The Colonial Pipeline attack was yet another reminder that critical infrastructure is in desperate need of stronger security. The attack is one of the most recent victims of cyberattacks on critical infrastructure; the phenomenon is not new, nor is it confined to the U.S. Critical infrastructure is essential to the security of any given nation, making it a valuable target, especially to state-sponsored actors and terrorist groups. And by targeting such entities, cybercriminals are infiltrating the physical world.
Efforts are in place to enhance critical infrastructure cybersecurity, yet a key aspect remains heavily neglected—one that keeps critical infrastructure exposed to attacks. But first, we need to understand why critical infrastructure is so vulnerable and the physical implications of those vulnerabilities.
A Cyber-Physical System and Cyber-Physical Consequences
Critical infrastructure is increasingly integrating information technology (IT) with operational technology (OT). According to a 2020 report by Newsweek Vantage, only one in ten executives reported that none of their systems are integrated. Shifting to a cyber-physical system enhances efficiency and allows for remote monitoring, which proved particularly convenient during the pandemic. However, blending these once separate environments has expanded the attack surface significantly; OT, which was previously air-gapped, is now exposed to the same cybersecurity threats faced by IT–an attack on the latter can impact the former. And, with legacy OT systems built without cybersecurity in mind, it is far behind IT in this realm. Exposed OT is especially concerning as, “OT systems are the crown jewels for organizations and threat actors are going after them,” said Andrea Carcano, co-founder of Nozomi Networks. That is the ‘why’—now, let’s talk about the physical ramifications of attacks.
OT is technology that interfaces with the physical world. Hence, an attack on OT will have consequences that spill into the physical world, just like what happened with the Colonial Pipeline attack. When the pipeline shut down operations following the ransomware attack, gas prices on the east coast soared; consumers panic-bought gas and international flights were rerouted due to fuel shortages. All this damage came from an attack that did not intend to target OT. Yes, DarkSide, the perpetrators, did not seek to impact OT, but the risk of the attack permeating to OT was enough to shut down operations. It makes one wonder: what if the attackers had been intentional? For a real-world example, look at Stuxnet.
Getting to the Heart of a Nation
Critical infrastructure is the heart of every nation, meaning this is a global problem. A Fortinet Report found that nine in ten organizations experienced at least one OT system intrusion in 2020. Newsweek Vantage’s report highlights the risk of IT/OT convergence by revealing that 36% of organizations experienced an OT intrusion originating from their IT system. And, with 65% of respondents identifying IT systems as their greatest vulnerability, OT is worryingly exposed.
Attackers can target the OT directly. In fact, 32% of respondents to Newsweek Vantage’s survey reported physical incursions into their OT systems, demonstrating poor physical security; 28% of respondents attributed their most serious incident to weak physical access controls. Moreover, as cyber-physical systems enable remote monitoring, fewer eyes watch over OT in the real world, further reducing physical security. Remote access to OT is a whole other cybersecurity concern. The Industrial Internet of Things (IIoT), has, on the one hand, significantly enhanced operational capabilities. However, on the other hand, IIoT devices have created more entry points for attackers; remote entry points that can be targeted in less secure environments.
Zero-Trust, but Zero Hardware Security
The issue of IT/OT convergence is often met with the adoption of the zero-trust security model, which has recently been recommended by President Biden through the cybersecurity executive order. With zero-trust, organizations benefit from enhanced network access control through micro-segmentation and the principle of least privilege. Since zero-trust is a security model, the overall zero-trust architecture (ZTA) relies on various tools, including endpoint and network security software, to carry out its functions.
Such software, however, fails to provide hardware security, leaving this security domain sorely neglected. The enterprise remains widely exposed to hardware-based attacks since the tools used for such attacks are immune to existing security controls. Rogue devices–hardware devices manipulated to act with malice–bypass zero-trust security protocols, gain unauthorized access to the network and move laterally across the various network segments. In other words, whatever the point of entry is, the attacker can impact OT. The only barrier to such attacks is physical security since the perpetrator requires physical access. But, with 70% of organizations experiencing a physical incursion (32% into their OT systems, and a further 37% into their IT systems), physical security is obviously lacking.
The First Line of Infrastructure Defense
Rogue devices evade endpoint and network security solutions as they operate on the physical layer, which these solutions do not cover. Such rogue devices conduct harmful attacks, including ransomware and DDoS, which are specifically disruptive to OT, highlighting the need for physical layer visibility or, in other words, hardware security. Hardware security provides deeper visibility into the entire IT-OT landscape, allowing for better defense at the first layer for both IT and OT systems. Furthermore, hardware security supports the zero-trust model, thus enabling a more comprehensive approach. But what about physical security; if these attacks require physical access, how does hardware security stop this? Technically, it does not. An attacker can still gain physical access but, with physical layer visibility, this is about as far as they will be able to get. You still might think that physical security is the key to preventing hardware-based attacks but, remember, no matter how strong physical security is, it is not enough on its own. Not only are attackers using more sophisticated and more deceptive methods to gain physical access, but a malicious actor may be internal and already has physical access. Further, physical security can only go so far; security at the premises will not protect IIoT devices when used remotely.
Critical infrastructure is a valuable target to malicious actors because of its integrated environment and mission-critical role in society. But, for those same reasons, a cyberattack on critical infrastructure is no longer confined to the digital world, and such entities must enhance their protection for the sake of national security. Right now, critical infrastructure is missing something critical: hardware security. Without it, intangible attacks will continue to have tangible effects.