Undoubtedly, news that a Florida water plant had been hacked raised a lot of alarms outside the cybersecurity industry. The idea that a water source could be contaminated hit home for many Americans, highlighting the vulnerability of the nation’s utilities and critical infrastructure.
But this attack came as no surprise to security experts. It was not the first evidence that a utilities company had been compromised. As Brian Krebs wrote, “for security nerds who’ve been warning about this sort of thing for ages, the most surprising aspect of the incident seems to be that we learned about it at all.”
Krebs goes on to note that security researchers have often shared evidence of their ability to access what are commonly known as, industrial control systems (ICS), which allow for human beings to remotely interact with the systems that monitor critical infrastructures. If an ICS were compromised, the fallout could be catastrophic. But the reality of the risk to ICS was known long before Florida made headlines.
In 2009, the Federal Energy Regulatory Commission (FERC) approved the first version of the Critical Infrastructure Protection (CIP) reliability standards. More recently, in May 2020, in recognition of the gravity of the risk to health and human safety and the American economy, President Trump signed Executive Order 13920, Securing The United States Bulk-Power System. The new administration is continuing to focus on mitigating supply chain risk, with President Biden signing another Executive Order directing federal agencies to review supply chain security risks across industry.
In response to the Executive Order, Idaho National Laboratory (INL) offered guidance on how to counter threats from adversaries and mitigate the risk of corruption in the supply chain. INL wrote, “Vendors have far better knowledge of the subcontractors who contribute to their products and their compliance with supply chain risk management (SCRM) standards.”
Yet data from Prevailion’s Apex Report shows that supply chains pose one of the greatest risks to unsuspecting enterprises across all sectors, including utilities. These are more than potential threats identified by security researchers. The report reveals evidence of compromise in a major US electric utility targeted by multiple APTs, backdoors in Midwest utilities as well as another infected Florida water district and a Massachusetts utility company. In most cases, the attackers targeted vulnerabilities in the supply chain.
Prevailion has also seen long-running compromise activity in a major industrial provider that supplies the power grid, and the 2020 Apex Report underscores risks in the Oil and Gas Industry. The findings point to, “evidence of compromise within every major component of the Oil and Gas Global Supply Chain.” It’s worth noting that Idaho National Laboratory asserts, “DOE and its intelligence community (IC) partners can and should routinely provide additional data on equipment and adversary efforts to penetrate supply chains and clarify how adversaries are likely to conduct supply chain-based attacks in the future,” but Prevailion’s analysis shows that far too often partners don’t have visibility into attacks on their downline partners and vendors.
In November 2020, Americold was reportedly the victim of a ransomware attack, shedding yet another light on the threat to critical infrastructure given the impact this attack had on cold storage warehouse chains across the US as the country raced to roll out the Covid-19 vaccine. In truth, it’s rare that malware has been used to successfully attack ICS; however, there’s ample evidence that attacking an organization with ransomware is quite commonplace.
Still ICS is not impervious to a ransomware attack. Wired recently reported that security researchers have discovered, “a malware sample has surfaced that uses specific knowledge of control systems to target them with a far blunter, and more familiar, tactic: Kill the target’s software processes, encrypt the underlying data, and hold it hostage.”
Because there is no one attack vector that is the sole threat to American utilities, there is no single solution to protecting critical infrastructure. These are complex systems that require a comprehensive security strategy. That strategy has to be informed by reliable, actionable threat intelligence and it must provide visibility into what is happening throughout the supply chain.
Hijazi discusses Microsoft hack parallels with SolarWinds and how China and Russia likely execute their cyber campaigns.
See Prevailion CEO, Karim Hijazi, comment on how nation states use proxy groups to compromise organizations through weaker supply chain points.
See Prevailion CEO, Karim Hijazi, weigh in on a second solar winds hack and how elite hacker groups have likely already compromised many top companies around