IOCTA 2016

Critical infrastructure sectors are considered vital to the functioning of modern societies and economies, to the point that their incapacitation or destruction would have a debilitating and cascading effect; yet these systems are vulnerable to damage from natural disasters, physical incidents and cyber attacks. Vulnerabilities continued to plague industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems in 2015, affecting critical infrastructure organisations that manage complex IT and physical networks[100].

Malicious code can potentially be used to manipulate the controls of power grids, financial services, energy providers, defence, healthcare databases and other critical infrastructure, resulting in catastrophic real-world physical damage, such as blackouts or the disruption of an entire city's water supply[101,102].

In most of the reported or analysed attacks targeting ICS, the initial infection began with targeted spear phishing and a malware drop used to attack the network. In such a scenario, ICS-focused protection alone proved unable to prevent cyber attacks. Relying only on detection is not enough - the key to success in securing ICS is prevention. However, a balance has to be struck between adding sensors to the network and the risk of being overwhelmed with alarms, alerts and indicators[103].

With securing critical infrastructure becoming a priority, a holistic approach is required where vulnerabilities and threats to the physical security and the security of ICT must be managed and controlled in the context of a comprehensive risk management framework, considering all interconnections and dependencies, and taking into account a total stakeholder view.

Key threats - Attacks on the infrastructure grid

Cyber threats to critical infrastructure are serious, because network devices and services are exposed to the internet and operators rely on networked services while paying limited attention to the security and monitoring of those exposed devices and services. Attackers can gain knowledge of how a specific control system works and can respond by releasing ICS-specific attack vectors that could spread from the IT network to the ICS or SCADA systems, exploiting vulnerabilities or stressing control gauges until systemic failure ensues, with a cascading effect and serious consequences[104].

In 2015, law enforcement across Europe reported a number of attacks on critical infrastructure, which often involved unsophisticated methods such as SQL injection and cross-site scripting, but also APT-type attacks.

Black Energy, a Trojan used in the past to conduct DDoS attacks, cyber espionage and information destruction, was used to carry out an attack on the Ukrainian power grid in December 2015. The malware had been modified specifically to carry SCADA-related plugins, in this case a module named Killdisk, in order to attack ICS[105]. Spear phishing was used to target individuals within the organisation with messages containing Microsoft Office documents; these documents contained malicious macros that, once activated, installed the malware onto the system[106].

Due to the destructive payload, campaigns such as Black Energy pose an additional threat to companies beyond the critical infrastructure sector. These companies may have a false sense of security because they consider themselves not critical, public-facing or important enough to be targeted, but due to the spread of this kind of malware they might well fall victim, with greater impact due to their relative unpreparedness[107].

  104. Verizon, Data Breach Digest, http://www.verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf, 2016
  105. Kaspersky, BlackEnergy APT Attacks in Ukraine, http://www.kaspersky.com/internet-security-center/threats/blackenergy, 2016
  106. EC3 Cyber Bit, Series: Trend 1/2016
  107. Trend Micro, KillDisk and BlackEnergy are not just Energy Sector Threats, http://blog.trendmicro.com/trendlabs-security-intelligence/killdisk-and-blackenergy-are-not-just-energy-sector-threats/, 2016

Key threats - Everyday malware and zero-days

After incidents such as Stuxnet it is not surprising that critical infrastructure facilities can be infected with viruses, which are generally harmless unless the infrastructure is the specific target. In 2015, law enforcement across Europe reported a number of malware infections within air-gapped[108] control system networks, combined with the exploitation of zero-day or unpatched vulnerabilities in control system devices and software.

However, it is often clear that there is no need to develop or purchase customised hacking tools, as there is a wealth of existing malware and vulnerabilities that can be exploited with minor tweaking to take advantage of the lack of security-by-design that is often found in ICS and SCADA systems[109,110].

In April 2015, a German nuclear plant was found to be infected with malware, including Conficker and Ramnit, which can allow remote access to an infected system and are capable of spreading through USB drives. In this case no harm was done; the malware required internet access to contact a command-and-control network - which it did not have - and the infection appeared to be incidental, i.e. the plant was not specifically targeted[111].

Despite the fact that new vulnerabilities are discovered every day, relatively few disclosures can be seen when it comes to critical infrastructure[112]. At the same time, this underreporting of incidents and vulnerabilities increases the risk for such systems, given the widespread use of the same software and hardware across the industry. Another important threat is posed by insiders, as they have intimate knowledge of how such systems work[113]. If researchers report the discovery of vulnerabilities back to manufacturers and asset owners, the whole industry benefits from an increase in security[114]. With these types of attack, an adequate response may need to be modelled on the joint approach taken by executive branches of government, with a focus on the interests at stake. This means that the inclusion of law enforcement and judicial authorities in crisis-management plans and exercises is becoming more relevant.

