The threats to Critical National Infrastructure (CNI) from cyber attacks have long been discussed. But increasingly these theoretical dangers are turning into real-world impacts, affecting not just power stations, utilities and the like but also infrastructure hubs such as ports and airports. The challenge of protecting these facilities in many cases rests on securing outdated but mission-critical operational technology (OT) environments which are now dangerously exposed.

Mitigating OT risk effectively will require both a technical and a cultural fix.

Hackers get serious

In the second half of 2018, there was a spate of attacks targeting critical infrastructure hubs. In July, the port terminal of Chinese logistics giant COSCO was disrupted: the shipping firm’s IT and phone network was taken down after a suspected ransomware attack. A couple of months later, the port of Barcelona came under an attack which affected several servers, although no further details were publicized. Then, also in September, the port of San Diego was knocked offline by a ransomware attack.

Although details of these attacks remain hazy, what we can say with some certainty is that critical infrastructure environments are becoming an increasingly popular target for hackers. They offer multiple opportunities to make money and spread chaos. Here are some:

Ransom: As we’ve seen in some of the examples above, CNI facilities such as ports face a significant threat from ransomware. It’s likely that cyber criminals are looking to improve their ROI by hitting fewer, higher-value targets rather than focusing on consumers and small businesses. Ports and logistics firms are a perfect choice because even an hour’s downtime can have a massive knock-on impact. Shipper Maersk admitted in 2017 that the NotPetya ‘worm’ of that year (ransomware in appearance, although victims could not recover their files by paying) caused losses of up to $300m. It’s not just ports. Last year, the UK’s Bristol Airport was hit with ransomware which blacked out its flight information screens for two days.

Theft, drug trafficking and more: Another attack scenario is to remotely control key operational technology or monitor logistics information to support physical crimes. The precedent for this kind of attack was set several years ago. In a case dating back to 2011, Europol reported an attack on the port of Antwerp in which traffickers hid drugs in legitimate cargo, then hacked the port’s container-tracking systems to learn where the containers were and when they could be collected. Their own drivers picked the containers up before the legitimate owner arrived.

Sabotage: Sometimes hackers have a more destructive impulse, especially those working for rogue states. We’ve already witnessed widespread damage caused by WannaCry and NotPetya, and destructive Russian attacks on Ukraine’s power grid. So it’s feasible that hackers could target ports and other facilities with the explicit goal of interrupting supply chains, damaging key equipment and causing economic chaos.

Why OT is at risk

A big part of the problem for CNI providers is their OT infrastructure. OT was historically protected from hackers because its proprietary systems were isolated from the internet. So-called “security by obscurity” worked for decades, but with connectivity and convergence with IT has come greater risk: obscurity is no defence once a device is reachable over a network.

Firms are increasingly looking to add intelligence to their OT systems to drive process efficiencies and cut costs. But this has also had the unwanted effect of exposing them to the threats outlined above, as many systems run outdated software, or industrial protocols designed for closed networks with no authentication or encryption, and so are easy to abuse once reachable. OT machinery is often expensive, so replacement cycles can extend for decades. Because the equipment is mission critical it can’t simply be taken offline to patch, and in many plants no parallel test environment exists in which software fixes could be tried out first.

One vendor detailed earlier this year how vulnerabilities in the Radio Frequency (RF) controllers used to remotely steer cranes, winches and other industrial equipment could be exploited to sabotage or remotely control the machinery. The problem lay partly in the proprietary, undocumented nature of the protocols carrying the commands, whose security had never been examined by anyone outside the manufacturer. Some of the systems analyzed in the research had been in operation for over 15 years.

Breaking down silos

The good news is that there are things organizations can do to mitigate OT risk. They need to start by extending IT risk management approaches into the OT sphere.

Understand exactly what equipment you have, and pen test it to find out where the major vulnerabilities are. Migrate where possible to equipment based on open, interoperable standards and follow best-practice frameworks like ISA/IEC 62443 for industrial control systems. Continuous security monitoring and incident response are vital to provide visibility, control and agility where you need them most.
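As an added illustration of the first and last of those steps (this is example code written for this page, not from the original article or any vendor), the script below builds a passive asset inventory from network flow records and flags Modbus write commands issued by any host that is not an approved engineering workstation. Passive inventory is the safe way to discover OT assets: it never sends traffic to devices that might crash when probed. The flow-record format, the IP addresses, the workstation allowlist and the sample traffic are all constructed assumptions; the Modbus/TCP port and function codes are the real values from the protocol specification.

```python
"""Passive OT asset inventory and unauthorised-write detection (added example).

Assumptions, not taken from the article: flow records are plain dicts of the
kind a network sensor or Zeek/NetFlow export could be converted into, and the
allowlist plus all sample traffic below are constructed for illustration.
"""
from dataclasses import dataclass, field

MODBUS_TCP_PORT = 502
# Function codes that change state on a PLC/RTU (values from the Modbus spec).
MODBUS_WRITE_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

# Constructed allowlist: only these hosts may legitimately write to controllers.
ENGINEERING_WORKSTATIONS = {"10.10.1.5"}


@dataclass
class Asset:
    ip: str
    roles: set = field(default_factory=set)          # e.g. modbus-client / modbus-server
    talks_to: set = field(default_factory=set)       # peers seen on the wire
    function_codes: set = field(default_factory=set) # Modbus codes received (servers only)


def build_inventory(records):
    """Derive an asset list purely from observed flows, without probing devices."""
    assets = {}
    for r in records:
        src = assets.setdefault(r["src"], Asset(r["src"]))
        dst = assets.setdefault(r["dst"], Asset(r["dst"]))
        src.talks_to.add(r["dst"])
        if r["dport"] == MODBUS_TCP_PORT:
            src.roles.add("modbus-client")
            dst.roles.add("modbus-server")  # a PLC/RTU listening on 502
            dst.function_codes.add(r["func"])
    return assets


def detect_unauthorised_writes(records, allowlist=ENGINEERING_WORKSTATIONS):
    """Alert on any Modbus write not originating from an approved workstation."""
    alerts = []
    for r in records:
        if r["dport"] != MODBUS_TCP_PORT:
            continue
        name = MODBUS_WRITE_CODES.get(r["func"])
        if name and r["src"] not in allowlist:
            alerts.append(
                f"{r['ts']} {r['src']} -> {r['dst']}: {name} (fc {r['func']}) "
                "from host outside engineering allowlist"
            )
    return alerts


# Constructed sample traffic: an HMI polling two PLCs, an engineering workstation
# pushing a configuration, and an unknown host writing a register to a PLC.
SAMPLE_FLOWS = [
    {"ts": "2019-03-04T08:00:01", "src": "10.10.1.20", "dst": "10.10.2.10", "dport": 502, "func": 3},
    {"ts": "2019-03-04T08:00:02", "src": "10.10.1.20", "dst": "10.10.2.11", "dport": 502, "func": 3},
    {"ts": "2019-03-04T08:05:00", "src": "10.10.1.5",  "dst": "10.10.2.10", "dport": 502, "func": 16},
    {"ts": "2019-03-04T08:07:13", "src": "10.10.9.77", "dst": "10.10.2.10", "dport": 80,  "func": None},
    {"ts": "2019-03-04T08:07:15", "src": "10.10.9.77", "dst": "10.10.2.10", "dport": 502, "func": 6},
]


if __name__ == "__main__":
    for asset in build_inventory(SAMPLE_FLOWS).values():
        print(asset.ip, sorted(asset.roles), sorted(asset.function_codes))
    for alert in detect_unauthorised_writes(SAMPLE_FLOWS):
        print("ALERT:", alert)
```

In a real deployment the records would come from a span port or network tap feeding a protocol-aware sensor, and the inventory produced by build_inventory would be compared against the engineering asset register so that any controller or client seen on the wire but missing from the register is itself raised as an incident.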

Of course, for such initiatives to be effective, your IT and OT teams will have to do a better job of communicating. Historically these have been separate, with differing security priorities: IT focusing on confidentiality and OT on safety and availability. These silos need to come down as the new era of IoT brings new risks. It’s also what the EU’s NIS Directive demands of CNI providers.

Change will take time, but it must start now.