4 February 2016

Hacking Critical Infrastructure is Accelerating and More Destructive


A new report released this week by Trend Micro and the Organization of American States (OAS) shows a dramatic increase in cyberattacks directed against critical infrastructure owners and operators.

What could be worse than stealing millions of personal records in a large data breach?

How about destructive cyberattacks against our vital infrastructure companies that run dams, power plants, transportation systems and other critical infrastructures around the globe?

Sadly, such cyberattacks are becoming much more common and causing more harm than previously reported.

A new, first-of-its-kind report was released just this week which reveals astonishing survey results from more than 500 security chiefs spread across 26 member countries in the Organization of American States (OAS). The official report was created in collaboration between OAS and Trend Micro, and you can get a copy of the full report at this website.

Here are some of the findings that I found very surprising – even somewhat shocking:

- 53% of respondents have seen an increase in cyberattacks against critical infrastructure over the past year.

- 76% said cyberattacks were getting more sophisticated.

- Destructive hacking was way up, with 44% of respondents reporting attempts to delete or destroy data.

- 54% of respondents said attackers had tried to “manipulate equipment” through an industrial control system (ICS).

- 44% of survey respondents said attackers tried to destroy information.

- 40% had attempted to shut down computer networks altogether. 

Interview on New Report with an Industry Expert

Jon Clay, who is Trend Micro’s senior manager of Global Threat Communications, agreed to be interviewed regarding the report’s findings and next steps. Here is that interview:

Dan Lohrmann: Ambassador Albert R. Ramdin said, "53% of the respondents noticed an increase of attacks to their computer systems in 2014, and 76% stated that cyberattacks against infrastructure are getting more sophisticated." Are the sources of these increased attacks known?

Jon Clay: The survey respondents did not list where the attacks were coming from, but the report mentions of a few attacks attributed to Eastern European/Russian threat actors. The reality is actors such as cybergangs and narcotic traffickers are likely doing reconnaissance and active intelligence gathering on critical infrastructures (CI) around the world.

Dan: What are those Internet-based attacks?

Jon: As mentioned in the report, Trend Micro threat researchers are seeing malware-based attacks on critical infrastructure, disguised as both actual SCADA applications and malware used to scan and identify specific SCADA protocols. 


Dan: What was the most surprising result from this year's survey as compared to 2013 or other surveys? 

Jon: The most surprising result of this year’s survey was the percentage of respondents who stated they’d seen destructive attacks, whether attempts to delete or destroy data (44 percent), or attempts to shut down computer networks (40 percent). This shows threat actors are becoming more emboldened to commit destructive activities against CI, which is not a good trend.

Dan: What is the most significant takeaway from this survey?

Jon: Governments and organizations who manage CI are becoming a prime target of threat actors with increases in both volume and sophistication of attacks. 

Dan: What action is needed and who should do what differently?

Jon: The need for public-private partnerships (PPPs) is critical moving forward to ensure both governments and the private industry are ready to manage future attacks.

Dan: How is infrastructure protection different in the USA than in other OAS countries?

Jon: The U.S. has built out its CERTs [community emergency response teams] and ISACs [information sharing and analysis centers] that are set up to support sharing of threat intelligence in the case of attacks. Not all OAS member states have as developed groups as these. This has put the U.S. in perhaps a better state to deal with attacks, but the U.S. is also a prime target for threat actors and as such, likely will have to deal with more attacks.

Dan: Is the critical infrastructure attacked more or less?

Jon: From the U.S.-based survey respondents, the majority have seen an increase in attacks. 

Dan: In general, are U.S. companies more or less prepared for these attacks? 

Jon: From the survey results, U.S. based respondents indicated they were somewhat prepared or prepared for attacks. In general, we believe most organizations are somewhat prepared, but the need for improved situational awareness of attacks is needed by increasing their support for advanced threat protection solutions.

Dan: What are the next steps for the OAS as a result of this study? 

