Segmenting the Information Technology (IT) and Operational Technology (OT) networks will not, on its own, protect critical infrastructure if people remain ill-equipped and continue to make errors.
The US Cybersecurity and Infrastructure Security Agency (CISA) recently reported that it had responded to a ransomware attack on a natural gas facility, which forced the facility to shut down for two days while it struggled to recover.
The cyberattack affected control and communication assets on the operational technology (OT) network of a natural gas compression facility. According to CISA, a cyber threat actor used a ‘spear phishing’ link to obtain initial access to the company’s information technology (IT) network before pivoting to the OT network.
The attack succeeded because the threat actor was able to move from the gas compression facility’s IT network onto the OT network after an employee mistakenly clicked on a malicious email link. This allowed the perpetrator to deploy commodity ransomware and ‘encrypt data for impact’ on both networks.
A closer analysis of this news points to a two-sided problem. One side is the technological cybersecurity failure; the other is the (unfortunate) human involvement that enabled the incident.
Attacking critical infrastructure
As we recently reported, there are many known worldwide cases of attacks on critical infrastructure.
The cyber-attack on the Ukrainian power grid in 2015 and 2016 left hundreds of thousands of people without electricity for hours. In December 2017, another successful cyber-attack against the Ukrainian power grid caused power outages that impacted over 200,000 people.
A very recent power outage in Venezuela, also caused by successful cyber-attacks, left millions of people in the dark. It affected the electricity sector in most of Venezuela’s 23 states, causing serious problems for hospitals and clinics, industry, transport and the water service. Venezuelans needed five days to restore the power supply even partially.
The current escalation of a digital Cold War sharply increases the likelihood of attacks on adversaries’ national critical infrastructure. “Cyber-attacks will increasingly be used as proxy conflicts between smaller countries, funded and enabled by large nations that are looking to consolidate and extend their spheres of influence. This was seen in the recent US cyber operations against Iran, following attacks on Saudi Arabia’s oil facilities,” warns the cybersecurity company Check Point.
The attack on the US natural gas compression facility is simply a continuation of this global trend. According to CISA, the effect of the attack on the gas compression facility was “significant as the impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial loss of view for human operators”.
Technologically, the success of the attack was attributed to the critical failure to segment the IT and OT networks, even though technology for such segmentation, known as ‘data diodes’, already exists. A data diode allows network telemetry and communications to flow out to the IT monitoring system but not back into the OT network, thereby protecting the OT infrastructure.
Humans, the weakest cybersecurity link
On the other side of the dichotomy, the enabler of the attack was an accidental human error. This did not surprise us, as we recently warned that the human factor is, and will remain, a perpetual cybersecurity problem for the foreseeable future.
Unaware and untrained employees are seen as a significant cybersecurity problem, since most attacks are designed to take advantage of human error rather than flaws in software. Whether people click on malicious links or accept fraudulent emails, organisations face critical security consequences because of employee errors, warns Kaspersky Lab.
Spear phishing, the technique used in the attack on the natural gas compression facility, is becoming the new normal. It is a multi-stage process: careful observation and collection of relevant data and information about the target, followed by a well-crafted email that plays on both the emotions and the instincts of the victim.
It is distressing that phishing is still one of the three major concerns of cybersecurity professionals. The 2019 Data Breach Investigations Report confirms that 90% of cyber-attacks start with phishing and then morph into attacks that are beyond all recognition.
As phishing emails become increasingly convincing, the number of these attacks grew by nearly 300% in 2018. Email phishing accounted for 90% of data breaches in 2019, at an average cost of USD 3.86 million per data breach, according to IBM.
Attackers exploit employees’ bad habits by sending out about 156 million phishing emails every day. As a result, more than 80,000 people fall victim to phishing emails daily.
As we recently discussed, a number of studies confirm that people tend to find ways to work around organisational cybersecurity policies. They usually do not do this on purpose; it is driven by habit.
Being successfully phished is already a serious problem, but an even greater worry is that 15% of people who have been phished will be targeted at least once more within the year.
Is making employees aware of cyber dangers enough, then? We think not. Although an important part of improving an organisation’s cybersecurity posture, awareness is only the beginning of a process that should lead to behaviour change.
We believe that changing behaviour requires more than providing information about risks and the appropriate responses. First, people must be able to understand and apply the advice; second, they must be motivated and willing to do so. The latter requires changes in attitudes and intentions.
The key factor in raising awareness and changing people’s behaviour is motivation. If we want people to behave in a certain way, we need to motivate them. In other words, we have to understand why employees do certain things and then select the optimal persuasion method for changing their behaviour. That also includes identifying the behavioural drivers.
Equipping people to protect national critical infrastructure digitally is of the utmost importance for every country. This is particularly vital for countries such as South Africa, where the power supply remains tight and volatile and further load shedding may follow should the situation deteriorate.
An additional worry for South Africans was the recent news that the State Security Minister, her deputy and several people within the ministry had their phones cloned by unknown suspects. The South African government must therefore scrutinise its own digital security as well as its capacity to protect the national critical infrastructure.
Hence we reiterate our recent warning that attacks on critical infrastructure and cyber-related blackouts are looming possibilities. If they are not addressed seriously, South Africa’s reality could turn into a nightmare for years to come.