Could we run out of electricity or water? This is what cyber-attacks against critical infrastructures look like
Cyber-attacks against critical infrastructures have become one of today's most significant threats because of their severe economic and social consequences
At Christmas 2015, around 230,000 Ukrainians were left without power. Sandworm, an advanced persistent threat (APT) group linked to the Russian state, used the BlackEnergy malware to gain a foothold in three regional distribution companies and then operated their control systems to cause blackouts in the country's western regions. Nearly a decade after this incident, cyber-attacks against critical infrastructure have become a significant threat to Western democracies and to companies operating in the electricity and water supply sectors.
For example, in recent months a cyber-attack left an area of County Mayo, Ireland, without water for two days, and in another incident hostile actors compromised the industrial control system (ICS) of the Municipal Water Authority of Aliquippa in Pennsylvania (USA). Both attacks on critical infrastructure were the work of Cyber Av3ngers, a group that CISA assesses to be affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC). The group claims to have attacked a dozen Israeli water treatment stations, although there is no evidence that it was able to affect any of those systems.
In addition, Sandworm, the unit attributed to Russian military intelligence (GRU) that was behind the 2015 blackout, has caused multiple power outages in Ukraine since the beginning of the Russian invasion.
These recent cases show that cyber-attacks against critical infrastructures are used to undermine the functioning of Western states by nations such as Iran, Russia, North Korea or China and as a weapon in military conflicts (Russia-Ukraine; Israel-Hamas).
For this reason, public authorities in the United States, the United Kingdom and the European Union have alerted energy and water treatment and supply companies to the need for advanced cybersecurity services that improve their resilience against attacks on critical infrastructure.
ICS and IIoT devices: Critical elements of enterprise cybersecurity
Industrial control systems (ICS) have transformed industries around the world because they allow companies to increase productivity and profitability and to control every stage of an industrial process. To this we must add robotization, the spread of smart devices across companies engaged in industrial activities, and the incorporation of IoT devices such as smart lighting or connected water meters.
While the economic and productive advantages of ICS are obvious, it is just as easy to see that every addition to a company's technological infrastructure enlarges its attack surface.
ICS allows companies that produce and/or distribute electricity to regulate the supply of energy, and water suppliers can regulate pressure, manage reserves, monitor the state of the water or control its distribution.
Therefore, cyber-attacks against critical infrastructures seek to undermine, manipulate, and even disrupt the operation of ICS systems. Some attacks may also aim to steal industrial property and obtain confidential information about the operation of an ICS.
The importance of strengthening the security measures that protect ICS is reflected in the MITRE ATT&CK framework, a global standard for describing malicious actors' tactics, techniques and procedures (TTPs), which maintains a dedicated matrix for ICS (ATT&CK for ICS), and in regulatory frameworks for industry such as the Cyber Resilience Act and NIS2 in Europe.
Supply chain in the eye of the storm
Most companies that operate ICS do not develop them: they buy systems built by vendors that specialize in this type of advanced technology, so the security of the vendor becomes part of the operator's risk.
For example, in the incident involving the Pennsylvania water authority, the IRGC-affiliated group targeted a programmable logic controller (PLC) used by the utility but developed by the Israeli company Unitronics. According to CISA's advisory on that campaign, the affected Unitronics Vision-series PLCs were reachable from the internet and still used the vendor's default password, which is what made them such easy targets. The attack was therefore aimed not only at a utility and the citizens of an area of the United States but also at the reputation of a notable Israeli company, in a context of confrontation between Iran and Israel.
The software supply chain has also been central to one of the latest cyber-attacks against companies in critical sectors. In mid-April 2024, the Cybersecurity & Infrastructure Security Agency (CISA) announced that it was working on a response to a security incident that affected Sisense. This company provides data analytics services to companies operating critical infrastructure.
Also, last year it was made public that the North Korean state-sponsored Lazarus Group launched a supply chain attack by trojanizing a legitimate application (X_Trader) and infecting several organizations, including two energy companies in the United States and Europe.
The more recent incidents involving Snowflake customers (driven by stolen credentials on accounts without multi-factor authentication rather than a compromise of Snowflake itself) or Cyclogreen only confirm this trend.
Ransomware attacks on energy and water companies
Beyond state-directed attacks against critical infrastructure, power generation and distribution companies and the companies that manage drinking water and wastewater have to deal with one of the biggest threats of this era: ransomware attacks.
Earlier this year, British water company Southern Water suffered a data breach as a result of a ransomware attack.
In this incident, suffered by a company with around 5 million customers, the Black Basta ransomware group claimed to have stolen 750 gigabytes of documents, including personal data and sensitive corporate information.
Stolen data of this kind can be traded on the dark web or used to prepare future attacks against the company's customers and its own staff, for example to obtain credentials that give access to systems controlling critical infrastructure. This is why ransomware attacks pose a significant risk to companies operating in these sensitive sectors.
The consequences of cyber-attacks against critical infrastructures
Depending on the level of severity, the systems affected, and the duration of the incidents, cyber-attacks against critical infrastructures can affect energy and water companies, as well as companies developing software and industrial devices, in different ways. Ultimately, these companies, citizens and public administrations depend on electricity and water supply to be able to work and live.
Economic and reputational damage to companies
With fears growing that cyber-attacks against critical infrastructure are spreading, Moody’s, one of the world’s leading credit agencies, has warned of the consequences of such incidents on the solvency of water supply companies.
Cyber-attacks against critical infrastructures can generate incalculable economic losses for companies if their services are interrupted. In addition, reputational damage can be irreparable and undermine a company’s position in the marketplace.
If cyber-attacks not only paralyze the activities of companies, but also destroy essential infrastructure, they can even lead to the disappearance of organizations.
Threaten the business continuity of the entire productive fabric
Cyber-attacks against critical infrastructures are a direct threat to companies' business continuity.
Protecting business continuity is essential for any company, but it is even more important for energy or water treatment and supply companies. Why is that? If the distribution of energy or water is affected, the business continuity of their customers is at risk. Today, virtually no business can operate without electricity, and water is essential for sectors such as food.
Negative impact on people’s health and safety
In worst-case scenarios, cyber-attacks against critical infrastructure can directly harm people’s health and well-being:
- Company workers who suffer injuries because attacked equipment behaves incorrectly.
- Patients in hospitals and medical centres that are rendered inoperative by power outages.
- Citizens who consume contaminated water as a result of an attack on treatment or dosing systems.
These three examples show how damaging cyber-attacks can be against critical infrastructures such as electricity or water networks.
The NIS2 directive: Improving the resilience of critical sectors
We noted earlier that public institutions have alerted companies to the risks of cyber-attacks against critical infrastructures, but the European Union has gone a step further.
The NIS directive and its update, the NIS2 directive, establish cybersecurity requirements for companies in critical sectors. These sectors include:
- Water supply.
- Energy.
- Digital service providers.
- Wastewater.
The NIS2 directive, which entered into force in January 2023, must be transposed into the internal legislation of the member states by 17 October 2024, including the penalty regime for non-compliance, so its obligations will be enforced from late 2024 and through 2025.
The regulation establishes that companies operating in these sectors must optimize cybersecurity risk management, which includes concrete measures such as:
- Protecting business continuity.
- Strengthening supply chain security.
- Conduct security audits and penetration testing.
- Notifying the authorities of significant incidents: an early warning within 24 hours of becoming aware of the incident, a full notification within 72 hours, and a final report within one month.
Essential entities that fail to comply with these obligations face administrative fines of up to 10 million euros or 2% of global annual turnover, whichever is higher (for important entities, up to 7 million euros or 1.4%), although each member state must define its own sanctioning model based on these references.
Hostile actors supported by states
Beyond the seriousness of the consequences of cyber-attacks against critical infrastructures, we must consider another vitally important element: the groups behind this type of threat.
As the examples in this article show, the hostile actors carrying out cyber-attacks against critical infrastructures are groups that:
- Launch targeted attacks against specific companies, systems and infrastructures.
- Have the resources and expertise to sustain advanced persistent threats because states support them.
- Pursue objectives that are not purely economic; in many cases their mission is geo-strategic, and they seek to damage companies, institutions and citizens of the states they target: European countries, the United States, the United Kingdom, Israel, Canada, Australia…
- Use tactics, techniques and procedures sophisticated enough to make prevention, detection and response difficult, although, as the Unitronics case shows, they will happily use exposed devices and default passwords when those are available.
How to protect against cyber-attacks on critical infrastructure
To counter these hostile actors, energy and water companies, as well as companies that develop industrial software and devices, can:
- Develop software and devices securely from the design stage and throughout their lifecycle. This requires source code audits, an inventory of software components (a software bill of materials, SBOM), analysis of third-party libraries, and security testing to detect and mitigate vulnerabilities before they reach production.
- Continuously monitor the supply chain to identify vulnerabilities in suppliers' products that could be exploited against critical infrastructures, and to track security incidents and breaches affecting those suppliers. Threat Intelligence services play a key role here.
- Use Threat Hunting and Red Team services to improve resilience against APTs: hunting for the TTPs of known groups in order to anticipate them, and designing Red Team scenarios that measure the organization's ability to withstand an advanced persistent threat while keeping the ICS that control the electricity or water supply operating. These services are essential to improving companies' defensive capabilities.
- Maintain a proactive incident response service that can respond to attacks, expel malicious actors quickly, safeguard business continuity and protect critical infrastructures.
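The first two measures above (inventorying software components and monitoring the supply chain for vulnerable versions) come together in a routine check of an SBOM against an advisory feed. The following Python script is an added example written for this article, not code from the article's author or from any vendor: the CycloneDX-style SBOM for a hypothetical IIoT gateway firmware, the package versions and the advisory identifiers are all constructed for illustration. It applies OSV-style "introduced/fixed" version ranges, so a component at exactly the fixed version is correctly reported as not affected, and it separately lists components that carry no package URL (purl), because those cannot be matched and must not be silently treated as clean.

```python
import json
import re

# Constructed CycloneDX 1.5-style SBOM for a hypothetical IIoT gateway firmware.
# Component names, versions and the document itself are invented for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl",    "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "library", "name": "libmodbus",  "version": "3.1.6",  "purl": "pkg:generic/libmodbus@3.1.6"},
    {"type": "library", "name": "requests",   "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "vendor-hmi", "version": "4.2"}
  ]
}
"""

# Constructed advisory feed using OSV-style ranges: affected if introduced <= v < fixed.
# The ADV-... identifiers are hypothetical placeholders, not real CVE or OSV records.
ADVISORIES = [
    {"id": "ADV-2024-0001", "name": "openssl",   "introduced": "1.1.1", "fixed": "1.1.1l"},
    {"id": "ADV-2024-0002", "name": "libmodbus", "introduced": "0",     "fixed": "3.1.7"},
    {"id": "ADV-2024-0003", "name": "requests",  "introduced": "2.0.0", "fixed": "2.31.0"},
]

_SEGMENT = re.compile(r"(\d+)([A-Za-z]*)")


def version_key(version):
    """Turn '1.1.1k' into ((1, ''), (1, ''), (1, 'k')) so versions compare in order.

    Handles dotted, optionally letter-suffixed versions like OpenSSL 1.1.1k;
    it is not a full semver or PEP 440 parser and rejects anything else loudly.
    """
    key = []
    for segment in version.split("."):
        match = _SEGMENT.fullmatch(segment)
        if not match:
            raise ValueError(f"unsupported version segment {segment!r} in {version!r}")
        key.append((int(match.group(1)), match.group(2)))
    return tuple(key)


def is_affected(version, introduced, fixed):
    """OSV range semantics: the fixed version itself is no longer affected."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def name_from_purl(purl):
    """pkg:type/namespace/name@version -> name (namespace dropped; enough here)."""
    path = purl.split("@", 1)[0]
    return path.rsplit("/", 1)[-1]


def check_sbom(sbom_json, advisories):
    """Return (findings, unevaluated).

    findings:    list of (purl, advisory id) for components inside an affected range
    unevaluated: names of components without a purl, which cannot be matched and
                 therefore need manual review rather than being assumed clean
    """
    sbom = json.loads(sbom_json)
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)

    findings, unevaluated = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unevaluated.append(comp.get("name", "<unnamed>"))
            continue
        for adv in by_name.get(name_from_purl(purl), []):
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append((purl, adv["id"]))
    return findings, unevaluated


if __name__ == "__main__":
    found, skipped = check_sbom(SBOM_JSON, ADVISORIES)
    for purl, adv_id in found:
        print(f"AFFECTED  {purl}  {adv_id}")
    for name in skipped:
        print(f"NO PURL   {name}  (cannot be matched against advisories; review manually)")
```

Run stand-alone, the script reports the openssl and libmodbus components as affected, treats requests 2.31.0 as fixed because it sits exactly on the range boundary, and lists vendor-hmi as unevaluated. In practice the advisory list would be refreshed from a feed such as OSV or the vendor's PSIRT, and the "unevaluated" list is the one to watch: a PLC or HMI image whose components cannot be identified is exactly where a supply chain weakness hides.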
Resilience in the face of APT
Ultimately, the power grid, drinking water supply and wastewater management are critical infrastructures for any country’s functioning. Without them, the productive fabric comes to a standstill, and people’s well-being is significantly affected.
For this reason, cyber-attacks against critical infrastructures have become a threat of the first magnitude, even more so in recent months as a result of the Russian invasion of Ukraine and the growing tension in the Middle East following the outbreak of the conflict between Israel and Hamas.
To prevent these security incidents and, should they occur, to keep them from affecting the power and water supply, companies must design robust cybersecurity strategies that enable them to withstand advanced persistent threats.