In separate incidents, a US utility company and an Italian oil company have become the latest victims of cyber attacks, highlighting a growing threat to critical infrastructure in the industrial and manufacturing sectors.
On 4 October 2018, the Onslow Water and Sewer Authority (ONWASA) in Jacksonville, North Carolina fended off a ransomware attack, only to succumb to a second attack nine days later. ONWASA says water supply was unaffected by the attack and customer data was not compromised. However, the company had to resort to manual processes to deliver key customer services. The utility received a ransom demand, but opted instead to rebuild affected databases.
In December, Italian oil-services company Saipem SpA revealed that it had been affected by a cyber attack at its operations in the Middle East and UK, resulting in the shutdown of around 400 servers. The company is a supplier to Saudi Arabian oil giant Saudi Aramco, which was hit by the so-called Shamoon virus in 2012 and 2016.
WIDENING ATTACK SURFACE
As the cyber threat has evolved in recent years, attacks against critical infrastructure and industrial companies have become more prevalent and sophisticated. Organisations have fallen victim to ransomware and malware attacks, as well as targeted cyber attacks linked to nation states.
According to Kaspersky, conventional malware and virus outbreaks are becoming more and more problematic, with increasing connectivity of operational technology (OT) and industrial control systems to IT networks. It also predicts that the attack surface will most likely increase, as many companies are only just embarking on the process of digital transformation.
The cyber security firm’s State of Industrial Cybersecurity 2018 report found that targeted attacks and advanced persistent threats (APTs) are the biggest concern, followed closely by malware and ransomware attacks. Of the companies that had been affected by a cyber attack in the last 12 months, 64% experienced a malware attack, 30% a ransomware attack and 16% a targeted attack.
The recent attacks come almost a year after a cyber security firm revealed a landmark attack against a petrochemical facility in the Middle East. The attack, believed to be the first to successfully shut down safety systems, used Triton, a family of malware developed specifically to target industrial control systems. The attack was initially thought to have originated in Iran, but was recently linked to Russia.
Hackers and nation state groups have been targeting industrial control systems for almost a decade. The Stuxnet worm caused substantial physical damage to equipment used by Iran to enrich uranium in 2010, in what was widely thought to be the first example of a virus successfully targeting supervisory control and data acquisition (SCADA) systems.
In 2013, Iranian hackers allegedly took control of the Bowman Dam in Rye, New York, while Ukraine’s power grid was disrupted in 2015 and 2016 when hackers accessed its SCADA systems. In 2014, hackers took control of industrial systems at a German steel mill, causing significant damage to a blast furnace.
More recently, Symantec found that hackers were targeting the industrial control systems of European and US energy companies. A group known as Dragonfly has been probing organisations in the US, Turkey and Switzerland, using social engineering and malware to access systems and gather information, potentially to carry out sabotage at a later date.
Industrial companies and critical infrastructure are also vulnerable to malware attacks, both targeted attacks and global outbreaks. Last year the WannaCry and NotPetya global malware attacks caused widespread disruption to industry, impacting FedEx, Deutsche Bahn, Maersk and many other companies. Port terminals closed and a number of manufacturing companies, including car manufacturers, food and consumer goods groups, were forced to shut down their systems and halt production.
Variations of the malware have since affected Boeing, while a computer virus resulted in the temporary closure of factories operated by Taiwan Semiconductor Manufacturing, a supplier to Apple and other tech companies. Earlier this year, ports in the US and Europe, as well as a Chinese shipping company, were hit by ransomware attacks.
According to Kaspersky, OT and industrial control system (ICS) cybersecurity is a priority for the majority (76%) of firms it surveyed, but organisations still have a long way to go with regard to cyber security.
Some 46% of companies surveyed for the State of Industrial Cybersecurity 2018 report experienced a cyber incident in the past 12 months, while 10% still do not record the number of breaches. Over three quarters of companies believe they are likely to become a target of a cybersecurity attack in the OT / ICS space.
Of those companies that experienced a cyber attack in the past 12 months, 54% noticed damage to their products or services, a significant increase from 29% in the 2017 survey. Just under a quarter (22%) of the companies surveyed experienced a loss of contracts or business opportunities, while 15% suffered damage to equipment, both of which can impact the bottom line.
Worryingly, however, only 23% are compliant with minimal mandatory industry or government guidance and regulations around cybersecurity of ICS. Kaspersky also found that compliance with voluntary industry or government guidance and regulations has reduced as organisations focus their resources on mandatory cybersecurity requirements, and because of an ICS cyber security skills shortage. Some 58% of companies are finding it a challenge to hire ICS cybersecurity employees with the right skills, while 50% find it challenging to hire suitable partners and service providers to implement ICS solutions.
According to CyberX, a cyber security firm specialising in ICS, major security gaps remain in key areas such as plain-text passwords, direct connections to the internet, and weak anti-virus protections. CyberX’s Global ICS & IIoT Risk Report, which studies more than 850 production ICS networks across six continents, found that 40% of sites have at least one direct connection to the public internet and that 57% are still not running any anti-virus protections that update signatures automatically. It also found that 53% of sites have outdated Windows systems like XP - systems that no longer receive security patches from Microsoft.
For more information please contact Sarah Stephens, Head of Cyber on +44 (0)203 394 0486.