Global alarm intensifies as state-sponsored cyberattacks raise risks to critical infrastructure, national security

State-sponsored hacker groups’ recent increase in cyberattacks on critical infrastructure has sparked global alarm. These coordinated and sophisticated cybersecurity threats and attacks present serious risks to national security and public safety. Essential systems like power grids, healthcare systems, and water treatment plants are at heightened risk of disruption or manipulation, underscoring the critical importance of implementing strong cybersecurity measures.

The U.S. currently faces an unprecedented ‘era of strategic competition’ with nation-state actors who target American critical infrastructure and tolerate or enable malicious actions conducted by non-state actors. Adversaries target critical infrastructure using licit and illicit means. In the event of a crisis or conflict, the nation’s adversaries will also likely increase their efforts to compromise critical infrastructure to undermine the will of the American public and jeopardize the projection of U.S. military power. 

The prevailing threat landscape has led to the U.S. administration advancing its national unity of effort to strengthen and maintain secure, functioning, and resilient critical infrastructure. Addressing these threats and attacks requires international cooperation, stringent regulations, and investment in advanced cybersecurity technologies. Additionally, enhancing public awareness about cyber threats and promoting cyber hygiene practices are crucial steps toward mitigating the risks posed by state-sponsored cyberattacks on critical infrastructure.

Beyond the U.S., the European Union Agency for Cybersecurity (ENISA) released an executive summary of ‘Foresight Cybersecurity Threats for 2030,’ highlighting the top 10 emerging threats. The study revisits previously identified threats and trends, providing insight into the evolving cybersecurity landscape. By addressing issues such as supply chain compromises, skill shortages, digital surveillance, and AI abuse, it contributes to the development of robust cybersecurity frameworks and best practices to counter emerging threats by 2030.

Earlier this year, the U.K. National Cyber Security Centre (NCSC) issued a report on the potential impact of artificial intelligence (AI) on the global ransomware threat. The report warns that the increasing use of AI is likely to escalate the frequency and severity of cyber-attacks in the future. The NCSC advises organizations and individuals to enhance their cybersecurity measures proactively. Additionally, the report discusses how AI will impact cyber operations, particularly in social engineering and malware, highlighting the importance of maintaining heightened vigilance against evolving cyber threats.

Analysis of surge in cyberattacks on US critical infrastructure

Industrial Cyber consulted industrial cybersecurity experts to identify the primary factors driving the recent increase in cyberattacks on critical infrastructure in the U.S. Additionally, they investigated how state-sponsored hacker groups are infiltrating and compromising sensitive systems within the country.

“One key factor has been the expansion of connected systems due to the IT/OT convergence, where organizations are having their OT cybersecurity roll under central IT structures. Another factor has been the wider adoption of remote access driven after COVID,” Harshal Haridas, chief architect for Honeywell OT Cybersecurity, told Industrial Cyber. “A lot of attacks involve malware that are often deployed via USB devices. State-sponsored hackers are also using AI to enable more of their capabilities in penetrating sensitive systems.”

Bryce Livingston, a senior adversary hunter at Dragos, said that the perceived surge in cyberattacks can likely be attributed to several interconnected factors: elevated geopolitical tensions in multiple regions across the globe, in addition to continued growth in the global cybercriminal ecosystem, where we see specialized criminal economies of scale emerging. “This specialization has lowered the barrier to entry for engaging in cybercrime.” 

Additionally, Livingston pointed out that “we see the increasing use of cyberattacks by hacktivist personas to influence perceptions around certain events. Nevertheless, despite evolving adversary tactics, most attacks exploit persistent vulnerabilities such as outdated software or inadequate network visibility. As long as these vulnerabilities exist, they will continue to be targets for exploitation.”

“Iran and Russia told us they hacked the systems,” industrial cybersecurity expert Joe Weiss told Industrial Cyber. “The question not being asked is, ‘Have there been unreported control system cyber incidents occurring in water and other sectors?’ The answer is, ‘Many, but it is not clear if they were “unintentional” or cyberattacks that were not identified as such.’”

He highlighted that this lack of awareness of control system cyber incidents was evident at RSA. “The container ship Dali that crashed in Baltimore Harbor is an example of whether an event is a sequence of several coincidences all taking place at the right time or an orchestrated and coordinated cyberattack.” 

“For IT, that is a question that hasn’t been fully answered since the SolarWinds attack,” Weiss added. “For control systems, it is much easier to penetrate and compromise critical infrastructures as there is little to no cyber security in control system field devices and no cyber security training to address these issues. Russia, China, and Iran are aware of these gaps and are exploiting them. Making matters worse, the cyber defenders are not addressing these devices, which was very evident at RSA.”

Implications of cyberattacks on national security and public safety

The executives discuss the potential implications of these cyberattacks on national security and public safety. They also consider the long-term consequences of these attacks on public trust in the security of critical infrastructure systems.

Haridas said that many of the hackers want to disrupt key services such as electricity, water, internet, and energy. “While some cyberattacks have had financial motives, others clearly were attempts to shut down utilities, take control of critical services, or hack personal information of voters. So whether an attack is intended simply to disrupt utilities, government systems or such, they could lead to a decrease in public trust.”

Livingston outlined that the implications of these attacks are potentially serious. “The severity of risk varies by sector, with some industries facing severe scenarios. Regarding public trust, it’s premature to say that there is a loss of confidence in the security of U.S. critical infrastructure. Most people don’t generally think about the infrastructure they rely on, which is a testament to the reliability engineered into these systems. Nevertheless, the visibility and frequency of these cyberattacks pose a public perception risk.” 

