Digitization and cyber security – How to Make Digital World Secure
Earlier, protecting the infrastructures was a purely physical matter: thick walls, high fences, and partially armed personnel were key to protecting our energy, transportation, and water infrastructure from potential threats. This status quo has existed for a surprisingly long time, but now almost every other aspect of our lives has been increasingly digitized. Most industries have fully embraced digital transformation in recent years and the business world has become dependent on a highly complex network of networked technologies. Our private lives are also shaped by digital technology, which has become the de facto standard for everything – from paying bills to monitoring our health.
The digital transformation
But in the meantime, digital change with its prospect of greater efficiency and greater flexibility has also reached the industrial world. Networked information and communication technologies that drive business and commerce are rapidly growing together with the operational technologies (OT) that control our critical infrastructure. The combination of advanced computer technology and industrial automation helps to increase productivity and output. This approach also opens up new possibilities for preventive and remote maintenance and helps to solve situations before they escalate into more costly problems, which in turn can lead to serious failures. In addition to all the advantages, this progress also entails a number of risks.
Growing cyber threats
Dealing with cyber attacks has become part of everyday business, and we regularly read about a serious security incident at a large company. In July it became known, for example, that some German groups from different industries were attacked by the Winnti hacker group. Security experts suspect that the attackers are from China and are likely to be organized or commissioned by government agencies. With increasing networking, the risks naturally increase – and operators of critical infrastructures are no exception. And this new field is used by threat actors to carry out reconnaissance actions, gain remote access and even launch heavy attacks. Fortunately, these incidents have so far been far less common than the constant attacks on companies in the financial and retail sectors. In fact, there have actually been only a small number of cases worldwide in recent years. However, the impact of an attack on the infrastructure is far greater than in almost any other sector. While a retailer breach affects its bottom line and exposes its customers to an increased risk of fraud, successfully attacking critical infrastructure at a national level can have much more concrete and far-reaching effects – and may even endanger life. However, the impact of an attack on the infrastructure is far greater than in almost any other sector. While a retailer breach affects its bottom line and exposes its customers to an increased risk of fraud, successfully attacking critical infrastructure at a national level can have much more concrete and far-reaching effects – and may even endanger life. However, the impact of an attack on the infrastructure is far greater than in almost any other sector. While a retailer breach affects its bottom line and exposes its customers to an increased risk of fraud, successfully attacking critical infrastructure at a national level can have much more concrete and far-reaching effects – and may even endanger life.
Advanced infrastructure attacks
The turning point for cyber security in critical infrastructures occurred in 2015 with the first known successful attack on a power grid. In December 2015, three energy suppliers in Ukraine were hit by an attack that later brought the grid to a standstill. The attack was very organized, complex and followed a multi-step approach that combined several different attack techniques. As a first step, the corporate networks were compromised with a powerful malware called BlackEnergy, which was distributed via a spear phishing email. As a result, the attackers took control of the SCADA (Supervisory Control And Data Acquisition) systems to remotely shutdown substations and deactivate IT infrastructure systems. In addition, another malware called KillDisk was used to delete large amounts of files that were stored on workstations and servers, and finally a Distributed Denial of Service (DDoS) attack was used to deactivate and thus prevent a call center that consumers receive information about the blackout. The result: 225,000 people had no electricity for between one and six hours. Due to the ongoing conflict between Ukraine and Russia at the time, most experts attributed the attack to the Russian APT group. to disable a call center and prevent consumers from receiving information about the blackout. The result: 225,000 people had no electricity for between one and six hours. Due to the ongoing conflict between Ukraine and Russia at the time, most experts attributed the attack to the Russian APT group. to disable a call center and prevent consumers from receiving information about the blackout. The result: 225,000 people had no electricity for between one and six hours. Due to the ongoing conflict between Ukraine and Russia at the time, most experts attributed the attack to the Russian APT group.
Ukraine was the victim of another serious attack on its power grid a year later, in December 2016. This second attack knocked almost a fifth of Kyiv out of power for about an hour, with many assuming that this attack was primarily a test run by the attackers. The second attack took a different approach than the first and relied on the malware Industroyer or crashoverride. The malware was specially designed to disrupt industrial control systems and contains a number of components that perform various actions: For example, a backdoor element establishes a remote connection that allows attackers to issue commands and carry out attacks. In the event that this back door is discovered, a second is available to the attackers.
Fortunately, the attacks on Ukraine have so far been unusual, but the risk of a new incident is high for both the energy industry and other critical organizations around the world. Recent research, jointly conducted by the UK Infrastructure Transitions Research Consortium at the University of Oxford and the Center for Risk Studies at the Cambridge Judge Business School, has quantified the potential risk to the UK from a cyberattack. Based on the Ukrainian incidents, the researchers estimated that similar attacks on Britain could cost more than £ 111 million a day. It was concluded that even a relatively small incident could affect the electricity supply for more than 1.5 million British citizens.
While security teams and security solutions can quickly adapt to newly discovered vulnerabilities, malware and technologies, it is difficult to prepare for previously unknown threats. Unfortunately, we have to assume that in many industrial systems, unknown malware is literally dormant and is just waiting for instructions to strike at the right time. The then director of the U.S. National Intelligence Service, Dan Coates, told Congress earlier in 2019 that security forces assume that if a crisis strikes, Russia will launch cyber attacks on civilian and military infrastructure to disrupt it.
As with traditional weapons, cyber attack tools, if only in the hands of some nation states, can have a deterrent effect. Attacks would result in counterattacks, so large blows are unlikely. Nevertheless, government-sponsored activities can occur on a smaller scale, especially if the attack cannot be easily assigned.
In contrast to conventional warfare, heavy cyberattacks can also be organized by non-state actors with comparatively small resources. Critical infrastructures are (so far) an unattractive target for the average criminal, which is motivated in particular by financial gain. Other industries promise higher profits with less effort and risk. However, the infrastructure is still potentially at risk from non-governmental actors such as terrorists. And cybercriminals may also develop profitable business models in the area of critical infrastructures.
How to Secure Digital Infrastructure
Perhaps the biggest challenge in securing global infrastructure is that it has never been designed to protect against these types of threats. Most systems were designed to operate in a highly secure environment, protected from interference from walls, gates and protective devices. This means that the devices often lack basic functions such as authentication and encryption. The challenge is exacerbated by the fragmented and non-transparent nature of the targets. Most of the world’s critical infrastructure runs on a variety of old and opaque protocols, many of which are proprietary, making it much more difficult to get a unified view of the systems as a whole.
A common solution to the problem is to turn down digitization. In July 2019, the U.S. government announced plans to switch critical systems to analog and manual technology to isolate the network’s key control systems. A press release to approve the Securing Energy Infrastructure Act (SEIA) says it should ensure that attackers would need physical access again to disrupt or damage them.
But is this way-back really a step forward, at least in terms of security? It is more likely that this step is counterproductive and could harm innovation. The critical infrastructure, be it the American one or that of another country in the world, is not vulnerable because it is digital, but because the threat actors understand the landscape better than those who are supposed to defend it. Well-versed cyber security training can also solve the problem.
Transparency is the key
We are now faced with the unusual situation that industry, not government, is at the forefront of potential conflicts. Given the large number of critical infrastructures managed by the private sector, it is largely up to individual companies to ensure the transparency of their own networks and the ability to identify and counter threats. Therefore, the top priority must be to close this transparency gap, which currently enables attackers to implement complex attack plans without being discovered. Industry and government agencies need to work together to transform today’s heterogeneous, rugged, and opaque target into a transparent defense architecture that will allow defenders too.