…The most destructive scenarios involve cyber actors launching several attacks on our critical infrastructure at one time, in combination with a physical attack on our country. Attackers could also seek to disable or degrade critical military systems and communication networks. The collective result of these kinds of attacks could be a cyber Pearl Harbor…
– Former U.S. Secretary of Defense Leon Panetta
U.S. Director of National Intelligence James Clapper famously stated in late 2015 that “While most of the public discussion regarding cyber threats today is focused on the confidentiality and availability of information, in the future, however, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity (i.e., accuracy and reliability) instead of deleting it or disrupting access to it”. Concern about cyber attacks on critical public infrastructure is growing as these attacks increase in both prevalence and sophistication. According to the Report on Cybersecurity and Critical Infrastructure in the Americas by TrendMicro, 43% of respondents operating critical infrastructure indicated they had experienced an attack, and an alarming 31% of respondents said they were unsure whether they had been attacked. The 2016 security predictions by CrowdStrike (2015 Global Threat Report) state that the telecommunications and energy sectors show an alarmingly high risk of being breached.
Cyber-attacks on public infrastructure
Data used in public infrastructure can be an easy target for manipulation by external attackers or insiders to tactical or strategic effect. In late December 2015, about 80,000 residents in western Ukraine lost power for six hours following a Russian cyber attack, according to cyber security firms SANS ICS and iSight Partners. As quoted in Newsweek “For the Prikarpattiaoblenergo electric company in Ukraine, the malware and its subcomponents shut down computer operating systems, which in turn ended up shutting down the local electrical grid. Hackers also sought to make it impossible for customers to report electrical issues to the electric company by blocking out the company’s phone system”.
In early 2016, Israel’s electricity authority was hit by ransomware and all the infected machines were taken offline for two days. Ransomware, a particularly nasty strain of malware, locks computers and threatens to delete all data unless the user pays a ransom. On a positive note, Israel’s power grid did not go down even though, according to the Jerusalem Post, “the incident occurred during two consecutive days of record-breaking winter electricity consumption, with the Israel Electric Corporation reporting a demand of 12,610 megawatts that evening as temperatures dipped to below-freezing levels.” These attacks could impact the United States in the future. According to USA Today, between 2010 and 2015, hackers penetrated U.S. Department of Energy networks 159 times.
More recently, in February 2016 a Hollywood hospital was hit by ransomware with all computers being offline for over a week, forcing staff to rely on paper and pencil. Patients were forced to transfer to other facilities, since the hospital was unable to complete the required lab work, pharmacy tasks, or some of the more critical scans such as CT scans.
As more aspects of life are digitized, including household devices as part of the Internet of Things (IoT), ominous over-the-top hacker movies such as Live Free or Die Hard are becoming more plausible. What if a home automation system is compromised such that people are prevented from entering their own homes? Or, in the case of driverless cars, which depend heavily on information from their immediate environment, what if an attacker feeds wrong information into one of these cars, potentially causing a critical crash? Or, on a more serious note, what if hackers bring down an entire city’s 911 public service system?
Detect and respond versus prevent
The 2016 predictions in CrowdStrike’s Global Threat Report found that “2016 may see cyber operators targeting agriculture, healthcare and alternative energy sectors not just for intellectual property, but also for know-how such as building native supply chains and administrative expertise. The targeting of U.S. healthcare institutions in 2015 was suspected to be for espionage purposes, though it may have had the dual purpose of providing western models for supplying affordable healthcare…”
Most of these attacks are the result of a lack of analytical security systems. A great many organizations have sadly discovered that traditional signature-based security solutions alone fail to prevent zero-day attacks. With tolerance for complex deployments waning and more and more applications moving to the cloud, there is a ray of hope that crippling attacks on critical public infrastructure can be stopped or, better yet, prevented. The use of advanced analytical systems that correlate user access, information sensitivity, privileges and policies, alongside traditional systems, proves to be a better bet against most of these targeted attacks.
Security breaches on critical public infrastructure systems should be a wake-up call for these organizations to increase the use of analytical systems that can find evidence of such a breach. The focus needs to shift from finding otherwise unknown malware to how to detect all security breaches, even those that don’t involve malware. By gathering and analyzing a broader set of data, analytics endeavor to bring situational awareness to events, such that the events of relevance that pose the greatest harm to an organization are found and prioritized with greater accuracy.
User and entity behavior analytics (UEBA) is an example of analytics that is gaining a lot of traction these days. With UEBA capabilities, enterprises shift their focus to rapidly detecting and separating the normal user from the malicious or compromised user, by actively monitoring and prioritizing security alerts and streamlining alert investigations. UEBA systems are effective at detecting meaningful security events such as compromised account threats, insider threats, and privileged user threats.
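To make the idea concrete, the following is an added example (not code from the original post or from any UEBA vendor) of the core mechanism the paragraph describes: learn a per-user baseline of normal behavior, then score each new event by how far it deviates from that baseline and rank the resulting alerts so the highest-risk activity surfaces first. All log lines, user names, hosts, IP addresses, action names and the deviation weights are constructed for illustration; the log format is an assumed, simplified one.

```python
from collections import defaultdict
from datetime import datetime
import re

# Constructed two-day training window (not from any real system).
TRAINING = [
    "2016-03-01T09:02:11 user=alice host=ws-042 src=10.1.4.20 action=login",
    "2016-03-01T09:15:40 user=alice host=ws-042 src=10.1.4.20 action=file_read",
    "2016-03-02T08:58:03 user=alice host=ws-042 src=10.1.4.20 action=login",
    "2016-03-02T10:30:00 user=alice host=ws-042 src=10.1.4.20 action=file_read",
    "2016-03-01T07:45:12 user=bob host=scada-hmi-1 src=10.2.0.5 action=login",
    "2016-03-01T07:50:00 user=bob host=scada-hmi-1 src=10.2.0.5 action=setpoint_read",
    "2016-03-02T07:48:30 user=bob host=scada-hmi-1 src=10.2.0.5 action=login",
    "2016-03-02T07:55:10 user=bob host=scada-hmi-1 src=10.2.0.5 action=setpoint_read",
]

# Constructed events from the next day, to be scored against the baselines.
NEW_EVENTS = [
    "2016-03-03T09:05:00 user=alice host=ws-042 src=10.1.4.20 action=login",
    "2016-03-03T02:14:09 user=alice host=scada-hmi-1 src=10.1.4.20 action=login",
    "2016-03-03T02:16:40 user=alice host=scada-hmi-1 src=10.1.4.20 action=setpoint_write",
    "2016-03-03T07:47:00 user=bob host=scada-hmi-1 src=10.2.0.5 action=setpoint_read",
    "2016-03-03T07:52:00 user=carol host=scada-hmi-1 src=198.51.100.7 action=login",
]

LOG_RE = re.compile(r"^(\S+) user=(\S+) host=(\S+) src=(\S+) action=(\S+)$")

# Assumed weights for each kind of deviation; a real product tunes these per environment.
WEIGHTS = {"new_host": 3, "new_src": 3, "off_hours": 2, "new_action": 2}


def parse(line):
    """Parse one log line of the assumed format into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, host, src, action = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "host": host, "src": src, "action": action}


def empty_baseline():
    return {"hosts": set(), "srcs": set(), "hours": set(), "actions": set(), "events": 0}


def build_baselines(lines):
    """Learn, per user, which hosts, source IPs, hours of day and actions are normal."""
    baselines = defaultdict(empty_baseline)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        b = baselines[ev["user"]]
        b["hosts"].add(ev["host"])
        b["srcs"].add(ev["src"])
        b["hours"].add(ev["ts"].hour)
        b["actions"].add(ev["action"])
        b["events"] += 1
    return dict(baselines)


def score_event(ev, baselines):
    """Return (score, reasons); every deviation from the user's baseline adds its weight."""
    b = baselines.get(ev["user"]) or empty_baseline()
    reasons = []
    if b["events"] == 0:
        reasons.append("no_baseline")  # never-seen user: every check below will fire
    if ev["host"] not in b["hosts"]:
        reasons.append("new_host")
    if ev["src"] not in b["srcs"]:
        reasons.append("new_src")
    if ev["ts"].hour not in b["hours"]:
        reasons.append("off_hours")
    if ev["action"] not in b["actions"]:
        reasons.append("new_action")
    score = sum(WEIGHTS[r] for r in reasons if r in WEIGHTS)
    return score, reasons


def rank_alerts(lines, baselines, threshold=4):
    """Score each event and return those at or above threshold, highest risk first."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        score, reasons = score_event(ev, baselines)
        if score >= threshold:
            alerts.append({"score": score, "user": ev["user"], "host": ev["host"],
                           "ts": ev["ts"].isoformat(), "reasons": reasons})
    alerts.sort(key=lambda a: a["score"], reverse=True)
    return alerts


if __name__ == "__main__":
    bl = build_baselines(TRAINING)
    for a in rank_alerts(NEW_EVENTS, bl):
        print(f"{a['score']:>2} {a['user']:<6} {a['host']:<12} {a['ts']} {','.join(a['reasons'])}")
```

Running it ranks the unknown user "carol" logging into the SCADA host from an unfamiliar address first, then "alice" writing setpoints on a host she has never used at 02:00, while bob's routine morning read on the same host scores zero. The point the paragraph makes is visible here: none of the alerts depends on a malware signature, only on the gap between an account's established behavior and what it is doing now, and the ranking is what lets an analyst streamline the investigation rather than wade through every event.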
Gartner’s latest research states that by 2020, 80% of endpoint protection platforms will include user activity monitoring and forensic capabilities, up from less than 5% in 2013. Furthermore, Gartner predicts that by 2018, at least 25% of self-discovered enterprise breaches will be found using UEBA.
While we have yet to see a doomsday scenario like the one described by former U.S. Secretary of Defense Leon Panetta unfold, the intent to commit such attacks is obvious. Many small-scale cyber-attacks are carried out every day, and the increasing frequency of larger attacks on critical public infrastructure, as mentioned earlier in this blog, demonstrates just how vulnerable these systems are to intrusion. A concentrated and joint effort by governments, the private sector, and civil society, along with the use of the latest tools such as UEBA, is probably the only solution to prevent cyber attacks from crippling infrastructure and degrading the capacity of nations to continue their normal operations.