
How Organisations Can Prepare For Attacks On Critical Infrastructure

Steve Durbin
Published 03 - December - 2024
Read the full article on Forbes
Tags: risk, emerging threats, forbes, people

Western societies and their critical infrastructures are increasingly being targeted, surveilled and attacked by foreign state-backed adversaries. As noted in the Wall Street Journal, in one month, a single state-linked firm hacked 260,000 internet-connected devices in the U.S., France, the U.K. and elsewhere. National defense resources are being overwhelmed.

The Wall Street Journal also reports, “China-backed hackers outnumber all of the FBI’s cyber personnel at least 50 to 1, according to the U.S. agency.” Other foreign-based adversaries are also targeting critical infrastructure. Reportedly, some intruders maintain a presence inside these infrastructures for months.

Why do nation-state attackers target critical infrastructure?

Critical infrastructure is the very foundation that governs the economic stability of a nation and the safety of its citizens. Attacks on transportation can cause food shortages; attacks on water treatment plants can lead to toxic poisoning; attacks on power grids can cause widespread panic. Because infrastructure organizations have limited tolerance for downtime, threat actors gain leverage, especially in ransomware cases.

How is critical infrastructure being infiltrated?

Nation-state actors follow a set of tactics, techniques and procedures (TTPs) when attacking infrastructure. First and foremost, they gain initial access. Next, they move laterally, research the compromised environment and acquire account credentials that have privileged access. Firmly inside, they deploy beacons that make outbound connections to command-and-control servers. Threat actors may lie dormant and conduct espionage, or initiate data exfiltration or the encryption of systems.
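The beacons described above are one of the few parts of this chain a defender can see from the network edge: an implant that checks in with its command-and-control server on a fixed timer produces outbound connections whose spacing and size are far more regular than human-driven traffic. The following is an added example, not code from the article or from its author, showing the simplest form of that detection: group outbound connections by source and destination, measure how evenly spaced and evenly sized they are, and flag pairs whose variation falls below a threshold. The log format, the host and destination addresses and the thresholds are all constructed for the example.

```python
"""Beacon-like outbound traffic detection over constructed connection logs.

Each log line is "timestamp src dst:port bytes" (a constructed format, not a
real product's export). A pair that connects at near-constant intervals with
near-constant payload sizes is reported as beacon-like.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample: one internal host, two destinations. 203.0.113.7 is
# contacted roughly every 300 seconds with ~515-byte requests; the other
# destination shows irregular, human-looking traffic. All addresses are
# documentation ranges, not real infrastructure.
SAMPLE_LOG = """\
2024-12-03T10:00:00 10.1.4.22 203.0.113.7:443 512
2024-12-03T10:00:03 10.1.4.22 198.51.100.20:443 30211
2024-12-03T10:05:01 10.1.4.22 203.0.113.7:443 520
2024-12-03T10:06:40 10.1.4.22 198.51.100.20:443 1200
2024-12-03T10:10:00 10.1.4.22 203.0.113.7:443 515
2024-12-03T10:14:59 10.1.4.22 203.0.113.7:443 518
2024-12-03T10:18:12 10.1.4.22 198.51.100.20:443 99000
2024-12-03T10:20:01 10.1.4.22 203.0.113.7:443 511
2024-12-03T10:25:00 10.1.4.22 203.0.113.7:443 517
2024-12-03T10:41:05 10.1.4.22 198.51.100.20:443 4400
"""


def parse_connections(text):
    """Group (timestamp, bytes) events by (source, destination) pair."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        conns[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return conns


def beacon_metrics(events):
    """Regularity of timing and size for one src/dst pair.

    interval_cv and size_cv are coefficients of variation (stdev / mean);
    values near zero mean "almost perfectly regular".
    """
    times = sorted(t for t, _ in events)
    deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean_delta = statistics.mean(deltas)
    interval_cv = statistics.pstdev(deltas) / mean_delta if mean_delta else float("inf")
    sizes = [n for _, n in events]
    mean_size = statistics.mean(sizes)
    size_cv = statistics.pstdev(sizes) / mean_size if mean_size else float("inf")
    return {
        "connections": len(events),
        "mean_interval_s": mean_delta,
        "interval_cv": interval_cv,
        "size_cv": size_cv,
    }


def find_beacons(text, min_connections=5, max_interval_cv=0.1, max_size_cv=0.2):
    """Return metrics for every pair with enough samples, marking beacon-like ones.

    Thresholds are constructed starting points for tuning, not vendor defaults.
    """
    findings = {}
    for pair, events in parse_connections(text).items():
        if len(events) < min_connections:
            continue  # too few samples to judge regularity
        m = beacon_metrics(events)
        m["beacon_like"] = m["interval_cv"] <= max_interval_cv and m["size_cv"] <= max_size_cv
        findings[pair] = m
    return findings


if __name__ == "__main__":
    for (src, dst), m in find_beacons(SAMPLE_LOG).items():
        status = "BEACON-LIKE" if m["beacon_like"] else "ok"
        print(f"{src} -> {dst}: {m['connections']} conns, "
              f"mean interval {m['mean_interval_s']:.0f}s, "
              f"interval_cv {m['interval_cv']:.3f}, size_cv {m['size_cv']:.3f}: {status}")
```

Treat a hit as a triage signal rather than a verdict: legitimate update agents and monitoring clients also check in on timers, so the finding needs to be joined with destination reputation and an allowlist of known services. Implants that randomise their check-in interval push interval_cv up, which is why the thresholds are parameters and why a long observation window matters more than a clever formula.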

Initial access is the root cause. Per a recent CISA finding, nearly 90% of initial access is gained via identity compromise. Identity compromise includes two things: valid accounts (such as former employee accounts or default administrator credentials) and malware-laced phishing emails targeting employees.

Other causes include malware file attachments, exploitation of external remote services (RDP, VPN, VNC) and so-called drive-by compromise, which exploits vulnerabilities in a user’s web browser when the user visits a legitimate website that has been injected with malicious code. Threat actors seem equipped with unlimited weapons, given the many vulnerabilities found in internet-facing hosts and applications.

What can critical infrastructure organizations do to prevent infiltration?

The cybersecurity industry is not short on risk management frameworks that can provide guidance; which one fits best depends on the industry and on business objectives. These include NIST, ISO 27001 and ISO 27002, CIS Controls, MITRE ATT&CK, Cloud Controls Matrix and my organization’s Standard of Good Practice (SOGP). Each of these frameworks has its own set of benefits, and they can be combined and custom-fitted for specific requirements.

Understanding how threat actors succeed, including their TTPs and methods, offers a way forward when compiling a shortlist of best practices organizations can follow to thwart initial access and limit threat exposure.

1. Change default passwords.

Many critical infrastructure assets (websites, interfaces, IoT devices) still retain default passwords, which give attackers access to valid accounts. Where the personnel involved are not authorized to change a default password, deploy compensating controls such as stricter monitoring and network segmentation.

2. Segregate user and privileged accounts.

No user account should have standing access or super-user privileges. Even administrators should maintain a separate user account for the everyday activities associated with their job roles (e.g., email and internet browsing). Privileged access and accounts should be evaluated on a recurring basis to assess the continued need for such permissions.

3. Revoke access of departed employees.

Disable former employees’ access to all company resources. (This seems obvious, but it’s often and easily missed.) Ensure that physical badges and key cards are returned. Ensure that exploitable services such as remote desktop sharing are not left exposed.

4. Use phishing-resistant multifactor authentication.

Use hardware-based, phishing-resistant multifactor authentication (MFA) such as FIDO2 Web Authentication or public key infrastructure standards. WebAuthn is a web-based API that enables websites to enhance their login pages with FIDO-based authentication on supported browsers and platforms, allowing users to utilize common devices for secure authentication to online services on mobile and desktop platforms. If hardware-based MFA is unavailable, consider mobile-app-based soft tokens that support push notifications with number matching.
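What makes WebAuthn phishing-resistant is not the hardware alone but what the relying party checks when it receives an assertion: the credential is scoped to the site’s RP ID, the browser records the page origin in the signed client data, and the server’s one-time challenge prevents replay. The following is an added example, not code from the article, its author or any WebAuthn library, that walks through those relying-party checks in Python. The relying party example.com, its origin, the challenge bytes and the lookalike origin are all constructed. The signature primitive is the one deliberate simplification: real WebAuthn verifies an asymmetric (typically ECDSA) signature with the credential’s public key; here an HMAC under a shared test key stands in so the block runs with the standard library alone, and it is injected as a callable so the verification logic itself is unchanged.

```python
"""Relying-party checks on a WebAuthn assertion, showing why it resists phishing.

Constructed example. RP_ID, EXPECTED_ORIGIN, the challenge and the lookalike
origin are hypothetical. hmac_verifier() stands in for the credential's
public-key signature check; everything else mirrors the relying-party steps
of the WebAuthn assertion ceremony.
"""
import base64
import hashlib
import hmac
import json
import secrets
import struct

RP_ID = "example.com"                  # assumed relying party identifier
EXPECTED_ORIGIN = "https://example.com"  # the only origin this RP accepts

FLAG_USER_PRESENT = 0x01               # bit 0 of the authenticatorData flags byte


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hmac_verifier(key):
    """Stand-in for ECDSA verification with the stored credential public key.
    (Constructed: real WebAuthn never uses a shared key.)"""
    def verify(signed_bytes, signature):
        expected = hmac.new(key, signed_bytes, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)
    return verify


def simulate_authenticator(rp_id, origin, challenge, key):
    """Model of what browser + authenticator return from navigator.credentials.get().

    The browser writes the page origin into clientDataJSON; the authenticator
    binds the assertion to the RP ID via rpIdHash and signs
    authenticatorData || SHA-256(clientDataJSON).
    """
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    # authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([FLAG_USER_PRESENT])
                 + struct.pack(">I", 1))
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    signature = hmac.new(key, signed, hashlib.sha256).digest()
    return client_data_json, auth_data, signature


def verify_assertion(client_data_json, auth_data, signature, expected_challenge, verify_signature):
    """Return (accepted, reason). Each rejection corresponds to a phishing or replay case."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    presented = b64url_decode(client_data.get("challenge", ""))
    if not hmac.compare_digest(presented, expected_challenge):
        return False, "challenge mismatch: replayed or foreign assertion"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: assertion was produced on %r" % client_data.get("origin")
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    expected_rp_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], expected_rp_hash):
        return False, "rpIdHash mismatch: credential is scoped to a different RP"
    if not auth_data[32] & FLAG_USER_PRESENT:
        return False, "user presence not asserted"
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    if not verify_signature(signed, signature):
        return False, "signature does not verify"
    return True, "accepted"


def run_demo(key=b"constructed-test-key"):
    """Legitimate login, a lookalike-site relay, and a replay, checked by the RP."""
    verify = hmac_verifier(key)
    challenge = secrets.token_bytes(32)              # fresh per login attempt
    legit = simulate_authenticator(RP_ID, EXPECTED_ORIGIN, challenge, key)
    # A page at another origin gets a credential scoped to *its* RP ID, and the
    # browser records *its* origin, so nothing it relays matches this RP.
    relayed = simulate_authenticator("lookalike.invalid", "https://lookalike.invalid", challenge, key)
    return {
        "legitimate": verify_assertion(*legit, expected_challenge=challenge, verify_signature=verify),
        "relayed_from_lookalike": verify_assertion(*relayed, expected_challenge=challenge, verify_signature=verify),
        "replayed_later": verify_assertion(*legit, expected_challenge=secrets.token_bytes(32), verify_signature=verify),
    }


if __name__ == "__main__":
    for case, (ok, reason) in run_demo().items():
        print(f"{case}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The contrast with a one-time code is the point: a code typed into a lookalike page is valid wherever it is forwarded, whereas the assertion above carries the origin and RP ID it was minted for, so the relying party rejects anything produced anywhere else. In production the sign counter should also be compared against the stored value to detect cloned authenticators, a check left out here for brevity.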

5. Enforce MFA across all assets.

Require MFA for IT users to access organizational resources, giving priority to high-risk accounts like privileged administrator accounts. In operational technology (OT) environments, ensure that MFA is enabled for all remotely accessible accounts and systems.

6. Mandate security awareness training.

Use phishing simulation systems to boost cybersecurity instincts and instill positive cybersecurity behaviors. Train users on both IT and OT scenarios like detecting unusual login attempts and denying MFA requests they have not generated. Educate users on the importance of security best practices, such as avoiding password reuse, using complex passwords and reporting phishing incidents.

I think preventing initial access and infiltration by malicious actors must be every organization’s priority. Implementing industry-standard cybersecurity frameworks, utilizing phishing-resistant MFA, monitoring privileged access and restricting exploitable services are only a few practical measures for critical infrastructure organizations to prevent infiltration by nation-states.
