The Internet has changed the way we communicate and has helped create a global economy. But with great change comes great opportunity – one that malicious hackers have not been slow to exploit.
Critical infrastructure is a term used by the government to describe assets that are essential for the functioning of a society and economy (think oil and gas, water, electricity, telecommunication, etc.). According to the Department of Homeland Security, there are 16 sectors of critical infrastructure. In the past few years, we’ve seen attacks on departments of transportation, cities, and other network infrastructure that are prompting many cyber security leaders to pay closer attention to their readiness strategy and risk management. With the threat of cyberattacks against public and private sector infrastructure on the rise, it is important to understand the history of these attacks, as well as what critical infrastructure cyber security professionals can do to protect themselves against them. Today, we are going to focus on three sectors: oil and gas, energy and electricity, and transportation.
Oil & Gas Cyber Security
Much of how we live and work is dependent upon the energy produced from oil and gas production, including cooking, heating/cooling, driving, and use of electronic devices and appliances. There have been several successful attacks on this industry already:
- One of the most famous noted attacks came in 2010 with Stuxnet, a malicious computer worm used to hijack industrial control systems (ICS) around the globe, including computers used to manage oil refineries, gas pipelines, and power plants. It reportedly destroyed a fifth of Iran’s nuclear centrifuges. The worm was delivered through a worker’s thumb drive.
- In August 2012, an unauthorized user with privileged access to one of the world’s leading National Oil Companies’ (NOCs’) computers unleashed a computer virus called Shamoon (disk-wiping malware). This virus erased three quarters (30,000) of the company’s corporate personal computer data and resulted in an immediate shutdown of the company’s internal network.
- National Security Authority Norway said 50 companies in the oil sector were hacked and 250 more were warned to check their systems, in one of the biggest hacks in Norway’s history.
- Ugly Gorilla, a Chinese attacker who invaded the control systems of utilities in the United States, gained cyber keys necessary to access systems that regulate flow of natural gas. In January 2015, a device used to monitor the gasoline levels at refueling stations was remotely accessed by online attackers, manipulated to cause alerts, and set to shut down the flow of fuel. Several gas-tank-monitoring systems suffered electronic attacks thought to be instigated by hacktivist groups.
- In December 2018, Sapeim fell victim to a cyberattack that hit servers based in the Middle East, India, Aberdeen and Italy.The attack led to cancellation of important data and infrastructures.
Energy & Electricity Cyber Security
While we may not think of the energy sector as being a large cyber vulnerability, it is not only of intrinsic importance to a functioning society but necessary for all other sectors that make up the nation’s critical infrastructure.
There are not many documented cases of a successful power grid attack but that doesn’t mean they don’t occur! The first known instance taking place on December 23, 2015 in Ukraine. Hackers were able to compromise information systems of three energy distribution companies in the Ukraine and temporarily disrupt electric supply to end customers. A year later, Russian hackers targeted a transmission level substation, blacking out part of Kiev.
Although there may not be many examples of historical energy utility hacks, these kinds of attacks are no longer a theoretical concern. In 2014, Admiral Michael Rogers, director of the National Security Agency, testified before Congress that China and other countries likely had the capability to shut down the U.S. power grid. An adversary with the capability to exploit vulnerabilities within the electric utility silo may be motivated to carry out such an attack under a variety of circumstances, and it seems increasingly likely that the next war will be cyber.
Transportation Cyber Security
Via plane, train, or automobile, the transportation sector supports nearly 10 percent of the U.S. GDP (gross domestic product), which includes monetary value of all goods and services produced within the United States. Over the past couple of years, the industry has grown in operational complexity with logistical chains, production, facility and manufacturing partners and plant management. As a result of this growth, it has become an even more alluring and accessible hacking playground for cybercriminals. There have been a few noteworthy attacks on this silo of infrastructure in the last few years:
- Maersk: Petyamalware variant infected the IT systems of the world’s largest shipping company with 600 container vessels handling 15% of the world’s seaborne trade in June 2017.
- LOT: A Polish airline canceled 10 flights due to an attack against the airline’s ground computer systems at Warsaw’s Okecieairport in June 2015.
- Jeep Cherokee: A coordinated attack in 2015 by Charlie Miller and Chris Valasek demonstrated the ease by which a connected car can be remotely hacked into, in this case, using Uconnect.
You can see that attacks on these silos of industry have already begun (and show no signs of stopping) and we need to be prepared for what the future holds. To lessen the attack surface vulnerabilities and protect critical infrastructure against cyber threats, teams need to be prepared to address all possible scenarios that can occur on said attack surface in order to effectively protect and defend IT and OT critical infrastructures.
