Cyber Attacks and Risk Mitigation in Critical Infrastructure

Critical infrastructure is a term used by the government to describe assets that are essential for the functioning of a society and economy (think oil and gas, water, electricity, telecommunication, etc.). According to the Department of Homeland Security, there are 16 sectors of critical infrastructure. In the past few years, we’ve seen attacks on departments of transportation, cities, and other network infrastructure that are prompting many cyber security leaders to pay closer attention to their readiness strategy and risk management. With the threat of cyberattacks against public and private sector infrastructure on the rise, it is important to understand the history of these attacks, as well as what critical infrastructure cyber security professionals can do to protect themselves against them. Today, we are going to focus on three sectors: oil and gas, energy and electricity, and transportation.

Oil & Gas Cyber Security

Much of how we live and work is dependent upon the energy produced from oil and gas production, including cooking, heating/cooling, driving, and use of electronic devices and appliances. There have been several successful attacks on this industry already:

  • One of the most famous noted attacks came in 2010 with Stuxnet, a malicious computer worm used to hijack industrial control systems (ICS) around the globe, including computers used to manage oil refineries, gas pipelines, and power plants. It reportedly destroyed a fifth of Iran’s nuclear centrifuges. The worm was delivered through a worker’s thumb drive.
  • In August 2012, an unauthorized user with privileged access to one of the world’s leading National Oil Companies’ (NOCs’) computers unleashed a computer virus called Shamoon (disk-wiping malware). This virus erased three quarters (30,000) of the company’s corporate personal computer data and resulted in an immediate shutdown of the company’s internal network.
  • National Security Authority Norway said 50 companies in the oil sector were hacked and 250 more were warned to check their systems, in one of the biggest hacks in Norway’s history.
  • Ugly Gorilla, a Chinese attacker who invaded the control systems of utilities in the United States, gained cyber keys necessary to access systems that regulate flow of natural gas. In January 2015, a device used to monitor the gasoline levels at refueling stations was remotely accessed by online attackers, manipulated to cause alerts, and set to shut down the flow of fuel. Several gas-tank-monitoring systems suffered electronic attacks thought to be instigated by hacktivist groups.
  • In December 2018, Sapeim fell victim to a cyberattack that hit servers based in the Middle East, India, Aberdeen and Italy.The attack led to cancellation of important data and infrastructures.

Energy & Electricity Cyber Security

While we may not think of the energy sector as being a large cyber vulnerability, it is not only of intrinsic importance to a functioning society but necessary for all other sectors that make up the nation’s critical infrastructure.

There are not many documented cases of a successful power grid attack but that doesn’t mean they don’t occur! The first known instance taking place on December 23, 2015 in Ukraine. Hackers were able to compromise information systems of three energy distribution companies in the Ukraine and temporarily disrupt electric supply to end customers. A year later, Russian hackers targeted a transmission level substation, blacking out part of Kiev.

Although there may not be many examples of historical energy utility hacks, these kinds of attacks are no longer a theoretical concern. In 2014, Admiral Michael Rogers, director of the National Security Agency, testified before Congress that China and other countries likely had the capability to shut down the U.S. power grid. An adversary with the capability to exploit vulnerabilities within the electric utility silo may be motivated to carry out such an attack under a variety of circumstances, and it seems increasingly likely that the next war will be cyber.

Transportation Cyber Security

Via plane, train, or automobile, the transportation sector supports nearly 10 percent of the U.S. GDP (gross domestic product), which includes monetary value of all goods and services produced within the United States. Over the past couple of years, the industry has grown in operational complexity with logistical chains, production, facility and manufacturing partners and plant management. As a result of this growth, it has become an even more alluring and accessible hacking playground for cybercriminals. There have been a few noteworthy attacks on this silo of infrastructure in the last few years:

  • Maersk: Petyamalware variant infected the IT systems of the world’s largest shipping company with 600 container vessels handling 15% of the world’s seaborne trade in June 2017.
  • LOT: A Polish airline canceled 10 flights due to an attack against the airline’s ground computer systems at Warsaw’s Okecieairport in June 2015.
  • Jeep Cherokee: A coordinated attack in 2015 by Charlie Miller and Chris Valasek demonstrated the ease by which a connected car can be remotely hacked into, in this case, using Uconnect.

 

You can see that attacks on these silos of industry have already begun (and show no signs of stopping) and we need to be prepared for what the future holds. To lessen the attack surface vulnerabilities and protect critical infrastructure against cyber threats, teams need to be prepared to address all possible scenarios that can occur on said attack surface in order to effectively protect and defend IT and OT critical infrastructures.

Reducing Risk in Critical Infrastructure Cyber Security

Project Ares® cyber security learning platform can prepare cyber teams with the right skills in immersive environments that emulate their own IT and OT networks to be most effective. In fact, there are exercises within the cyber range platform that have players detect threats on a water treatment plant and in an oil and gas refinery. It is designed for continuous learning, meaning it is constantly evolving with new missions rapidly added to address the latest threats in any critical infrastructure sector. Further, targeted training can be achieved from the library of battle room scenarios to work on specific skill sets like digital forensics, scripting and Linux.

