In May 2021, Colonial Pipeline, the United States’ largest pipeline for refined oil products, was subjected to a ransomware attack, showing how vulnerable to cyber attacks socially important infrastructure can be. Within the space of a few hours, all fuel transport was cut off in an attempt to limit the damage. In the days that followed, the price of petrol soared while petrol stations ran dry.
“Do you want to protect yourself from similar attacks? Don’t build special solutions, rather opt for well-established cyber security solutions and keep them updated. It’s worth the money,” says Marco Tiloca, security expert at RISE.
Over 20 years of operation, the nearly 900 km long pipeline has been affected by some 30 incidents – mostly related to the weather, wind and mechanical issues. This was the first time that a cyber attack had triggered a stoppage, and it was consequently a clear game changer. The hacking group demanded the equivalent of USD 4.4 million in bitcoin in exchange for unlocking the encrypted business system and deleting 100 gigabytes of stolen customer data.
– “If critical infrastructure is taken down, it can be more complex to restore it and bring it back into operation. The consequences can therefore be critical for society, the economy, security and the environment, and ultimately for people,” says Marco Tiloca, researcher at RISE’s digital security unit.
– “Generally speaking, this is not a new kind of threat. The fundamentals are the same as before – it’s about gaining control of your systems and pressuring you for money.”
The thing that distinguishes such attacks on critical infrastructure, however, is the risk that hackers will also take control of OT systems, i.e. the operation of industrial control and management systems. In the case of Colonial Pipeline, it was stated that this particular risk was the reason for the operator shutting down the operation.
The energy sector represents socially important infrastructure, which has been singled out as an inviting target for cyber attacks: connected facilities with units that can be controlled remotely over the Internet, and where data is exchanged between production systems and customer systems.
IoT-based networks provide more opportunities for attacks
Other targets include industry or healthcare with operational systems that have previously been kept isolated, but that have been linked to other IT systems as digitalisation has progressed.
– “This potentially provides a perpetrator with many more attack vectors, by utilising the IoT-based networks in your system. These can be used both to cause direct damage, but also to take control of your devices and use them in a separate follow-up attack. As a result, you need an in-depth understanding of how your systems and devices work. And that your solutions and configurations will stand up.”
Projects will increase security in critical infrastructure
Marco Tiloca is one of RISE’s experts participating in the ongoing Critisec project, which aims to develop new security solutions and standards for edge networks in critical infrastructure. Use cases include energy distribution, smart cities, identity management for IoT and three other IoT-related areas.
The goal? To be able to greatly improve the systems in the critical infrastructure.
The pandemic years 2020-21 have seen a substantial increase in cyber attacks. The ransomware-as-a-service phenomenon has attracted the most attention, although phishing schemes targeting new home and hybrid workers also stand out.
– “If you dig deep enough, it can normally be seen that, despite good intentions, attacks are facilitated by carelessness and negligence. This often relates to software that has not been patched or instances where people have been tricked into downloading malicious code,” says Marco Tiloca.
– “It is also sometimes the case that insiders are hired who act as accomplices. How do you protect yourself in this instance, when it’s not even the case of a technologically advanced approach?
– “It’s about being meticulous. About having skilled staff who are both well-trained and loyal. Who avoid becoming an attack vector themselves. You may have a secure system, but your staff can be the way in.”