“In the future, we are likely to continue to see shifts in both public and governmental perception towards recognizing increased cybersecurity risks,” Livingston added. “This recognition ideally spurs greater investment in cybersecurity for critical infrastructure. The ideal is reducing risks to manageable levels, maintaining public trust, and ensuring critical infrastructure reliability.”

Weiss said it should be evident that compromising critical infrastructures can have a significant impact on national security and public safety. “The lack of public trust starts when a significant event such as the Dali striking the Key Bridge occurs and the government early on says it wasn’t a cyberattack without any analysis or justification. It takes a long time and a very detailed analysis to make that decision. While at RSA, I had discussions with the FBI and others on that subject,” he added.

Diving into US government response to cyber threats in critical infrastructure

The cybersecurity experts analyze how the US government is responding to cyber threats and the measures being implemented to bolster cybersecurity in critical infrastructure sectors. They also focus on identifying any patterns or trends in the methods and tactics employed by state-sponsored hacker groups when targeting US critical infrastructure.

Weiss said that the government response is treating these incidents as network security issues and poor cyber hygiene. “The Iranian hack of Unitronics controllers is a good example of this singular focus on Internet Protocol (IP) networks. Unitronics is an all-in-one controller which means the HMI and controller logic are in the same box. However, the government response was only to address network issues and not check the possible compromise of the control logic, i.e., Stuxnet.” 

“Again, it was evident from the discussions at RSA that cyber issues with Level 0 devices (process sensors, actuators, and drives) are not being addressed,” Weiss pointed out. “Except for a senior person at NSA, it was the first time the people I met at RSA had even been aware of that issue and that includes many government officials.” 

He further added that, from “what I am aware, Iran, China, and Russia are exploiting known control system cyber weaknesses including field devices. There have been two Presidential Executive Orders on Chinese compromises of critical equipment used in US critical infrastructure.”

Haridas said that the U.S. government continues to support cybersecurity resiliency through executive orders, directives, and regulations. “It also has agencies that advise organizations through bulletins on threats and may offer national security resources to help investigate when critical infrastructure has been breached. Measures taken by industry to enhance cybersecurity include adoption of asset discovery and vulnerability management software to understand the exposure and risk for critical infrastructure deployments.”

“Honeywell’s recently released 2024 USB Threat Report revealed that we are seeing more long-term silent residency from sophisticated hackers who bury themselves into key operational systems via malware to observe and learn,” according to Haridas. “At the same time, our research indicates that 82% of malware is capable of causing disruption to industrial operations, potentially resulting in loss of view, loss of control, or OT system outages.”

Livingston noted that the U.S. government is responding to the recent cyber attacks on critical infrastructure, including water utilities, in coordination with industry, as well as international partners. “This includes the owners and operators in the targeted sectors, as well as the vendor and cybersecurity service provider community.” 

“The Cybersecurity and Infrastructure Security Agency, the National Security Agency, and others have released multi-seal advisories about the observed threats and tactics, as well as mitigation measures in order for critical infrastructure owners and operators to take action,” according to Livingston. “And through things like the NSA Cybersecurity Collaboration Center and CISA’s Joint Cyber Defense Collaborative, we are more than ever seeing the importance of bringing industry into the fold to protect the nation’s infrastructure.”

He added that many of the recent attacks that we’ve seen, especially in the water sector, have used relatively unsophisticated tactics, including exploiting things like default passwords. “This highlights the importance of basic cybersecurity protections, especially in OT environments, including the 5 Critical Controls.”

Role of emerging technologies in strengthening cybersecurity defenses

The executives explore how emerging technologies such as artificial intelligence and blockchain can enhance cybersecurity defenses against state-sponsored cyberattacks.

“Hackers have focused a lot of attention on critical infrastructure as a prime target, and prior attacks often required in-depth understanding,” according to Haridas. “AI can lower the complexity bar to enable less experienced hackers in generating malware and initiating sophisticated phishing attacks. So this changes the OT threat landscape where we may need to implement AI to defend against AI.”

Livingston said that emerging technologies show the potential to improve security across sectors. “AI could assist cybersecurity teams by reducing repetitive workloads, for example. Blockchain technology can offer improvements in data integrity. However, these technologies are not panaceas. The foundational aspects of cybersecurity remain far more important and impactful for the majority of organizations.” 

“AI can be a help or a hindrance depending on how the data is trusted and analyzed,” Weiss weighed in. “If AI assumes the process sensor inputs are uncompromised, authenticated, and correct, AI will lead us down the wrong path. Blockchain doesn’t apply to control systems operations but can apply to the process sensor data.”

Impact of cyberattacks on international relations and geopolitics

When examining the impact of cyberattacks on international relations and geopolitics, specifically regarding diplomatic tensions and cybersecurity cooperation efforts, Livingston noted that heightened tensions do not create a conducive environment for international diplomacy or cybersecurity collaboration. “Moreover, we’ve seen a steady trickle of indictments and cybersecurity advisories emanating from the U.S. government indicating concern with operations they allege emanate from Russia, China, and Iran.” 

While these declarations reflect growing governmental concerns, the secretive nature of cyber operations means that understanding their impact on diplomacy and international relations remains speculative, Livingston concluded.