  108. An air-gap refers to computers and networks not connected directly to the internet, or to any other computers or networks that are connected to the internet.
  109. Kaspersky, Low-tech Attackers Harness Open Source Security Tools for Targeted Cyberespionage, http://www.kaspersky.com/about/news/virus/2016/Low-tech-attackers-harness-open-source-security-tools-for-targeted-cyberespionage, 2016
  110. The Hague Security Delta, Securing Critical Infrastructures in the Netherlands, https://www.thehaguesecuritydelta.com/media/com_hsd/report/53/document/Securing-Critical-Infrastructures-in-the-Netherlands.pdf, 2015
  111. Trend Micro, Malware Discovered in German Nuclear Power Plant, http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/malware-discovered-in-german-nuclear-power-plant, 2016
  112. Fortinet, (Known) SCADA Attacks Over The Years, https://blog.fortinet.com/2015/02/12/known-scada-attacks-over-the-years, 2015
  113. NIST Computer Security Resource Center, Malicious Control System Cyber Security Attack Case Study – Maroochy Water Services, Australia, http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf, 2008
  114. ENCS, Do We Need More Vulnerability Disclosures in Critical Infrastructure?, https://www.encs.eu/2016/06/16/do-we-need-more-vulnerability-disclosures-in-critical-infrastructure/, 2016

Key threats - Spear phishing, watering hole attacks and social engineering

As with other network attacks, spear phishing is a common ICS attack vector, providing targeted entry into an organisation’s systems. The use of the supply chain as an attack vector is increasing: attackers compromise third-party vendors or partners as the weakest link and then move laterally to the actual target[115,116].

In late 2014, hackers attacked a German steel mill in one of the first confirmed cases in which a wholly digital attack caused physical destruction of equipment. The attackers used spear phishing and social engineering to obtain the credentials required to access the mill’s network[117].

  115. Check Point, Everyday Malware Poses a Risk to Critical Infrastructure, http://blog.checkpoint.com/2016/05/19/everyday-malware-poses-a-risk-to-critical-infrastructure/, 2016
  116. Radiflow, Ukraine Cyber Attack Analysis, http://radiflow.com/wp-content/uploads/2015/12/Ukraine_cyber_attack_report.pdf, 2016
  117. SANS Industrial Control Systems, German Steel Mill Cyber Attack, https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf, 2014

Key threats - Insiders

Insiders pose a huge potential risk to critical infrastructure, as they have intimate knowledge of the details of ICS and SCADA systems. While malicious actions by insiders are one potential threat, the involuntary disclosure of sensitive information during phishing attempts, due to a lack of training, can have devastating consequences. People, technology, processes and training should be combined to tackle this threat[118,119]. Monitoring access rights is essential when managing the risk associated with potential insider threats[120,121].

  118. SANS Institute, Mitigating Insider Sabotage, https://www.sans.org/reading-room/whitepapers/casestudies/mitigating-insider-sabotage-33189, 2009
  119. SANS Institute, Incident Response Capabilities in 2016: The 2016 SANS Incident Response Survey, https://www.sans.org/reading-room/whitepapers/analyst/incident-response-capabilities-2016-2016-incident-response-survey-37047, 2016
  120. IBM, 2015 Cyber Security Intelligence Index, http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEW03073USEN, 2015
  121. ICS-CERT, Cyber-Attack Against Ukrainian Critical Infrastructure, https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01, 2016

Future threats and developments

As most critical infrastructure (CI) was not designed with cyber security in mind, there is a need to rethink security, incorporating security-by-design into hardware and software components. As the software and hardware components of CI tend to remain in use for many years, there is also a need for improved vulnerability and patch management based on a holistic assessment and evaluation of assets, threats and risks[122].

Because of the increased availability of tools and the wide attack surface presented by CI, we can expect attacks to increase in quantity. Serious damage could potentially be caused by attackers deploying blended attacks that combine phishing techniques and malware – including the growing threat of ransomware[123].

Cyber insurance plans targeting the critical infrastructure sector will be on the rise and will steadily expand to cover a variety of costs related to cyber attacks, such as revenue lost due to downtime, notifying customers affected by a data breach, and providing identity theft protection[124]. The likely impact of insurance is unclear: it may lead to a positive scenario in which insurers require due diligence and minimum security standards, or this new landscape may lead to risk-transfer strategies instead. Taking out cyber insurance should not result in IT security being ignored[125]; however, the insurance industry could be an important player in setting the baseline for adequate levels of security.

