What happens when there’s no more electricity? Food and essential medicines can no longer be cooled, life-supporting appliances in hospitals fail, the lights go out and the streets sink into chaos. It’s a scenario that seems unimaginable, but the danger exists. Cybercriminals are increasingly targeting vulnerable facilities that form the basis for the common good – critical infrastructure.

The president of the German Federal Office for Information Security (BSI), Arne Schönbohm, likewise sees operators of water and power plants, and sectors such as the pharmaceutical industry, increasingly becoming the focus of professional cyberattacks. Why? Manipulating operating procedures in these sectors could put the population at risk, so protective measures for their internal IT should have a high priority.

Let’s take a look at the critical infrastructure that’s vulnerable and the enormous consequences of a cyberattack on these sensitive organizations.

A critical matter

Critical infrastructure includes organizations and institutions that play an important role for society and the state. They provide services or products that consumers and businesses depend on. In Germany these are the sectors energy, IT and telecommunications, health, water, food, transport and traffic, finance and insurance, government and administration, as well as media and culture.

Critical infrastructure is considered especially sensitive when it comes to its IT systems, which is why the German government wants to protect these operators in particular with the IT Security Act that came into force in July 2015. Operators must report significant IT security incidents to the BSI and must demonstrate at regular intervals that their protective measures are adequate. The sensitivity of these systems stems from the fact that most of them were designed decades ago. IT security was not considered from the outset; instead, physical security measures such as elaborate fencing and on-site security personnel were the priority.

A further reason IT security was neglected was that these systems were originally isolated from the Internet. Digitization has changed this considerably in recent years: in modern industrial companies, many machines, devices and employees are now connected to the Internet. Such networking brings many advantages, but also one significant disadvantage: critical infrastructure is now far more exposed to cyberattacks.

Danger of a total blackout

An unprecedented attack on Ukraine’s electricity grid in December 2015 shows the extent of damage a cyberattack on critical infrastructure can cause. Attackers using the BlackEnergy malware switched off power to roughly 230,000 customers in western Ukraine. Households remained in the dark for hours, and hospitals had to fall back on emergency generators. A second attack in December 2016 cut power to part of Kyiv for about an hour; there the attackers, allegedly state actors, used the malware ‘Industroyer’, which can issue commands to substation equipment directly over industrial protocols.

In 2017, a petrochemical plant in Saudi Arabia fell victim to hackers. The aim of the attack was probably to cause physical destruction. It was discovered by chance, when a bug in the attackers’ code tripped the plant’s safety system and forced a shutdown, which prevented worse. According to media reports, the attack targeted a safety instrumented system (Schneider Electric’s Triconex) that is used worldwide in oil, gas and nuclear plants, including in Germany. Parts of the Triton code used in the attack became publicly available shortly afterward, giving experienced attackers a starting point for further intrusions. In April 2019 security researchers reported that they had found a second intrusion using the Triton toolkit, although it remains unclear when that attack took place and which facility was targeted. Their investigation concluded that the attackers intended to cause physical damage, which suggests that other operators of critical infrastructure are being targeted. For this reason, the researchers published details of the detected malware to help IT managers detect and prevent it.

Past events are worrying. But the growing awareness of IT security within critical infrastructure is a good sign; civil protection authorities, for example, have noted improvements in IT security.

The worst case: cyber attack on operators of critical infrastructure

However, this does not mean the topic can be set aside; rather, it should sensitize people to the need to build up further security measures. Let’s consider a worst-case scenario: a cyberattack turns the power off in Germany. According to Schönbohm, the grid and the energy supply are an attractive target for anyone who wants to paralyze an entire country. A longer and more widespread power outage would lead to extensive supply bottlenecks, which is also a concern for civil protection. Let us take a closer look at a possible attack scenario.

The cyber kill chain

An attack extends over seven steps, which together form the so-called cyber kill chain, a model published by Lockheed Martin. The concept of the kill chain originates in the military and was transferred to the IT sector.

A targeted attack, whether ransomware or sabotage, unfolds in the following steps:

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command & control
  7. Actions on objective

Reconnaissance: Identification of the target

There are basically two types of attacks: targeted and mass attacks. The kill chain describes targeted attacks. First, the target is chosen. As much information as possible is collected to find out how the company is set up and whether there are gaps that could be used for intrusion. Attackers usually focus on employees who share a lot of information about themselves: contact details, job titles, holiday plans and more. Once a suitable entry point has been found, the next step follows.

Weaponization: Preparing the attack

The attacker selects a suitable tool depending on the desired goal and the planned procedure; if possible, it should be stealthy. Often the weapon is a trojan that initially keeps itself hidden and collects further information before it acts. Many such codes are freely available on the darknet.

Delivery: First steps to execute the attack

In this phase, the criminal has to choose a distribution channel: a CD-ROM, a USB stick or, most commonly, email. Particularly popular are phishing emails that either link to a malicious website or carry an infected document the recipient is supposed to open. A successful delivery takes us directly to the next step.

Exploitation: Using the security vulnerability

A lack of awareness among employees is a popular attack vector. Social engineering, phishing, CEO fraud and whaling exploit the uncertainty and ignorance of employees to get attackers into the system. But the open attack surface can also lie in the technology, for example unpatched security holes in programs used throughout the company.

Installation: Establishing a backdoor

For obvious reasons, no pop-up appears once the malware has been installed. The installation runs hidden and without the user’s knowledge. The malware establishes itself on the system and waits for its big moment.

Command & Control: Remote control of the target system

To keep control of the malware, the attacker needs a remote-access channel; the Remote Desktop Protocol is one option, as are periodic outbound connections from the malware to a server the attacker controls. Remote control is essential for achieving the actual goal: over this channel the malware can be instructed to reload additional components or to exfiltrate data.

Actions on objective: Achievement of objectives

The big moment has come: once the system is fully infiltrated, the attacker carries out the actual objective. In our scenario, the power supply is switched off. Months or even years can pass between installation and the moment the malware is executed or detected.
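Reading the seven steps in sequence, the practical question for a defender is where in the chain each step leaves a trace that could have been caught. The following is an added example, not code from the original article: it tags a small set of constructed host and network events with the kill-chain phase they are evidence for, reconstructs the observed chain per host, and measures how long the defender had between the first detectable event and the action on the grid. The log format, the field names, the host names and the phase-mapping rules are assumptions chosen for the example.

```python
"""Reconstructing a kill-chain progression from host and network events.

Added example, not from the original article. Log format, field names and
the event-to-phase rules are assumptions; all events below are constructed.
"""
from datetime import datetime

PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objective",
]

# An Office application spawning a script interpreter is a classic sign that a
# delivered document has just been exploited.
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
RISKY_ATTACHMENTS = (".docm", ".xlsm", ".js", ".iso", ".lnk")

# Constructed sample events (assumption: one dict per event, ISO timestamps).
EVENTS = [
    {"ts": "2023-03-01T08:02:11", "host": "ws-hr-07", "type": "mail_attachment",
     "attachment": "invoice_2023.docm", "sender": "billing@supplier-invoices.example"},
    {"ts": "2023-03-01T08:04:30", "host": "ws-hr-07", "type": "process",
     "parent": "explorer.exe", "image": "chrome.exe"},           # benign noise
    {"ts": "2023-03-01T08:05:42", "host": "ws-hr-07", "type": "process",
     "parent": "WINWORD.EXE", "image": "powershell.exe"},        # macro runs
    {"ts": "2023-03-01T08:05:50", "host": "ws-hr-07", "type": "persistence",
     "detail": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
    {"ts": "2023-03-01T08:06:05", "host": "ws-hr-07", "type": "net_conn",
     "dst": "203.0.113.45:443", "periodic": True},               # beaconing
    {"ts": "2023-03-03T23:41:17", "host": "ws-hr-07", "type": "net_conn",
     "dst": "eng-hmi-02:3389", "periodic": False},               # RDP to the HMI
    {"ts": "2023-03-03T23:52:03", "host": "eng-hmi-02", "type": "ics_write",
     "detail": "open command to feeder breaker, substation RTU 11"},
]


def classify(event):
    """Return the kill-chain phase an event is evidence for, or None.

    Reconnaissance and weaponization happen outside the victim's network and
    leave no host log, so no rule here can ever produce them.
    """
    t = event["type"]
    if t == "mail_attachment" and event["attachment"].lower().endswith(RISKY_ATTACHMENTS):
        return "delivery"
    if t == "process" and event["parent"] in OFFICE_APPS and event["image"].lower() in SCRIPT_HOSTS:
        return "exploitation"
    if t == "persistence":
        return "installation"
    if t == "net_conn" and (event["periodic"] or event["dst"].endswith(":3389")):
        # periodic outbound beacons, or the RDP remote control the article describes
        return "command_and_control"
    if t == "ics_write":
        return "actions_on_objective"
    return None


def _by_time(events):
    return sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))


def reconstruct(events):
    """Phases observed across the whole incident, in order, duplicates collapsed."""
    chain = []
    for ev in _by_time(events):
        phase = classify(ev)
        if phase and (not chain or chain[-1] != phase):
            chain.append(phase)
    return chain


def phases_by_host(events):
    """Which phases left traces on which host; lateral movement shows up here."""
    result = {}
    for ev in _by_time(events):
        phase = classify(ev)
        if phase and phase not in result.setdefault(ev["host"], []):
            result[ev["host"]].append(phase)
    return result


def lead_time_hours(events):
    """Hours between the first detectable event and the action on objective,
    i.e. the window a defender had to break the chain. None if either is missing."""
    ordered = _by_time(events)
    first = next((e for e in ordered if classify(e)), None)
    last = next((e for e in reversed(ordered) if classify(e) == "actions_on_objective"), None)
    if first is None or last is None:
        return None
    delta = datetime.fromisoformat(last["ts"]) - datetime.fromisoformat(first["ts"])
    return delta.total_seconds() / 3600


def unobserved_phases(events):
    """Phases of the model for which the log holds no evidence at all."""
    seen = set(reconstruct(events))
    return [p for p in PHASES if p not in seen]


if __name__ == "__main__":
    print("chain:", " -> ".join(reconstruct(EVENTS)))
    for host, phases in phases_by_host(EVENTS).items():
        print(f"{host}: {', '.join(phases)}")
    print(f"lead time before ICS action: {lead_time_hours(EVENTS):.1f} h")
    print("no evidence for:", unobserved_phases(EVENTS))
```

On the constructed events the chain reads delivery, exploitation, installation, command and control, actions on objective, with almost 64 hours between the malicious attachment arriving and the breaker command. Two points follow for a defender: the first two phases never appear in one’s own logs, so the first realistic chance to stop the chain is at delivery or exploitation; and the final step happens on a different host than the intrusion, so correlating events across workstations and control-system hosts is what makes the chain visible at all.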

The kill chain makes clear that preventing and defending against sophisticated cyberattacks requires both technical controls and effective, regular awareness training for employees. The technical side includes services that can detect stealthy, complex malware such as advanced persistent threats using dedicated analysis engines, freezing and sandboxing.

Unfortunately, cyberattacks will continue to increase, and protection measures must be taken at an early stage.

In summary, cyberattacks on critical infrastructure can pose a threat to national security. An attack on the power grid or the water supply would not only cause financial losses but could completely change life as we know it.