain provider. It impacted mainly the east coast DNS service, leaving several internet services we use as part of our everyday life (Twitter, PayPal, and others) inaccessible.
The attack was eventually resolved on the east coast, but similar attacks were later noted in parts of the west coast and Europe. Besides the websites and web services that were affected, Verizon Communications services from broadband to cell phone were also crippled, limiting the means of communication for the east coast of the US. Several groups claimed responsibility, but no one to date has been confirmed as the true attacker. Communications is defined as a “lifeline” component of critical infrastructure by the US Department of Homeland Security.
This year the systems of the National Health Services (NHS) in the United Kingdom were crippled by a WannaCry ransomware attack affecting all systems including telephones. Surgeries and medical appointments across Britain and Scotland were cancelled. The staff was forced to use private mobile phones, pen and paper, and accept only emergency patients. This could have been prevented if the systems had been up to date with OS patches to their systems. Over 300,000 computers globally were infected by the same ransomware virus, which is believed to have spread via email. The public health security is also a considered a “lifeline” component of critical infrastructure.
The Role of IoT in Critical Infrastructure
Research continues to better understand the IoT devices that may be vulnerable to the Brickerbot, the denial-of-service botnet. Brickerbot has already successfully “bricked” 5,000 IoT devices at an unnamed university in the US. The spread of this bot into government organizations could have irreversible major impacts in all areas of critical infrastructure.
The growing concerns in the advancement of critical infrastructure cyberattacks are that they may lead to the contamination of the water supply, loss of power across major cities causing everything from ATMs to traffic lights to go dark. An additional concern is that this may ultimately impact branches of the military and our national security. As demonstrated by the NHS attack, the malicious email campaign started in the private sector and spread across into the public sector. Therefore, both the private and the public sectors need to work together to successfully prevent a major attack.
Securing Critical Infrastructure Through Partnership
In the US the National Infrastructure Advisory Council (NIAC), a department of the DHS, advises on counterterrorism. The NIAC provides guidance to the Secretary of Homeland Security on the security of the critical infrastructure sectors. In August this year the NIAC published the report Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure. The council outlined findings from interviewing cybersecurity industry experts, acknowledging that the private sector is in the frontlines of defense for infrastructure in the US. The overall theme of the report focused on the collaboration between public and private sectors to discuss, investigate, and take action on areas of critical infrastructure that are targets for a cyberattack.
Notable highlights of the NIAC report included:
- Establishing separate secure communication networks
- Forming a joint task force comprised of public and private industry experts from communications, financial, and electrical power sectors.
- Creating a shared platform between private and public sector to share cyber threat information
How to Build a Secure IoT Platform
The IoT presents an emerging and significant risk to communications and infrastructure platforms. There are several layers that need to be protected to prevent threat actors from intercepting and misusing data in IoT platforms. In the private and public sector, protecting the web app or the platform that communicates with the devices at the end points is critical. With customers relying on availability, data privacy and service integrity, platform security is indispensable for businesses.
- The IoT platform needs to be highly available so its devices can connect and perform their tasks. An unplanned downtime for medical device companies can be very disruptive and dangerous. What happens if your medical device cannot connect to the platform?
- The data exchanged between IoT devices and its platform needs to be secure. Data and privacy breaches are getting more frequent as threat actors target personal data through attacks on web and mobile phone cameras and appliances.
- The apps need to be secured so no one can manipulate devices to do malicious things. Breaches in extreme situations in connected automobiles can include hackers taking over the control of a car by hacking into the geolocation app.
Security solutions that help companies protect the platform and devices they communicate with can add the first and critical layer of protection. Their primary goal is to shield IoT platforms from any kind of external threat that may impact availability, data integrity or control.
To find out more about how to protect IoT platforms against attacks, read our blog post and see how the following threats can be blocked:
- DDoS attacks
- Web threats
- Data theft
- Automation and bots
Protecting critical infrastructure involves policies and security at a granular level. It starts with private- and public-sector collaboration supported by protecting the controls and platform for the infrastructure runs on.