The new F-Secure report highlights that, in the face of increasingly advanced cyber threats, companies continue to use outdated systems and technologies to save money. The ensuing shortcomings in terms of cyber security (lack of strategy, prioritization, awareness …) are real gifts for cybercriminals.
Hackers now readily target strategic infrastructure and power distribution networks. In this sector, the systems are interconnected: the vulnerabilities are, therefore, more numerous, and cyber attacks often go unnoticed for a while.
The price of oil is fluctuating and energy companies are looking for savings. However, business consolidation operations can weaken the levels of redundancy and the resilience of these infrastructures. New points of failure may then appear, causing major disruptions in the supply chain.
“Espionage and sabotage operations against companies managing critical infrastructure are increasing over the years. And I think we have not seen it all yet,” says Sami Ruohonen, Labs Threat Researcher at F-Secure, a Finnish company specializing in cyber security.
Industrial Control Systems (ICS) are becoming more and more connected to the Internet. However, a considerable number of these systems were designed and installed before always-on (24/7/365) Internet connections became widespread, and before Stuxnet. Many of their operational components have built-in remote operation capabilities, but their security protocols (such as authentication) are few, if not totally absent.
At the time these infrastructures were designed, cyber attacks were not a realistic threat. The protocols and systems used lack the built-in security controls that we take for granted today. Now these systems are connected to the Internet and are vulnerable to a multitude of attacks.
“Given their very nature, critical infrastructure is an attractive target for foreign nation-states, even in times of peace,” says Ruohonen.
This new F-Secure report establishes several findings:
● Organizations operating critical infrastructures face a multitude of different “cyber adversaries”, each with their own motivations and skills.
● Hackers have a key asset: time. They can spend several months planning their attack.
● Staff is the weakest link in production, making employees the preferred target of cyber criminals.
● Hacking operations continue to succeed because of companies' ineffective cyber security strategies.
● Advanced persistent attacks backed by nation states are daunting. The perpetrators are relentless in their search for network access points and in spying to exert political pressure.
● Nine different types of attacks targeting the energy sector were identified. Spear phishing is the most common initial attack technique targeting the distribution chain.
● Minimizing the attack surface, which is often the best way to reduce the risk of cyber attacks, is simply not possible in the energy sector.
● IT intrusions are becoming unavoidable: Sami Ruohonen advises organizations to review their cyber security strategy to incorporate newer technologies such as endpoint detection and response (EDR).