Over the past seven years, ransomware has emerged as a troublesome menace that has shut down manufacturing plants, hospitals, local municipalities, schools, universities around the world. Ransomware is on the rampage, with so many attacks taking place one after the other with more sinister plans – wherein they intentionally tamper the Industrial Control Systems (ICS) of critical infrastructure such as electric power grids and gas refineries which they highly rely on to keep systems running flawlessly and safely. The Methodology adopted by the ransomware groups is to encrypt files on the target systems, encrypt the files, and hold the files for ransom until the victim pays and also exhilarate data and negotiate with companies to pay up or else they scare them to sell the data on Darknet and tarnish the image of the company.
IT and OT network boundaries have increasingly blurred. Though, OT networks rarely require any outside network connectivity to operate seamlessly, however, they are frequently connected for updates and patches without at times proper consideration of the true risk and threats, that it may pose to the business.
This has led to a situation where truly an air gap between IT and OT networks that once protected several OT networks has disappeared and more so due to the current situation due to COVID-19 where Operating staff had to forceful move out of the control centres and partially monitored the OT systems remotely .
Hackers tend to launch very focused cyber-attacks using specially coded malware to drop ransomware payloads written explicitly to target industrial control systems (ICS), Supervisory Control and Data Acquisition (SCADA), and Human Machine Interfaces (HMI) that are the most critical components in OT Systems, that keep systems functioning. Presently situation is that many critical infrastructures such as power grids, industrial manufacturing plants, and others are not equipped to deal with cyber threats. At times cybersecurity is often understood only in terms of IT and securing OT networks is not the priority.
Any device that is connected to a network whether IT or OT, presumably is susceptible for hackers to gain access to and launch a cyber-attack. Therefore, securing the critical infrastructure has to the top priority for organizations. In reality, all the networked devices and systems are highly prone and vulnerable and create a huge threat surface for hackers to attack. When these devices are installed in high-risk environments like critical infrastructure, the consequences of such data breaches are more far-reaching with long-term ramifications. It is essential that any networked devices that are added to the critical infrastructure should be well planned and should not increase the cyber threat landscape. Any let-up in systematic planning to protect the overall systems against cyber attacks could lead to catastrophic effects.
Recently, on 08th May 2021, Colonial Pipeline reported a cyber-attack that has resulted in halting fuel pipeline operations to the East Coast.
Latest Attack on Colonial Pipeline. Colonial Pipeline operates more than 5,500 miles’ of pipeline for fuel supplies from Texas to New Jersey and fulfills approximately 45% of the fuel requirements of the East Coast, including gasoline and jet fuel. A couple of states such as Georgia, South Carolina, North Carolina, and Virginia are highly vulnerable as they have limited options of fuel transportation alternatives. As regards the impact on air travel due to this cyber-attack -Colonial Pipeline carries jet fuel as well and American Airlines had to reroute two of its long-haul flights from Charlotte, North Carolina due to possible fuel shortages. Passengers flying to Honolulu were required to change aircraft in Dallas, and those heading to London had do a stopover in Boston for refuelling. There were emergencies of similar nature, thereby, pushing everyone into panicking mode.
Detection: Colonial Pipeline in the U.S. detected that they were the victim of a Ransomware Cyber Attack on 07 May 2021.
Adversary: This cyber-attack was carried out possibly by “DarkSide” cyber group known for targeted ransomware attacks. DarkSide, allegedly is an Eastern European-based cybercriminal group suspected of carrying out cyber-attack and has conveyed in a notice that its motivation was purely financial. DarkSide Hackers Group supposedly operates out of Russia. The note explicitly states that their goal is to make money and not creating problems for society, thus, Indicating, how organized and focused Darkside hacker groups is.
Impact: Colonial Pipeline was forced to stop all its pipeline operations to contain the cyber-attack. In addition, a couple of IT systems were also affected. The ramifications of the cyber-attack were that it triggered panic-buying of gasoline throughout the Southeastern U.S.
Remediation and Recovery: Colonial Pipeline is closely working with a cybersecurity firm, reportedly FireEye, to investigate this Ransomware attack and methods to resolve the issue.
End Result: Colonial Pipeline most likely has Paid Hackers Nearly $5 Million in Ransom for permitting the critical fuel-shipping system to restart after the Darkside hackers had seized control.
Similarly, in 2020, another natural gas compression facility in the U.S. became victim to ransomware, forcing the company to shut its operations down for two days. That ransomware attack resulted in the shutdown of the gas pipeline for two days as the company was working to bring back the systems online from the backups. That cyber-attack initially started on the IT side of the networks, with the initial access to the Windows Active Directory (AD) to gain widespread access to the victim’s entire network, and thereafter proliferated onto the OT network and eventually infiltrated into the command and communication assets.
In this Ransomware attack, hackers had successfully spear-phished an employee to gain initial access into the network. After the initial access on the IT side of the network, cyber attackers were successful in deploying “commodity ransomware” to encrypt data on both sides of the network i.e. IT as well OT. The basic flaw by the company was, their networks lacked network segmentation between IT and OT portions of the infrastructure, which led to cyber attackers able to launch a successful cyber-attack and encrypt data.
While we see Ransomware attacks increasing multi-fold all over the world, Indian Critical Infrastructure too is vulnerable. Recently, Recorded Future, a cyber-security firm, raised concern of an increase in cyber intrusions attempts from China to target India’s critical infrastructure – electricity grids and seaports. China-linked threat activity group ‘RedEcho’, targeted the Indian power grid sector and seaports through malware conducted number of campaigns to target them. This type of deliberate targeting of India’s power grids and financial infrastructure by china is very unusual and concerning.
Cyber-attack on Indian critical infrastructure is not new, in recent past, Kudankulam Nuclear Power Plant was cyber-attacked by suspected North Korea-based hackers in September 2019 was intended specifically for info theft.
India has to now really work on a fast-track mode to safeguard its critical infrastructure from cyber-attacks. There may also be a need to look into the likely supply chain attacks in critical infrastructure. In case, anyone in the complete supply chain is hacked, entire systems would be compromised.
Unfortunately, those who are responsible for managing cybersecurity aspects often overlook the operational constraints in sectors such as energy, manufacturing, healthcare, or transport considering these networks to be air-gapped and void of getting cyber attacked. However, with the proliferation of IIOT devices in the last couple of years, we are seeing a growth of connected devices that have accelerated the convergence of the once separated IT and OT Networks.
It is a point of concern to immediately plan the cybersecurity and protect Critical Infrastructure from cyber threats. It is right time to leverage on artificial intelligence and machine learning that can assist in automating the detection and response to improve cyber defences. Newer innovations in cybersecurity solution for endpoints, firewalls, antivirus software, and encryption can also be factored in to harden critical assets against attacks as there is an immediate need to harden OT networks and control systems against vulnerabilities that can be introduced through IT networks else OT networks would remain at indefensible levels of cyber risks.
Col. Inderjeet Singh Brar is an expert in encryption and block chain technology.
©️ The content of this Article is intellectual property of The 4th Estate and can not be used except with prior written consent of the Editor, The 4th Estate.
