Defending critical infrastructure: The status quo isn’t working
AI can help thwart attacks before they affect operations
Paid Feature Cyber-attacks aren't just about siphoning bank accounts. They're also targeting critical national infrastructure, warn experts – and we're not doing a very good job of preventing them. How can we stop the rot and protect the systems that funnel our oil, carry our electricity, and manage our water, among other things?
Critical infrastructure spans more sectors than you'd think. The US defines 16 of them, while the UK has 13. They include anything that is necessary for society to function on a daily basis, and include the obvious sectors like energy, but also finance, food, and pharmaceuticals.
Governments are waking up to the threat of attacks on CNI. In its 2020 National Cyber Threat Assessment, the Canadian government fretted that "state-sponsored actors are very likely attempting to develop the additional cyber capabilities required to disrupt the supply of electricity in Canada."
The US has been suffering these attacks for a while. In April 2021, it announced a 100-day plan to shore up electrical grid security. This followed a hand-wringing GAO report finding that it continues to be at risk from cyber-attacks. It followed this up with a memorandum on improving cybersecurity for critical infrastructure control systems.
Municipal water supplies also face significant threats, with hacks on systems in Kansas, Florida, and Texas. Cities don't often have the expertise or resources to secure systems well or monitor for these kinds of attacks, and the attackers only have to succeed once.
The stakes are especially high with these systems, points out Dave Masson, Director of Enterprise Security at Darktrace. Many CNI sectors rely heavily on operational technology (OT) systems.
Traditional IT attacks generally aim to steal or manipulate data, and while this can and often does have spillover consequences on the real world, OT attacks target physical systems directly.
"It can be something as simple as opening and closing a valve, but that could affect the flow of oil," Masson explains. Attacks on OT are all about stopping legitimate actions from taking place or starting unauthorised ones. "When that happens, critical national infrastructure then gets harmed."
Legacy OT systems were not built with security in mind – the prevailing idea at the time of their conception was that OT should be "air-gapped" – not connected to the internet.
In recent years, though, this has become unrealistic, and these systems are connecting to the internet as companies demand new functionality such as remote monitoring and management via the cloud. This presents a problem for organisations as their attack surfaces increase. Suddenly, networks that were safe from malicious network packets are now reachable.
A long history of CNI and OT attacks
Stories about attacks on OT might be hitting the headlines this year but they aren't new, points out Masson.
"For most people in the security industry, it probably began in about 2010 with the Stuxnet attack against the Natanz nuclear facility in Iran," he says. "That's really where people started to think about critical infrastructure being attacked."
In fact this is a trend that extends back far before that to at least 1903, when British magician Nevil Maskelyne crashed Guglielmo Marconi's attempt to demonstrate secure transmission of a radio message between Cornwall and London. Maskelyne broke in with his own Morse code transmission which poked fun at the Italian inventor. It wasn't exactly show-stopping malware, but it was a precursor of things to come.
Since the turn of this century, more serious OT attacks targeting CNI have emerged. These range from the Russian attack on the Ukraine power grid, through to the Dragonfly campaigns on the energy sector in 2014 and 2017, and the targeting of ICS systems in the Middle East by Triton malware.
Why OT attacks are so hard to stop
Where are we going wrong in the battle to protect our CNI? The problem lies in the gap between IT infrastructure and OT, explains Masson.
"The engineers who run operational technology aren't ignorant about this," he says. "The problem is they cannot react fast enough to the developments that are going on."
A lot of OT networks are fragile, he warns. These systems are not designed for updates at the cadence that IT admins are used to. Equipment might stay operational for years with few if any firmware updates. Patching a device could have a physical effect on a process with potentially catastrophic results, so it isn't something that OT admins do lightly.
The other problem is that you can't patch what you don't know about. With state actors behind many of these attacks, a proportion of them involve the use of zero-day vulnerabilities in target systems. That makes signature-based systems that scan for known malware footprints less effective, Masson says. In any case, virus scanners don't fit very well onto programmable logic controllers.
How AI can help
Darktrace's self-learning AI technology takes a different approach to this problem. Instead of scanning networks and endpoints for tell-tale signatures, it uses an unsupervised learning model that understands the "patterns of life" of every device across the OT infrastructure. Masson describes it as understanding the "self" of the industrial control system in the same way that the immune system understands what a healthy functioning body looks like.
The system then watches for changes in that system's behaviour, watching ICS components and what they're doing in real time. If it spots activity that deviates from the norm, it homes in on it as a white blood cell might target an infected cell in the body, attempting to put things to rights.
At this point, Darktrace's solution can make its own decisions as part of an autonomous response, he explains.
"When there is a change, it can enforce what we call the original pattern of life. We can use AI to stop just that change without stopping anything else," he says. "We can do that in real time, and the response action is incredibly precise and targeted."
That's important from a CNI perspective because it enables a company to keep industrial control systems running, maintaining operations. That was the case with a European manufacturing client that Darktrace helped recently, which saw an attack on a PLC in its infrastructure.
The PLC, which had never scanned the network, began beaconing using the SMBv1 protocol, indicating an attempt at lateral movement. The company quickly took that device out of production and then used Darktrace's search facility to check for other instances of that behaviour. That eventually revealed 13 other infected devices. Automated investigation found that the ICS units were infected with the Yalove and Renocide malware.
Although the manufacturer was able to take some devices offline, it couldn't disconnect all of them because some were necessary for production. Masson explains that it used Darktrace to contain the threat while the company waited for the third-party vendor to fix the problem. It relied on the AI to alert it if the infected devices started to do anything potentially damaging.
Knock-on effects: IT and OT interdependence
The OT risk is growing as the barriers to entry drop. State actors might not be the only people targeting infrastructure anymore, Masson explains. While ransomware might not go after OT directly, it can affect infrastructure companies by hitting their administrative systems.
For example, when Colonial Pipeline suffered a ransomware attack in May, it hit the company's commercial systems rather than the OT infrastructure. The company suspended oil distribution as a precautionary measure.
AI can help here too, by thwarting attacks on the IT side before they affect operations. Masson recalls one Darktrace manufacturing client that suffered an attack on its IT systems. A new administrative account appeared on the network, and began establishing connections to various IT systems. Within an hour, the malware began exfiltrating data in what had all the hallmarks of a double extortion ransomware attack. The exfiltration used an IP address that had not been seen before.
While this customer had not deployed Darktrace's autonomous response, the technology alerted the company immediately that there was a problem, enabling it to keep an eye on everything. The attacker had done a poor network enumeration job, meaning that no critical data was stolen or encrypted. The company felt in full control of the situation.
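To make the behavioural approach concrete, here is an added Python sketch, written for this piece rather than taken from Darktrace, of how a per-device "pattern of life" baseline turns the two incidents described above into findings: the PLC that started beaconing on the SMB port to peers it had never spoken to (the manufacturing case in the previous section), and the new administrative account that pushed data to a never-seen IP (the IT-side case just described). It also shows how a response can be restricted to the deviating flows alone, enforcing the original pattern of life without touching baseline traffic, and how the same findings become alert-only when autonomous response is not deployed. All addresses, accounts, flow records, thresholds and the 10.0.0.0/8 "internal" range are constructed assumptions.

```python
# Added example (not Darktrace's code): behavioural baselining of network
# flows in the spirit of the "pattern of life" approach the article describes.
# Every address, account and flow record below is constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the plant/office address range


@dataclass(frozen=True)
class Flow:
    src: str        # initiating device
    account: str    # identity behind the connection ("-" for headless OT gear)
    dst: str
    port: int
    bytes_out: int  # bytes sent by src in this flow


def is_external(addr: str) -> bool:
    return ip_address(addr) not in INTERNAL


class Baseline:
    """Per-device pattern of life learned from a quiet window. Unsupervised:
    no malware signatures, only what each device and identity normally does."""

    def __init__(self, flows):
        self.ports = defaultdict(set)      # src -> ports it normally uses
        self.peers = defaultdict(set)      # src -> (dst, port) pairs seen
        self.max_out = defaultdict(int)    # src -> largest single flow seen
        self.accounts = set()              # identities seen on the network
        self.external = set()              # external addresses ever contacted
        for f in flows:
            self.ports[f.src].add(f.port)
            self.peers[f.src].add((f.dst, f.port))
            self.max_out[f.src] = max(self.max_out[f.src], f.bytes_out)
            if f.account != "-":
                self.accounts.add(f.account)
            if is_external(f.dst):
                self.external.add(f.dst)


@dataclass(frozen=True)
class Finding:
    kind: str
    src: str
    detail: str
    action: str     # the narrowest rule that removes only the deviation


def detect(base: Baseline, flows, fanout=5, exfil_factor=10):
    """Score a later window against the baseline. Only behaviour a device never
    showed before produces a finding; its normal traffic is left alone."""
    findings, seen_accounts = [], set()
    new_port_peers = defaultdict(set)   # (src, port) -> peers on a never-used port
    for f in flows:
        if f.account != "-" and f.account not in base.accounts \
                and f.account not in seen_accounts:
            seen_accounts.add(f.account)
            findings.append(Finding("new-account", f.src,
                                    f"account {f.account} first seen on {f.src}",
                                    f"suspend {f.account} on {f.src}"))
        if f.port not in base.ports[f.src]:
            new_port_peers[(f.src, f.port)].add(f.dst)
        if (is_external(f.dst) and f.dst not in base.external
                and f.bytes_out > exfil_factor * max(base.max_out[f.src], 1)):
            findings.append(Finding("exfil-to-unseen-ip", f.src,
                                    f"{f.bytes_out} bytes to never-seen {f.dst}:{f.port}",
                                    f"block {f.src} -> {f.dst}:{f.port}"))
    for (src, port), dsts in new_port_peers.items():
        if len(dsts) >= fanout:   # one new peer is noise; many at once is lateral movement
            findings.append(Finding("lateral-movement-fanout", src,
                                    f"new port {port} to {len(dsts)} peers",
                                    f"block {src} -> *:{port}"))
    return findings


def plan_response(findings, autonomous: bool):
    """Enforce the original pattern of life (autonomous) or alert a human."""
    mode = "enforce" if autonomous else "alert"
    return [(mode, f.action) for f in findings]


# --- constructed sample windows --------------------------------------------
PLC, HMI, WKS, FILESRV = "10.0.5.20", "10.0.5.10", "10.0.1.15", "10.0.1.50"

QUIET_WINDOW = [
    # the PLC polls its HMI over Modbus/TCP all day and does nothing else
    *[Flow(PLC, "-", HMI, 502, 300) for _ in range(50)],
    # alice's workstation uses the file server and one known external endpoint
    *[Flow(WKS, "alice", FILESRV, 445, 20_000) for _ in range(30)],
    *[Flow(WKS, "alice", "203.0.113.8", 443, 40_000) for _ in range(30)],
]

SUSPECT_WINDOW = [
    # the PLC still does its Modbus polling ...
    *[Flow(PLC, "-", HMI, 502, 300) for _ in range(10)],
    # ... but now beacons on the SMB port (445) to eight peers it never spoke to
    *[Flow(PLC, "-", f"10.0.5.{n}", 445, 180) for n in range(11, 19)],
    # a new admin account appears on alice's workstation, touches a couple of
    # hosts, then pushes a large upload to an external address never seen before
    Flow(WKS, "svc-backup2", FILESRV, 445, 5_000),
    Flow(WKS, "svc-backup2", "10.0.1.51", 3389, 2_000),
    Flow(WKS, "svc-backup2", "198.51.100.77", 443, 50_000_000),
]

if __name__ == "__main__":
    base = Baseline(QUIET_WINDOW)
    for mode, action in plan_response(detect(base, SUSPECT_WINDOW), autonomous=True):
        print(mode, action)
```

Run against the constructed windows, the PLC's Modbus polling passes untouched while its port-445 fan-out yields a single rule blocking only that device's new port, which is the precision the article's "stop just that change" describes; the exfiltration finding likewise names one destination tuple rather than the whole workstation. A real product models far more than peers, ports, volumes and identities (timing, protocol semantics, many devices at once), and the thresholds here are deliberately simple, but the structure is the same: learn the quiet state, flag departures from it, and respond as narrowly as the finding allows.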
"It had utter confidence that it could stop this attack," Masson recalls. "It started taking things off the network, but knew that it wasn't going to get into their OT infrastructure." It might be unsurprising that today, Darktrace protects organizations across all 16 critical infrastructure sectors designated by CISA.
CNI will only become more connected over time as the air gap between IT and OT closes. Companies face rising stakes as attackers look beyond their accounting data and customer records to rattle the doors on their industrial systems too. With that in mind, it might be time for infrastructure companies to test some new protection measures before the bad actors come calling.
Sponsored by Darktrace.