The new wave of cyber security threats facing critical national infrastructure (CNI)


In 2010, researchers discovered a powerful computer worm targeting critical national infrastructure (CNI). The worm – Stuxnet – was part of a huge cyber attack on an Iranian uranium enrichment plant, allegedly perpetrated by the US and Israel in a joint effort to derail the country’s nuclear programme. As the Stuxnet assault demonstrated, attacks on CNI can have very physical consequences. Amid an increasingly unstable geopolitical climate, this has prompted warnings about the risk posed to CNI systems.

In April, US government agencies issued a joint statement, saying hackers are making custom tools targeting the industrial control systems (ICS) underpinning CNI to gain “full system access”. The agencies urged critical infrastructure organisations to shore up cyber security immediately to protect systems from attack.

In the UK, regulations including the Network and Infrastructure Security Regulations (NIS) and roadmaps such as the National Cyber Strategy 2022 aim to ensure CNI is as secure as possible from a cyber attack. It’s especially important as the risk grows from aggressive nation state powers such as Russia. Indeed, Ukraine says Russia has been targeting its CNI since the conflict began. How significant is the risk from hackers targeting CNI, and how can organisations boost their defences to ward off cyber attacks?

Bringing SCADA online

The challenge with supervisory control and data acquisition (SCADA) systems underpinning critical infrastructure such as power stations is that they were built long before such systems were connected to the internet.

These isolated industrial systems of the past were “incredibly secure”, says Dr Simon Wiseman, CTO at Deep Secure by Forcepoint. “While they still had vulnerabilities, exploiting them generally required gaining physical access.”

CNI, however, later began to distribute processing across stations connected through a network to increase their scope, says Dave Harvey, UK head of cyber security, FTI Consulting.

Connecting to the internet offered reduced costs and increased flexibility, but it also exposed a new and risky attack surface. “As SCADA networks were no longer isolated, threat actors could potentially access systems,” Harvey says. Adding to this, he continues, cyber security was often overlooked in early SCADA generations. “They were sold as ‘turnkey’ packages, meaning the end user did not know what was inside and needed patching.”

The complexity in securing CNI makes it no surprise that the area has become a prime target for attack. Since Stuxnet, multiple incidents involving specialist malware have emerged. In 2017, an attack utilising the Triton malware, which targeted Schneider Electric’s Triconex Safety Instrumented System controllers, resulted in the shutdown of a petrochemical company in Saudi Arabia.

Last year, a ransomware attack on the Colonial Pipeline caused widespread issues across the US. “The Colonial Pipeline ransomware attack stands out because it was so damaging,” says Martin Riley, director of managed security services at Bridewell Consulting.

Attacks on Ukraine’s power grid in 2015 and 2016 also had a huge impact, resulting in blackouts across the country. The Industroyer malware used in the 2016 attack is designed to give attackers access to systems controlling operational equipment.

The CNI-targeting strains breaking onto the scene

CNI attack tools continue to be developed. Riley cites the example of a new malware named Pipedream, which does not exploit any vulnerabilities to compromise target systems. Instead, it interacts with industrial computers called programmable logic controllers using Modbus and Codesys, two common industrial protocols.

The malware's ability to leverage native functionality makes it hard to spot. “It has not yet been seen in a successful attack, but has the hallmarks and capability to be used to great effect in any industrial control system environment,” Riley warns.
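One defensive consequence of Riley's point, as an added example that is not drawn from the article or from any named vendor: because Modbus/TCP carries no authentication, a passive network sensor can decode each request and alert on write function codes arriving from hosts outside a per-PLC allow-list, catching "native functionality" abuse that signature-based tools miss. The IP addresses, frames and allow-list below are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Function codes that change process state; reads are left alone.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the PDU; reject malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # 'length' counts unit id + PDU, so a well-formed frame is exactly 6 + length bytes.
    if len(frame) != 6 + length:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])

def check_write(src_ip: str, dst_ip: str, frame: bytes,
                allowed_writers: Dict[str, Set[str]]) -> Optional[str]:
    """Alert when a write reaches a PLC from a host not on its writer allow-list."""
    req = parse_modbus_tcp(frame)
    name = WRITE_FUNCTION_CODES.get(req.function_code)
    if name is None or src_ip in allowed_writers.get(dst_ip, set()):
        return None  # a read, or a write from an approved engineering workstation
    addr = struct.unpack(">H", req.payload[:2])[0] if len(req.payload) >= 2 else -1
    return (f"ALERT {src_ip} -> {dst_ip} unit {req.unit_id}: {name} "
            f"(FC {req.function_code}) at address {addr}")

# Constructed allow-list and frames (not captured traffic): only the engineering
# workstation 10.0.0.20 may write to the PLC at 10.0.0.50.
ALLOWED_WRITERS = {"10.0.0.50": {"10.0.0.20"}}
READ_HOLDING = bytes.fromhex("00010000000601030000000a")  # FC 3: read 10 registers
WRITE_REG = bytes.fromhex("000200000006010600101234")     # FC 6: write register 0x10
WRITE_COIL = bytes.fromhex("0003000000060105000 2ff00".replace(" ", ""))  # FC 5: set coil 2
```

Monitoring deployed this way is read-only on a SPAN or tap port, so it meets Riley's requirement of visibility without impacting operations.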

Another newly discovered malware is named Incontroller, which cyber security firm Mandiant says has “an exceptionally rare and dangerous cyber attack capability”.

The threat to CNI stems from the fact that a successful attack could be devastating in the most physical sense, potentially endangering lives. Increased connectivity into operational technology (OT) and bridging into previously air-gapped environments furthers the risk, says Riley.

As CNI becomes increasingly digitised, the risk is “significant” and “continues to grow”, agrees Harvey. “The consequences of a cyber-attack on CNI are greater than any other industry. This would create mass destruction, comparable to a weapon of mass destruction, that would leave organisations unable to operate.”

Many variables drive the threat, including geopolitical instability as well as technological changes such as the Internet of Things (IoT).

The increasingly digital supply chain is also a threat. Third-party connections add further risk by “providing an entry point to the main target”, Harvey says.

Countering CNI threats in a digitised world

To build resilience, organisations must understand their exposure, including the risk, threats, and likelihood of attack, says Harvey. He advises firms to complete criticality reviews and map dependencies within CNI and its supply chains to “fully understand their digital ecosystem and where risk lies”. This should include who has access to data, and what would happen if the supply chain became compromised. At the same time, leveraging advanced threat intelligence tools and their capabilities is “invaluable”, he adds.

Protecting CNI should involve integrating IT and OT networks, experts advise. “This can be accomplished by leveraging programme assessments to identify vulnerabilities so legacy systems can first be secured,” Harvey continues. He advises future-proofing operations through a “security-focused, agile infrastructure”.

It’s important not to lose sight of cyber security basics, says Riley. “You need to ensure full visibility of all systems, without impacting operations.”

This means understanding which sites, plants and systems need the greatest controls. “While risk management surrounding these will have been done for many years, cyber security and architecture must be considered as transformation initiatives such as automation continue,” says Riley.

CNI firms need to ensure they are as secure as possible to avoid future threats. Costa Rica’s recent declaration of a state of national emergency after government systems were held to ransom shows a near future where large-scale ransomware attacks against CNI sectors are “a very real reality”, says Will Dixon, director of the academy and community at ISTARI.

Indeed, data-locking ransomware is impacting all sectors, including CNI, where the consequences can be particularly devastating. In the future, SANS Institute instructor Christopher Robinson thinks there will be more instances of ransomware affecting CNI systems, “even if not directly”.

Riley agrees. “As investment in ICS specific malware continues, ransomware may take on another form across CNI, where industrial control systems are held to ransom, or destroyed through attacks,” he predicts.

This is set against a backdrop of a widening attack surface, which will also elevate the threat. “The threats to systems will continue to surge as businesses connect CNI to other networks such as cloud, attackers develop better toolsets, and the interdependency between enterprise and CNI networks increases,” says Robinson.

It’s already leading to increasing regulation around CNI, and experts predict this will continue. Harvey cites the example of the EU’s NIS2 directive, which aims to strengthen cyber security requirements, address supply chain threats, and introduce accountability for non-compliance. “This will likely lead to improved reporting and information sharing, akin to the financial services sector.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.