What happens when there’s no more electricity? Food and essential medicines can no longer be cooled, life-supporting appliances in hospitals fail, the lights go out and the streets sink into chaos. A scenario that seems unimaginable. But the danger exists. Cyber-criminals are increasingly targeting vulnerable facilities that form the basis for the common good – critical infrastructures.

The president of the German Federal Office for Information Security, Arne Schönbohm, also sees operators of national water and power plants, or for example the pharmaceutical industry, increasingly in the focus of professionalized cyber-attacks. Why? Manipulating operating procedures in these economic sectors could put the population at risk. Protective measures for internal IT should therefore have a high priority.

In the following, we take a look at critical infrastructures and give an outlook on the enormous consequences a cyber-attack on these sensitive organizations can have.

A critical matter

Critical infrastructures include organizations and institutions that play an important role for the community of the state. They provide services or products that consumers and businesses depend on. These include facilities in the sectors of energy, IT and telecommunications, health, water, food, transport, finance and insurance, government and administration, as well as media and culture.

Critical infrastructures are considered particularly sensitive with regard to their IT infrastructure, which is why the government wants to give them special protection with the IT security law that came into force in July 2015. Operators must report faults in their IT systems and allow these systems to be checked regularly. The sensitivity mentioned above results from the fact that most of these systems were developed long ago. IT security was not considered from the outset; instead, physical security measures such as highly complex fencing systems and the provision of security personnel were pursued first.

Another reason was that these IT systems were originally separated from Internet access. However, digitization has not passed them by; it has brought considerable change in recent years. In modern industrial companies, for example, many machines, devices and employees are now connected to the Internet. Networking brings many advantages, but also significant disadvantages: critical infrastructures have thus become even more vulnerable to cyber attacks.

Danger of a total blackout

The possible extent of a cyber attack on critical infrastructures was shown by an unprecedented attack on Ukraine’s electricity grid in 2015. Hackers paralyzed the entire electricity supply. Households remained in the dark for hours, and hospitals had to fall back on emergency power generators. The attack was allegedly carried out by state actors who sabotaged the country’s power supply with the help of the malware ‘Industroyer’. In 2017, a Saudi Arabian power plant fell victim to hackers. The aim of the attack was probably to destroy the plant.

The attack was discovered purely by chance, which prevented worse consequences. According to media reports, the attack took place via a safety system that is used worldwide in oil and gas power plants as well as in nuclear power plants – also in Germany. The Triton code used in the attack was published on the Internet shortly afterwards, creating the basis for further attacks by experienced hackers. According to their own statements, security researchers were able to identify another attack using the Triton code in April 2019. However, it remains unclear when that attack took place and which system was targeted. During their investigations, the researchers concluded that the attackers wanted to cause physical damage. This also suggests that further operators of critical infrastructures were being targeted. For this reason, the researchers made details of the detected malware public in order to support IT managers in detecting and preventing it.

Past events are worrying. A good sign, however, is the increasing awareness of IT security within critical infrastructures. Disaster control authorities, for example, have praised the growing attention to IT security.

The worst case: cyber attack on operators of critical infrastructure

However, this does not mean that the topic is off the table; rather, it should raise awareness for the further establishment of security measures. What if the worst case actually occurred? Let us start from the worst-case scenario: a cyber attack switches off the power in Germany. According to Schönbohm, the grid and energy supply are an attractive target for paralysing an entire country. A longer and larger power outage would accordingly lead to extensive supply bottlenecks. This also raises concerns among disaster control authorities. Let us take a closer look at a possible attack scenario.

The cyber kill chain

An attack extends over a total of seven steps, which are combined in a so-called cyber kill chain. The concept of the attack chain has its origin in the military and was transferred to the IT sector.

A ransomware attack proceeds in the following steps:

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command & Control
  7. Actions on objective

Reconnaissance: Identification of the target

There are basically two types of attacks: targeted and mass attacks. The kill chain mainly describes targeted attacks. First, the target is chosen. As much information as possible is collected to find out how the company is set up and whether there are gaps that could be used for intrusion. Employees who share a lot of information about themselves are usually in focus: contact details, job titles, holiday plans and more. Once a suitable vulnerability has been found, the next step is taken.

Weaponization: Preparing the attack

The attacker selects a suitable tool depending on the desired goal and the planned procedure – if possible, one that is hard to detect. Often an encryption trojan is chosen, which initially stays hidden and collects further information. Many such malware kits are freely available on the darknet.

Delivery: first steps to execute the attack

In this phase the criminal has to choose a distribution channel: a CD-ROM, a USB stick, or the classic e-mail. Particularly popular are phishing e-mails that either link to a malicious website or contain an infected document that the recipient is supposed to open. The advantage of the phishing method takes us directly to the next step.

Exploitation: Detection of security vulnerabilities

Lack of awareness among employees is a popular attack vector. Keyword “social engineering”: phishing, CEO fraud or whaling exploit the uncertainty and ignorance of employees to get into the system. But open attack surfaces can also lie in technology, such as unpatched security holes in programs used throughout the company.

Installation: Implementation of a backdoor

Naturally, no pop-up appears once the malware has been installed. The installation runs hidden, without the user’s knowledge. The malware settles in and waits for its big moment.

Command & Control: Remote control of the target system

To keep control of the malware, a remote desktop protocol can be used for remote access. Remote control is essential to achieve the actual goal. It is now even possible to use artificial intelligence so that the malware performs self-learning actions, such as loading further malware or spying on personal data.

Actions on objective: Achievement of objectives

The great moment has come: after the complete infiltration of the system, the attacker can carry out the actual action. In our case, the power supply is switched off. Several years can pass before the malware is executed or detected.

The kill chain makes clear that preventing and defending against sophisticated cyber-attacks is only possible with specialized tools and strong, regular awareness training for employees. Such tools include services that detect stealthy and complex malware, such as advanced persistent threats, using dedicated analysis engines, freezing and sandboxing.
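The seven stages above are also the defender's map: each stage that is observed in logs is a point at which the chain can be broken. As an added illustration (not code from the original article), the following script classifies constructed sample events from an e-mail gateway, an endpoint agent, a web proxy, an intrusion detection sensor and an ICS monitor into kill-chain stages, then reports per host how far the chain progressed, whether any step was blocked, and which observable stages were skipped between the first and the furthest one (a visibility gap worth investigating). The log format, field names, detection rules and sample lines are all assumptions made for this example.

```python
"""Map security log events onto the seven-step cyber kill chain (defender's view).

Added illustrative example; the log format, field names, rules and sample
lines are constructed and do not come from any real product or incident.
"""
import re
from collections import defaultdict

STAGES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command & Control", "Actions on objective",
]
# Weaponization happens on the attacker's side and leaves no trace in the
# victim's logs, so it is excluded when looking for visibility gaps.
OBSERVABLE = [s for s in STAGES if s != "Weaponization"]

# Constructed, illustrative indicators per stage.
RISKY_EXT = (".docm", ".xlsm", ".js", ".iso", ".lnk")
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
PERSISTENCE_EVENTS = {"registry_run_key", "scheduled_task", "new_service"}
C2_PATTERNS = {"beacon", "rdp_outbound", "periodic_post"}
ICS_EVENTS = {"breaker_open", "setpoint_change", "firmware_write"}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse '<timestamp> key=value key=value ...' (constructed format) into a dict."""
    ts, _, rest = line.strip().partition(" ")
    ev = {"ts": ts}
    ev.update(_KV.findall(rest))
    return ev


def classify(ev):
    """Return the kill-chain stage a single event indicates, or None if benign/unknown."""
    src = ev.get("src")
    if src == "ids" and ev.get("event") in {"portscan", "web_crawl"}:
        return "Reconnaissance"
    if src == "mailgw" and ev.get("attachment", "").lower().endswith(RISKY_EXT):
        return "Delivery"
    if src == "edr" and ev.get("parent") in OFFICE_APPS and ev.get("child") in SCRIPT_HOSTS:
        return "Exploitation"          # document viewer spawning a script host
    if src == "edr" and ev.get("event") in PERSISTENCE_EVENTS:
        return "Installation"          # persistence mechanism created
    if src == "proxy" and ev.get("pattern") in C2_PATTERNS:
        return "Command & Control"
    if src in {"ics", "scada"} and ev.get("event") in ICS_EVENTS:
        return "Actions on objective"  # effect on the physical process
    return None


def chain_progress(lines):
    """Per host: stages observed in chain order, furthest stage reached, whether
    any step was blocked, and observable stages skipped between first and furthest."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        stage = classify(ev)
        if stage:
            per_host[ev.get("host", "?")].append((ev["ts"], stage, ev.get("action") == "blocked"))
    report = {}
    for host, events in per_host.items():
        events.sort()  # ISO timestamps sort chronologically as strings
        observed = sorted({s for _, s, _ in events}, key=STAGES.index)
        lo, hi = OBSERVABLE.index(observed[0]), OBSERVABLE.index(observed[-1])
        report[host] = {
            "stages_observed": observed,
            "furthest_stage": observed[-1],
            "first_detection": events[0][1],
            "blocked": any(b for _, _, b in events),
            "gaps": [s for s in OBSERVABLE[lo:hi + 1] if s not in observed],
        }
    return report


# Constructed sample events: one host fully compromised up to C2, one host where
# the endpoint agent blocked the macro, one HMI showing process impact without
# a visible C2 channel, and a perimeter scan.
SAMPLE_LOGS = [
    "2024-03-04T07:30:00Z host=perimeter src=ids event=portscan src_ip=198.51.100.23",
    "2024-03-04T08:01:12Z host=ws-042 src=mailgw attachment=invoice_0312.docm sender=billing@supplier.invalid action=delivered",
    "2024-03-04T08:07:45Z host=ws-042 src=edr parent=winword.exe child=powershell.exe action=allowed",
    "2024-03-04T08:08:01Z host=ws-042 src=edr event=registry_run_key value=updater",
    "2024-03-04T08:09:30Z host=ws-042 src=proxy dst=203.0.113.7 pattern=beacon interval=60s",
    "2024-03-04T08:02:00Z host=ws-017 src=mailgw attachment=invoice_0312.docm sender=billing@supplier.invalid action=delivered",
    "2024-03-04T08:05:10Z host=ws-017 src=edr parent=winword.exe child=powershell.exe action=blocked",
    "2024-03-04T09:40:00Z host=hmi-01 src=edr event=new_service name=svc_helper",
    "2024-03-04T09:41:15Z host=hmi-01 src=scada event=setpoint_change tag=feeder_breaker_3 operator=none",
]

if __name__ == "__main__":
    for host, info in chain_progress(SAMPLE_LOGS).items():
        print(host, info)
```

In this sample, ws-042 reaches Command & Control with no step blocked, which is the case to isolate first; ws-017 shows the chain broken at Exploitation by the endpoint agent; hmi-01 reports a process-level action with no preceding C2 observation, flagging a monitoring gap (for example an unmonitored remote-access path) rather than a clean bill of health.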

The fact is that cyber-attacks will continue to increase, and protective measures must be taken at an early stage.

In summary, cyber-attacks on critical infrastructures can pose a threat to national security. An attack on the energy network or the water supply can have consequences that go beyond financial losses and could completely change life as we know it.