Cyberattacks in 2021 Highlighted Critical Infrastructure Risks

Concerns regarding cyberattacks against critical infrastructure have elevated industrial control systems (ICS) security to a mainstream topic. The first half of the year saw an increase in vulnerabilities found in ICS, exposing the high risk for attacks. As businesses continue connecting devices to the internet and converging operational technology (OT) under IT systems management, it’s more important than ever to understand these vulnerabilities and adequately mitigate and respond to risks.

Many of the events that increased awareness of current ICS risks and vulnerabilities were ransomware attacks. These incidents elevated awareness of ICS and OT network security and brought these topics into mainstream conversations.

Colonial Pipeline

Colonial Pipeline, the East Coast’s largest gasoline, diesel and natural gas distributor, was hit by a ransomware attack in May 2021, and the attack impacted oil and gas delivery for millions of people. DarkSide, a Russian cybercrime group that sells ransomware as-a-service (RaaS), was responsible for the attack. Colonial paid a $4.4 million ransom in Bitcoin ($2.3M of it was recovered by the U.S.), however, shortly after the attack, DarkSide reportedly abandoned its operation.

This incident not only made headlines but also shed light on how ransomware attacks have evolved to impact the physical world. Because DarkSide gained access to Colonial Pipeline’s systems by exploiting an inactive account that didn’t use multifactor authentication, it put pressure on businesses to assess similar risks within their own network of systems. 

Oldsmar, Florida Water Treatment Facility 

In early February 2021, a remote attacker changed the levels of sodium hydroxide in residential and commercial drinking water at a water treatment facility in Oldsmar, Fla. Operators inside the facility detected two intrusions from outside the plant, the second of which involved a remote attacker. 

Thankfully, the operators kept the contaminated water from ever reaching the public. While this attack could have had more dire results, it shed light on the risks posed to systems without secure remote access and the importance of ICS safeguards. As the pandemic accelerated digital transformation, critical infrastructure was further exposed as operators used remote access to manage systems off-site.

JBS Foods 

JBS, the world’s largest meat supplier, was attacked by the RaaS group REvil, leading to a shutdown of plants in Australia, Canada and the U.S. and wiping out nearly one-fifth of the U.S. plants’ meat processing capacity.

JBS maintained a backup system and was able to resume operations by using it to restore the data. Regardless, the company reportedly paid the attackers an $11 million ransom to recover its data and operational capability.

RaaS has become an emerging business model that allows essentially anyone to exploit vulnerabilities and launch attacks. It’s proven to be a profitable business model, too; as with Colonial Pipeline, attackers realized that critical infrastructure organizations make lucrative targets. Not only do they have the financial resources to pay, but any disruption to operations could put lives at risk—meaning they’re highly motivated to do whatever it takes to resume operations. 

On top of that, many food and beverage production sites run on legacy OT that was never designed to be connected to the internet. OT networks predate the internet and, with digital transformation leading many food and beverage companies to automate parts of the manufacturing processes, OT is suddenly being exposed to a whole host of new cyberthreats.

Security Measures in Response to Vulnerability Trends

While these attacks have raised awareness about current vulnerability trends we are seeing, awareness itself is not enough. The next step is to act on the lessons learned from these instances to minimize risks. 

Network Segmentation

With more devices connected to the internet and managed via the cloud, measures such as network segmentation must be prioritized. Network administrators should:

  • Segment networks virtually and configure them so they can be managed remotely.
  • Create zone-specific policies tailored to engineering and other process-oriented functions.
  • Reserve the ability to inspect traffic and OT-specific protocols to detect and defend against anomalous behaviors.

Secure Remote Access

As organizations adjust to increased remote connections to corporate resources, they must do so securely. This is especially vital within OT environments and critical infrastructure, as operators and engineers require secure remote access to industrial assets to ensure process availability and safety. Security practitioners are encouraged to:

  • Verify VPN versions are patched and up-to-date with current versions.
  • Monitor remote connections, particularly those connected to OT networks and ICS devices.
  • Enforce granular user access permissions and administrative controls.
  • Enforce multifactor authentication.

Ransomware, Phishing and Spam Protection

Remote work has increased reliance on email as a vital communication mechanism. These conditions also increase the risk of personnel being targeted by phishing or spam attacks and associated ransomware and other malware infections. Users should:

  • Not open emails or download software from untrusted sources.
  • Not click on links or attachments in emails from unknown senders.
  • Not supply passwords, personal or financial information via email to anyone.
  • Always verify the email sender’s email address, name and domain.
  • Back up important files frequently and store them separately, away from the main system.
  • Protect devices using antivirus, anti-spam and anti-spyware software.
  • Report phishing emails to the appropriate security or IT staff immediately.

Protecting Operations Management and Supervisory Control

Most operations management and supervisory control vulnerabilities are software-based as opposed to basic control, where the majority of vulnerabilities are firmware-based. With the inability to patch over time, especially for device firmware, it is recommended that critical infrastructure organizations invest in segmentation, remote access protection and better protection of the operations management and supervisory control levels. This is imperative because they provide access to the basic control level and, eventually, the process itself.

Cybersecurity is an all-hands-on-deck effort, which means organizations must ensure roles are clearly defined and proper systems are in place to support this new normal. With digital acceleration brought on by the pandemic, the only thing we know for sure is change is imminent. To effectively protect critical infrastructure, it is crucial to continue evaluating the ICS vulnerabilities created as a result of that change so that while innovation continues, we can effectively mitigate risks. 

Featured eBook
Managing the AppSec Toolstack

Managing the AppSec Toolstack

The best cybersecurity defense is always applied in layers—if one line of defense fails, the next should be able to thwart an attack, and so on. Now that DevOps teams are taking  more responsibility for application security by embracing DevSecOps processes, that same philosophy applies to security controls. The challenge many organizations are facing now ... Read More
Security Boulevard

Chen Fradkin

Chen Fradkin is a security researcher at industrial cybersecurity company Claroty with over seven years of experience researching ICS and IT network security. She specializes in analyzing all components of network security, from protocols and topology to connected devices, as well as developing security systems. She graduated from the Open University of Israel with a degree in computer science.

chen-fradkin has 1 posts and counting.See all posts by chen-fradkin