The transposition of the NIS Directive into national legislation will positively impact the whole cyber security ecosystem, mandating reporting and improving the sharing of vulnerabilities in this sector. However, the lack of law enforcement involvement in the mechanism, which is only foreseen in a voluntary or ad hoc form, might make it difficult for attacks on critical infrastructure to result in the investigation and prosecution of the responsible actors[126]. This may be further complicated by the fact that operators of critical infrastructure will focus on business continuity, which may be at odds with law enforcement’s investigative requirements.

There is a balance to be struck between the requirements of such operators and law enforcement in terms of improved exchange of information and the development of better joint work practices with a view to increasing understanding on both sides.

It is not only critical infrastructures that are increasingly vulnerable; there is also a risk of attackers gaining entry to systems where they can illegally acquire sensitive information. Illegal access to intellectual property (IP) is an added risk to consider when designing cyber defences for critical infrastructures. Specific threat groups, such as the Sofacy group (APT28), actively target European institutions and, in addition to acquiring sensitive data, engage in cyber operations to manipulate the media and public opinion[127]. Widespread attacks from a multitude of sources targeting the EU institutions were observed throughout 2016[128]. However, in this area there is little or no crime reporting, which creates a negative spiral: because nothing is reported, law enforcement cannot respond, and because law enforcement is not seen to respond, such activities continue to go unreported.

  122. European Commission, Communication: Strengthening Europe’s Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry, https://ec.europa.eu/digital-single-market/en/news/communication-strenghtening-europes-cyber-resilience-system-and-fostering-competitive-and, 2016
  123. Fortinet, SCADA Security Report 2016, https://blog.fortinet.com/2016/04/05/scada-security-report-2016, 2016
  124. SANS Institute, Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey, https://www.sans.org/reading-room/whitepapers/analyst/bridging-insurance-infosec-gap-2016-cyber-insurance-survey-37062, 2016
  125. Allianz, A Guide to Cyber Risk, https://www.allianz.com/v_1441789023000/media/press/document/other/Allianz_Global_Corporate_Specialty_Cyber_Guide_final.pdf, 2015
  126. European Commission, The Directive on Security of Network and Information Systems (NIS Directive), https://ec.europa.eu/digital-single-market/en/news/directive-security-network-and-information-systems-nis-directive, 2016
  127. CERT-EU, https://cert.europa.eu/, 2016
  128. CERT-EU, https://cert.europa.eu/, 2016

Recommendations

  • Law enforcement and judicial authorities must be engaged early following serious cyber security incidents. Working collectively is our best route to getting ahead of attackers. Moreover, information security needs to be one of the first lines of defence against insider threats.
    • Building trusted relationships is a major consideration in encouraging organisations to report incidents and share information. More interaction between law enforcement, the critical infrastructure sector and the CSIRT community is needed to build that trust[129].
  • While securing critical infrastructures remains a private sector responsibility, attention should be given, by regulators, to the compliance of IT systems and mandatory security-by-design.
    • There needs to be a baseline of security standards for those operating systems that manage critical industrial systems, transportation, power grids or air traffic[130].
    • There is a need for provisions aimed at protecting critical infrastructures[131] and securing network and information systems[132], in order to align cyber security capabilities across all EU Member States and ensure efficient exchange of information and cooperation.
  • Reputational and financial damage is an obvious barrier to sharing and reporting. Nevertheless, in those cases where operators have to report incidents to the national CSIRT, agreements should be put in place to make sure that law enforcement is able to follow up with criminal investigations when needed[133].
  • Operators of critical infrastructure and law enforcement should work together towards an improved exchange of information and the development of better joint work practices.
  129. EU Member State, Law enforcement recommendation, 2016
  130. Enterprise Forward, IT Spend Slowdown Puts the Squeeze on Innovation, http://hpe-enterpriseforward.com/spend-slowdown-puts-squeeze-innovation/, 2016
  131. European Commission, Communication from the Commission on a European Programme for Critical Infrastructure Protection, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52006DC0786&from=EN, 2006
  132. European Commission, The Directive on Security of Network and Information Systems (NIS Directive), https://ec.europa.eu/digital-single-market/en/news/directive-security-network-and-information-systems-nis-directive, 2015
  133. EU Member State, Law enforcement recommendation, 2016
  100. EC3 Cyber Bit, Series: Trend 19/2016
  101. Kaspersky, BlackEnergy APT Attacks in Ukraine, http://www.kaspersky.com/internet-security-center/threats/blackenergy, 2016
  102. McAfee Labs Blog, A Case of Mistaken Identity? The Role of BlackEnergy in Ukrainian Power Grid Disruption, https://blogs.mcafee.com/mcafee-labs/blackenergy_ukrainian_power_grid/, 2016
  103. BlackHat, PLC-Blaster: A Worm Living Solely in the PLC, https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf, 2016