Critical infrastructure is more vulnerable than ever—your industry could be a prime target - Lacework

Critical infrastructure is more vulnerable than ever—your industry could be a prime target

Allie Fick, Security Reporter

September 6, 2022

More flexibility and visibility with agentless coverage for workloadsWhile cybercriminals have gained much notoriety over the past two decades, their goals and tactics remain mostly the same. One of the only major changes in cybercriminal operations is who their victims are—today, instead of targeting individuals, they’re targeting critical infrastructure. So, why did this shift occur, and which types of critical infrastructure are most at risk? To determine which sector is most vulnerable to an attack, it’s important to understand exactly what critical infrastructure is and what it means for something to be vulnerable. 

Critical infrastructure is the foundation of our economy, security, and health 

Infrastructure is the underlying foundation or framework of a system or organization while critical infrastructure is the physical and virtual assets, systems, and networks that are essential to society. Destroying these assets could debilitate national security, the economy, or public health and safety. 

Critical infrastructure is organized into 16 different sectors. Sectors are groupings based on similarities in function and form. If critical infrastructure was destroyed or impaired, it could cause mass casualties or weaken the economy. That’s why it is a prime target for attackers and why it must be protected. 

What is a vulnerability? 

In cybersecurity, vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that an attacker could exploit. Vulnerabilities can be software bugs, misconfigurations, or any other flaws that cybercriminals can take advantage of. 

When it comes to critical infrastructure, a vulnerability is a weakness in the assets and systems that are essential to how our society functions. If an attacker exploits a vulnerability in critical infrastructure, it can be very dangerous. 

When cyber threats became physical

The world wasn’t so concerned about cyber warfare and vulnerabilities in critical infrastructure until the first cyber weapon, Stuxnut, was uncovered in 2010. Stuxnet is a computer worm that was used to attack a nuclear power plant in Iran. The malware infected the industrial control systems that were used to operate the plant, which then caused some of the machinery to spin too quickly and severely damage and destroy itself. 

For the first time, malware was used to cause physical damage. After Stuxnet it became clear that hackers could take advantage of vulnerabilities in critical infrastructure; in this case, the target was a nuclear facility in Iran, but this attack showed that any infrastructure around the world could be susceptible to physical damage from cyber attacks. 

Today, almost all critical infrastructure sectors are at risk

Stuxnet showed that taking advantage of minor flaws in a system could cause major damage. While the malware was likely created by governments, hackers took note of their ideas and techniques. “Criminals were starting to learn from governments instead of the other way around,” Kim Zetter, investigative journalist and author, said in her Black Hat keynote speech earlier this month.   

If it was possible to take over nuclear facilities, what was stopping cybercriminals from using the same techniques to hack into other critical infrastructure like water treatment plants, transportation systems, or food manufacturing facilities?

Last year, ransomware incidents were observed in 14 out of the 16 U.S. critical infrastructure sectors, and cybersecurity authorities in the U.S., Australia, and the United Kingdom identified an increase in ransomware attacks against critical infrastructure worldwide. 

In January 2021, a cybercriminal hacked into a Florida water treatment plant’s computer system and raised the levels of sodium hydroxide—a chemical used in liquid drain cleaners—in the drinking water supply. The hackers likely gained access because the plant was using an outdated operating system and used weak password security. Operators noticed the change before the water reached customers, but had they not mitigated the problem, this hack could have been deadly. 

A few months later, cybercriminals hacked into Colonial Pipeline’s system using an employee’s password that had been reused on other networks. The 5,500-mile pipeline stretching from Texas to New Jersey was shut down for five days. Colonial Pipeline paid a nearly $5 million ransom to the hackers in exchange for information to restore their computer network—however, the nearly week-long shutdown caused a fuel shortage on the East Coast that was worsened by consumers panic-buying gas. 

While the transportation industry falls victim to ransomware attacks that disrupt operations so hackers can profit, they also are faced with other threats that could damage transit operations such as geolocation data disruptions, sensor disruptions, and cyber hijacking. 

Hackers breached the Metropolitan Transportation Authority (MTA) in New York City in April 2021. While they weren’t able to access the systems that operate the trains, officials were concerned because they potentially could have. The hackers took advantage of vulnerabilities in a remote network access tool used by MTA. 

Public transit systems are also experiencing more cyber attacks. “It is increasingly difficult to name a transit provider that has not faced a data breach or other disruptive cyber incident,” the Mineta Transportation Institute wrote in a July 2022 report. 

Even the food and agricultural sector remains vulnerable to attacks. JBS, the world’s largest meat processing company, paid  $11 million dollars to stop a ransomware attack last year. 

Which is most vulnerable? 

The Cybersecurity & Infrastructure Security Agency (CISA) is researching which critical infrastructure sector might be most vulnerable and have the most impact on the U.S. national security and economy.  

According to industrial cybersecurity company Dragos, the manufacturing sector is currently the most frequently targeted sector by far. 75 percent of ransomware attacks observed by Dragos in Q1 of 2022 targeted manufacturing —the second-most targeted sector was food and beverage at 6 percent. IBM Security came to a similar conclusion in their X-Force Threat Intelligence Index 2022.  Based on the attacks that they remediated in 2021, manufacturing was the top attacked industry in North America, Europe, and Latin America. Vulnerability exploitation was the top infection vector, meaning it was the most popular method used to enter a network. 

Why is manufacturing targeted so much more than other industries? 

Lacework Cloud Security Researcher Greg Foss says that while other industries could have significantly more detrimental impacts from attacks, hackers also might be focusing their efforts on manufacturing simply because it’s easier to get what they want. 

“If they only aim to make money, then manufacturing may be the best bang for their buck if they’re looking for somewhere to deploy ransomware,” Greg said. 

IBM Security has a similar theory—they suggested that manufacturing is targeted because the key role it holds in the global supply chain and their low tolerance for interruptions puts more pressure on the victims to pay a ransom quickly. This could have been increased by strains placed on the industry due to COVID-19 manufacturing delays, making it an easy and rewarding method for attackers.

According to Deloitte, many manufacturing systems were created before people began focusing on security, and manufacturing technology traditionally prioritizes performance and safety over security. This leads to huge security gaps for attackers to take advantage of. 

What’s next? 

Cybercriminals will continue to take advantage of vulnerabilities; however, understanding what they’re looking for and which industries are at risk can help you protect yourself and your organization. While all critical infrastructure sectors are at risk, some security researchers believe the manufacturing industry is currently the most vulnerable—likely because it’s an accessible and profitable target. As CISA continues their research to officially determine which sector is most vulnerable, they have provided several tools to help you assess your environment and identify the risks that are most likely to affect you.  

To learn more about vulnerability management, read our vulnerability white paper and check out Lacework’s blog for our latest insights.