Cyberattacks targeting critical national infrastructure are on the rise and the industrial cybersecurity community is being forced to pay closer attention as cyber adversaries more aggressively target critical industries such as dams, factories, and power utilities.
Industrial infrastructure is fundamental to modern life. We rarely think about power plants or factories running continuously, but when a cyberattack forces them to shut down the result can be a significant crisis, as the 2021 Colonial Pipeline ransomware incident in the US showed. While many security vendors concentrate on protecting financial and technology firms, Dragos focuses on providing cybersecurity solutions for the asset owners who run the industrial control systems (ICS) and operational technology (OT) that keep these critical industries online.
Why does Dragos focus on ICS/OT security?
Cyberattacks against tech companies or financial institutions are primarily driven by money. Cyberattacks against critical industries such as power, oil and gas, mining, pharmaceuticals, or food production can be driven by other, more disruptive or destructive, intents.
“Many threat groups target industrial sites worldwide, whether they are state actors, criminals, or whomever,” says Dragos CEO and co-founder Robert M. Lee. “Sometimes they leverage ransomware in order to ransom a power plant or other industrial infrastructure to get money, for example. Sometimes they get access to intellectual property, such as manufacturing methods and how the industrial process is designed. Sometimes, they are prepositioning for a future cyber event.”
Dragos and its founders have analysed or helped respond to several major infrastructure intrusions in recent years. Consider the 2015 cyberattacks on Ukrainian electricity distribution companies, which temporarily cut power to consumers. Or the 2017 attack on a petrochemical facility in Saudi Arabia, in which the attackers compromised the plant's safety instrumented system, the layer designed to prevent explosions and loss of life, in what Dragos assesses was an attempt to kill people.
State groups are the most dangerous
As the world becomes increasingly connected and reliant on digital systems, attacking those systems has become an effective way to cause real-world harm. Many governments now treat cyberspace as an offensive military domain. As a result, some of the most dangerous cyber adversaries have emerged in recent years.
These groups include the Lazarus Group, responsible for the 2017 WannaCry outbreak that made ransomware widely known and one of the most important modern cyberthreats. The threat group Fancy Bear leaked highly sensitive information about US politicians in 2016 and targeted anti-doping organisations in 2019. Among the most famous is Cozy Bear, the group believed to be behind the SolarWinds compromise, one of the most significant supply chain attacks to date.
According to Lee, Dragos is currently tracking 15 threat groups that target industrial infrastructure. One of them has succeeded in breaking into a company that provides services to several energy sites, and through that access is now prepositioned inside power sites in a couple of different countries, at locations that could be leveraged for the most disruptive or destructive effects. When state actors position themselves to disrupt critical systems where the outcomes are power outages and fuel supply failures, we must be concerned.
The invisible is more dangerous than the known threats
While Dragos monitors and tracks the work of several state threat groups, it is the groups we don't yet know about that are the most dangerous. Of the 15 groups Dragos tracks, the company predicts that a small number will be enormously disruptive in the coming years, but the greater danger will come from threat groups not yet identified, or from hidden parts of known groups' activity.
Tracking well-known groups alone is no longer an adequate defence, especially in industrial environments targeted by adversaries more capable than their predecessors. Adequate protection requires continuous assessment of the systems and their vulnerabilities. Rather than reacting after the fact, as many companies do, it is essential to move to proactive assessment and monitoring so that intrusions are caught before they succeed.