Critical infrastructure organisations use a special kind of technology for controlling operations, with most of these systems regarded as sensors, Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. Operational Technology (OT) is the sweeping catch-all for everything relating to these critical systems, and it lies at the operational heart of our power plants, warehouses, production lines and water treatment plants – and many more essential systems we need for everyday life.
In the past, OT systems were usually insulated from remote cyber threats due to network isolation, but things are rapidly changing, increasing the risks these critical infrastructure providers must manage. Digital transformation programmes and cost-cutting exercises, along with a push for IT/OT convergence, OT system owners are increasingly asked to integrate their systems and workforce with the IT side of the house.
Convergence, on paper, sounds great. It saves money, cross-skills staff and pushes technology management to a central service delivery model, providing better support to both environments. There is a problem, though, and it’s one that shouldn’t be ignored. Integration comes with exposure to the same threats and adversaries that enterprise security teams have faced since IT systems were first used. This is a phenomenon that has escalated in complexity and sophistication, and with the current global security situation, we are seeing huge volumes of OT attacks, with nation-state backing, targeting a broad selection of critical infrastructure providers.
Attacking Critical Systems
What is critical infrastructure? In Australia, the category is broad and includes everything from energy production to water treatment, transportation systems and education. Essential services like these are increasingly interconnected and dependent on what is known as cyber-physical systems (CPS), with 83% of critical infrastructure providers saying their systems suffered cyberattacks over the past three years.
For years, nation-state adversaries have been targeting Australian infrastructure, attacking both public and private organisations with ransomware and other malware. The Australian Cyber Security Centre (ACSC) has repeatedly warned about this escalation and has even gone as far as naming the provenance of some of these attacks.
Most worrisome – the stuff of thrillers – is the possibility of attacks on nuclear power stations and other dangerous targets where the potential for harm is greatest. Yet, the pace of change in critical infrastructure systems is such that they are not immune to being pushed through digital transformation programmes, high-risk as they are.
Most worrisome is the possibility of attacks on nuclear power stations and other dangerous targets where the potential for harm is greatest.
Take the following documented attacks on nuclear power over the past decade as some examples of where attackers have been targeting these high risk systems:
- Ukraine (2017): In 2017 the Petya/NotPetya ransomware attack caused significant disruption across various industries in Ukraine and other countries. Ukraine’s Chernobyl nuclear power plant was affected, leading to offline radiation monitoring systems. While the plant was not directly compromised, the incident showed the potential risks malware attacks on nuclear facilities posed.
- United States (2016): A report from the U.S. Department of Homeland Security and the FBI indicated an intrusion attempt targeted engineers and employees with access to control systems at nuclear power plants. The report did not specify which facilities were targeted or whether they were successful. Yet, it did underscore that these threats to nuclear power are real.
- South Korea (2014): South Korea’s nuclear power plant operator, Korea Hydro & Nuclear Power Co., suffered a successful cyber-attack in 2014. Non-critical data was stolen, but the power plant’s blueprints were leaked online. While no direct harm came from this hack, the breach raised serious concerns about critical infrastructure security. And who knows what those blueprints could be used for in the future?
Why Are OT Systems Less Secure?
OT systems are often less secure than the traditional IT side of businesses because they combine new technologies with legacy systems and communications protocols, exposing those systems to sophisticated adversaries. We’ve seen how the rise in popularity of autonomous Internet of Things devices (IoT devices) introduces millions of new attack vectors, and these devices are making their way into both the IT and OT sides of the enterprise. Even replacement devices for older technologies, such as sensors, actuators, valves, etc. which were once simple devices, are now being made smart. And with smart comes software, and with the software comes vulnerability.
Additionally, ICS and SCADA systems have been historically designed for functionality (and availability) rather than security. Hostile nations can leverage these vulnerabilities, potentially lurking dormant within our OT networks for months or years until they decide to exploit them.
In May 2021, the Colonial Pipeline ransomware attack disrupted fuel supply across numerous states in America, creating panic and chaos. This was one such attack that had massive consequences.
Supply Chain Threats
Buying components from potentially hostile nations, for implementation in our own OT networks, is not at all a new issue. It is however only in recent years, that we see governments come forward banning the sale and purchase of components produced by some large overseas manufacturers for use in critical infrastructure. For example, Chinese suppliers have become increasingly blocked by their own government, particularly in areas related to critical infrastructure, to allow the government access to their business. While there have been specific examples that were troubling, the broader underlying concerns include potential espionage, sabotage, and the possible introduction of backdoors into new products. The geopolitical tensions further complicate these concerns, leading to scrutiny and scepticism towards Chinese technology in critical infrastructure domains. The same scrutiny extends to other hostile nation-states, where government overreach and control over businesses is rife.
Learning from Global Incidents
Australia needs to take cues from the global landscape to protect its critical infrastructure. Collaboration among industries and strict adherence to standards, guidelines and frameworks are imperative, but more needs to be done. Managed service providers need to extend their capabilities in monitoring, detection, and incident response to cover the complexities of OT environments, and as businesses follow this path of convergence, those service providers need to follow suit.
Our fragile critical infrastructures are becoming highly attractive targets for malicious actors, and with the updates to the Security of Critical Infrastructure (SOCI) Act and an increased focus on cyber security across the whole of the sector, it is heartening to see our government and private entities recognising the need for urgent action. A unified approach, based on clear guidelines and standards is imperative, and only then can we pull the cyber security posture of our OT systems up enough to match IT.
Director of Research & Innovation, Sekuro
Tony has been in information and cyber security for a very long time and delivered projects and services across a bunch of different industries through a variety of different roles. Over the years, Tony has always tried to bridge the growing skills gap through his employment, by mentoring, teaching and working with other disciplines to help them understand the complexities of what we do.