Reducing Risk in Critical Infrastructure Cyber Security
Project Ares® cyber security learning platform can prepare cyber teams with the right skills in immersive environments that emulate their own IT and OT networks to be most effective. In fact, there are exercises within the cyber range platform that have players detect threats on a water treatment plant and in an oil and gas refinery. It is designed for continuous learning, meaning it is constantly evolving with new missions rapidly added to address the latest threats in any critical infrastructure sector. Further, targeted training can be achieved from the library of battle room scenarios to work on specific skill sets like digital forensics, scripting and Linux.
Training in cyber ranges is a great way to foster collaboration, accountability, and communication skills among your cyber team as well as cross-departmentally. Persistent and hands-on learning will help take your cyber team to the next level. Benefits of this kinds of learning include:
- Increased engagement – by keeping learners engaged they are able to stay focused on the subject matter at hand
- Opportunities to close gaps immediately – instant feedback, instruction, and critique make it easy for learners to benefit from interaction with the instructor and peers and immediately implement this feedback to improve
- Risk mitigation and improved problem solving – hands-on training allows learners to master skills prior to working in real-world environments. People can work through tough scenarios in a safe training environment – developing problem-solving skills without risk.
By placing the power of security in human hands, cyber security teams can proactively improve a company’s ability to detect cyber-related security breaches or anomalous behavior, resulting in earlier detection and less impact of such incidence on energy delivery, thereby lowering overall business risk. Humans are the last line of defense against today’s adversary, so prioritizing gamified training for teams will foster the level of collaboration, transparency, and expertise needed to connect the dots for cyber security across these critical infrastructure sectors.
The number of women in cybersecurity is growing, but the field is far from gender parity. Circadence’s Keenan Skelly shares expertise on how to fill the skills gap and get more women in cyber.
Jumpstarting a new cyber security career path can feel like a daunting initiative, however, it may be more attainable than you think. By utilizing online cyber resources and persistent learning exercises, you can start learning everything you need to know to understand career options and land your dream job.
Virtual machines and digital libraries are great places to start on your cyber learning journey. A virtual machine is a software program or operating system that exhibits the behavior of a separate computer and is capable of performing tasks such as running applications and programs like a separate computer. This enables you to create multiple independent VMs environments on one physical machine and it aids in detecting things like malware and ransomware attacks. A digital library is an online platform that offers a diverse collection of cyber security learning objectives, along with an online database of digital materials like videos and reports.
Here are some resources that can help you pursue a career in cyber security:
- Oracle VM VirtualBox – this powerful virtualization product is for enterprise as well as home personal use. This is the best VM for home users and can be run on a multitude of operating systems.
- Kali Linux – this is an open source tool used in information security training and penetration testing services. Kali Linux is one tool available for use in our Project Ares platform for offensive skill building and practice.
- Security Onion Virtual Machine – this free and open sourced Linux distribution aids in intrusion detections, enterprise security monitoring, and log management. Security Onion is also available in Project Ares.
- Flare Virtual Machine – a freely available and open sourced Windows-based program that offers a fully configured platform with a comprehensive collection of Windows security tools.
- Cybrary – this community based digital library gives you the ability to collaborate in an open source way and create an ever-growing catalog of online courses and experiential tools to learn all things cyber security from offensive, defensive and governance.
- Clark Cybersecurity Library – a digital library that hosts a diverse collection of cyber security learning objectives from Intro to Cyber to Adversarial Thinking. It is a high-quality and high-availability repository for curricular resources in the cyber education community.
From entry level positions to cyber security professionals, digital libraries help in understanding cyber concepts and virtual machines allow learners to apply and hone cyber skills that security professionals use on the job such as risk management, information systems security, and network security.
To complete your well-rounded cyber education, pairing these tools with hands-on practice in cyber range like Project Ares is key.
Circadence’s own Project Ares uses gamified cyber range learning environments to emulate immersive and mission-specific network threats for a variety of cyber security work roles and job titles. The Project Ares platform is constantly evolving with new battle rooms and missions to address the latest threats and includes targeted training scenarios to learn specific skillsets. This platform also offers digital badges in its Academy license, which represent credentials that can be used to indicate a variety of accomplishments and skills. These are a great way to show a prospective employer just how much you’ve taught yourself about cyber security (and you can add them to your social profiles so prospective employers can see your skills)!
From concept learning to skills application, gamification paired with persistent, hands-on training in virtual environments is an ideal approach to understanding the ins and outs of complex cyber networks and how to recognize potential vulnerabilities in today’s evolving threat landscape. Pairing Project Ares with any of the aforementioned resources is a sure-fire way to kick off your cyber security career and prepare for security certifications!
The top cyber security myths CISOs and security professionals fall victim to. Empower yourself with persistent training and skill building instead.