Jon: As mentioned in the report, the OAS is successfully building the framework for PPPs within the regions to deal with the situation. They are also helping member states who are not as far along as others to build out improved policies, laws and PPPs within their states. As such, the OAS should be empowered to lead information sharing per systemic cyberthreats in the region. The next step is to build awareness of the situation found within the report and try to develop a sense of urgency among their member states to actively deal with the security of CI.

Examining the Top Attack Vectors 

I found the following free webinar by Tom Kellerman, titled, “Clear and Present Danger: The Rise of CI Attacks in the Americas” to be very interesting and informative in understanding this report, and specifically how the attackers are targeting critical infrastructure.

Tom’s presentation describes the top five exploit kits used as being: Angler, Sweet Orange, Magnitude, Rig and Nuclear. These are described as “automated cyberweapons” that are causing havoc by penetrating and bypassing protections in place.

The chart below, which is an excerpt from the report, shows the types of cyberattack methods faced across the Americas by critical infrastructure owners and operators.


This chart shows the breadth of the online problems by country governments. Many more such charts are highlighted in the full report.


OAS Executive Perspective and Coordinated Response

As part of the introduction to the report, the OAS Assistant Secretary General, Ambassador Albert R. Ramdin, said this:

“Member states rely on critical infrastructure to provide essential services and products, and as countries of the Americas have experienced a growth in the number of infrastructures running on Internet-facing networks, so the number of cyber-attacks to the same infrastructures has increased, which could compromise a country’s critical infrastructure and ability to provide essential services to its citizens.”

Exploitations that can affect countries’ infrastructure are usually infiltrated by simple or sophisticated tools that can access mobile and other personal devices to infiltrate high-value sectors, such as transportation, energy or financial systems. To tackle these cyberthreats, the OAS began its efforts to strengthen cybersecurity capacities in critical infrastructure by providing tailored trainings to management-level officials, policymakers, and security technicians working at countries’ critical infrastructure. ...”

In addition, Adam Blackwell, secretary for Multidimensional Security for the Organization of American States described this seven-point response plan in the report:

[1] Engaging civil society and the private sector...

[2] Raising awareness: With the development of IoT [Internet of Things], people are connected to the Internet in many different ways. Use training sites like: http://stopthinkconnect.org/

[3] Developing national strategies: A national cybersecurity strategy allows countries to define a comprehensive vision on cybersecurity and set clear responsibilities, coordinating actions between governments, and relevant stakeholders. ..

[4] Providing training: Remaining current is fundamental in the ever-evolving environment of cybersecurity. ...

[5] Rehearsing crisis management: In parallel with technical training and the development of response teams, the OAS also conducts crisis management exercises. ...

[6] Carrying out technical assistance missions: The OAS responds to countries’ needs by developing and carrying out technical assistance missions designed to address their concerns. This typically involves site visits, policy reviews and presentations by local authorities, culminating in a series of recommendations by experts. ...

[7] Sharing information: The OAS is working on the development of a network of national CSIRTs and other cybersecurity-related authorities, which aim to facilitate real-time communication and information. ...


Final Thoughts

I highlighted this excellent report by the OAS and Trend Micro and the corresponding research and survey results, since they show a global trend to attack critical infrastructure via the Internet with destructive new techniques. The results are alarming to me.

In my view, this report is another wake-up call to address this accelerating cyberattack problem. Our online enemies are trying to bring down and destroy vital infrastructure – and not just steal data. The steps outlined in the OAS action plan offer a good road map to follow.

My question remains: Where is the sense of urgency around the world? Yes, steps are being taken. However, will public- and private-sector owners and operators of critical infrastructure provide the necessary resources to fully address these cyberattack trends and cyberdefense issues before it is too late?

I just hope that public- and private-sector industries reprioritize efforts to address protecting critical infrastructure against these ongoing destructive cyberattacks – or a cyber-911 may indeed be in our future.

No comments: