Per a recent US-CERT alert, Russian government-sponsored cyber ‘threat actors’ have been systematically targeting and attacking critical US infrastructure facilities, such as nuclear, water/wastewater, electric grid, and other energy-related facilities. These attacks, while not new, are being attributed clearly to the Russian government for the first time.
While the threat of malicious activity on a critical system is worrisome enough, it’s important to understand how these breaches are occurring. The most recent attacks use social engineering techniques and spearphishing to gain access to systems, rather than traditional ‘hacking’. Social engineering and spearphishing (an email with malicious links or documents sent to a specific individual) do not require any intimate knowledge of the system before the attack begins, and rely on weak security protocols and human errors of judgement.
Once the threat actors have gained access to the broader network, they can begin finding ways to infiltrate individual systems such as HMI (human-machine interface) or SCADA (supervisory control and data acquisition) systems.
In this case the threat actors targeted specific systems, often by locating low-resolution images on the web and examining them to identify the specific software or hardware in use.
What infrastructure facilities can do to prevent this kind of threat
First, companies must acknowledge that their data is a target. A municipal water/wastewater plant may not see their systems as desirable targets for infiltration, but we have proof to the contrary. Every infrastructure or manufacturing facility should assume that their data is valuable enough to steal, or that their systems could be targets of attack.
Employees should be educated about social engineering and spearphishing techniques, and there should be strict policies in place to ensure that employees are only clicking on links or reading documents from safe sources. Some social engineering and spearphishing attacks will utilize email addresses that look like they come from colleagues or from a trusted organization, so it’s important that employees understand that they should coordinate with IT before opening any email they’re not entirely certain is safe.
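As an added illustration of the lookalike-sender problem described above (this is example code, not part of the article or the US-CERT alert), the check below classifies a message's From: header against a constructed allowlist of trusted domains, flagging addresses that differ by a character or two, embed a trusted organization's name in an unrelated domain, or pair a trusted-sounding display name with an untrusted address.

```python
# Added example: classify a From: header as trusted, lookalike, or external.
# TRUSTED_DOMAINS is a constructed allowlist; a real deployment would load it
# from mail-gateway configuration.
from email.utils import parseaddr

TRUSTED_DOMAINS = {"watermunicipal.example", "vendor-scada.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', or 'external' for a From: header value."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in trusted:
        return "trusted"
    for t in trusted:
        org = t.split(".")[0]  # organization label, e.g. "watermunicipal"
        # Near-identical spelling (threshold 2 can over-flag very short
        # domains), the org name buried in another domain, or a display name
        # that claims the org while the address does not match.
        if edit_distance(domain, t) <= 2 or org in domain or org in display.lower():
            return "lookalike"
    return "external"


def scan_headers(headers):
    """Map each constructed From: header to its classification."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    samples = [
        "Plant Ops <ops@watermunicipal.example>",
        "Plant Ops <ops@watermunicipa1.example>",
        "IT Helpdesk <help@watermunicipal-support.example>",
        "Supplier <sales@unrelated-pump.example>",
    ]
    for header, verdict in scan_headers(samples).items():
        print(f"{verdict:9} {header}")
```

Such a check belongs alongside, not instead of, SPF/DKIM/DMARC enforcement at the mail gateway; it only surfaces the visual tricks the article describes for human review.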
IT departments should be following best practices for cybersecurity, such as air gaps and firewalls between industrial automation systems and the broader organizational network. IT and OT should be working together to find the proper balance of connectivity, efficiency, and security.
Finally, there should be regular and robust breach detection activities in place, so that intrusions to any system are noticed quickly and vulnerabilities are shored up. No system is immune to a breach, but the faster it’s found and addressed, the safer a system will be.