Training in cyber ranges is a great way to foster collaboration, accountability, and communication skills among your cyber team as well as cross-departmentally. Persistent and hands-on learning will help take your cyber team to the next level. Benefits of this kinds of learning include:

  • Increased engagement – by keeping learners engaged they are able to stay focused on the subject matter at hand
  • Opportunities to close gaps immediately – instant feedback, instruction, and critique make it easy for learners to benefit from interaction with the instructor and peers and immediately implement this feedback to improve
  • Risk mitigation and improved problem solving – hands-on training allows learners to master skills prior to working in real-world environments. People can work through tough scenarios in a safe training environment – developing problem-solving skills without risk.

By placing the power of security in human hands, cyber security teams can proactively improve a company’s ability to detect cyber-related security breaches or anomalous behavior, resulting in earlier detection and less impact of such incidence on energy delivery, thereby lowering overall business risk. Humans are the last line of defense against today’s adversary, so prioritizing gamified training for teams will foster the level of collaboration, transparency, and expertise needed to connect the dots for cyber security across these critical infrastructure sectors.

Photo by Ian Simmonds on Unsplash

Modernizing Cyber Ranges

Cyber ranges were initially developed for government entities looking to better train their workforce with new skills and techniques. Cyber ranges provide representations of actual networks, systems, and tools for novice and seasoned cyber professionals to safely train in virtual environments without compromising the safety and security of their own networks.

Today, cyber ranges are known to effectively train the cyber workforce across industries. As technology advances, ranges gain in their training scope and potential. The National Initiative for Cybersecurity Education reports cyber ranges provide:

  • Performance-based learning and assessment
  • A simulated environment where teams can work together to improve teamwork and team capabilities
  • Real-time feedback
  • Simulate on-the-job experience
  • An environment where new ideas can be tested and teams and work to solve complex cyber problems

In order to upskill cybersecurity professionals, commercial, academic, and government institutions have to gracefully fuse the technicalities of the field with the strategic thinking and problem-solving “soft skills” required to defeat sophisticated attacks. Cyber ranges can help do that.

Currently, cyber ranges come in two forms: Bare environments without pre-programmed content; or prescriptive content that may or may not be relevant to a user’s industry. Either form limits the learner’s ability to develop many skill sets, not just what their work role requires.

Six Components of Modern Cyber Ranges

Modern cyber ranges need realistic, industry-relevant content to help trainees practice offense and defense and governance activities in emulated networks. Further cyber ranges need to allow learners to use their own tools and emulated network traffic in order to expand the realism of the training exercise. By using tools in safe replicated networks, learners will have a better understanding of how to address a threat when the real-life scenario hits.

We also know that cybersecurity attacks require teams to combat them, not just one or two individuals. So, in addition to individual training, cyber ranges should also allow for team training and engagement for professionals to learn from one another and gain a bigger picture understanding of what it REALLY takes to stop evolving threats.

With advances in Artificial Intelligence (AI), we know cyber ranges can now support such technology. In the case of our own Project AresÒ, we are able to leverage AI and machine learning to gather user data and activity happening in the platform. As more users play Project Ares, patterns in the data reveal commonalities and anomalies of how missions are completed with minimal human intervention. Those patterns are used to inform the recommendations of an in-game advisor with “chat bot-esque” features available for users to contact if help is needed on a certain activity or level. Further, layering AI and machine learning gives cyber professionals better predictive capabilities and, according to Microsoft, even  “improve the efficacy of cybersecurity, the detection of hackers, and even prevent attacks before they occur.”

With many studies touting the benefits of gamification in learning, it only makes sense that modern ranges come equipped with a gamified element. Project Ares has a series of mini-games, battle rooms, and missions that help engage users in task completion—all while learning new techniques and strategies for defeating modern-day attacks. The mini-games help explain cyber technical and/or operational fundamentals with the goal of providing fun and instructional ways to learn a new concept or stay current on perishable skills. The battle rooms are environments used for training and assessing an individual on a set of specific tasks based on current offensive and defensive tactics, techniques and procedures. The missions are used for training and assessing an individual or team on their practical application of knowledge, skills and abilities in order to solve a given cybersecurity problem set, each with its own unique set of mission orders, rules of engagement and objectives.

There is a lot of sensitive data that can be housed in a cyber range so security is the final piece to comprising a modern cyber range. The cloud is quickly recognized as one of the most secure spaces to house network components (and physical infrastructure). To ensure the cyber ranges are operating quickly with the latest updates and to increase visibility of how users are engaging in the cyber ranges across the company, security in the cloud is the latest and greatest approach for users training in test environments.

There you have it. The next generation cyber range should have:

  • Industry-relevant content
  • Emulated network capabilities
  • Single and multi-player engagement
  • AI and machine learning
  • Gamification
  • Cloud-compatibility

We are proud to have pioneered such a next generation cyber range manifest in many of our platforms including (as mentioned above), Project Ares®, and CyRaaSTM. We hope this post helped you understand the true potential of cyber ranges and how they are evolving today to automate and augment the cyber workforce.