A new era of cyber intrusion is upon us, as cyber criminals take on bigger challenges. Expect central banks, stock exchanges, hospitals and power stations to be targeted.
Ukraine is fortunate that its power supply systems are not based on the latest technology. When a utility in the west of the country was hit by a ‘spear-phishing’ cyber attack that blacked out 80,000 customers in December, power was quickly restored manually, an option that may not be available on more sophisticated and digitised energy plants.
Ominously, the Ukraine attack heralds a new era of cyber invasions as criminals, activists and perhaps even enemy agents take on bigger challenges. These could include anything from central banks to stock exchanges, along with vital infrastructure such as hospitals. That’s the view of Eugene Kaspersky, founder of the biggest privately owned cyber protection laboratory: “Most professional cyber criminals are looking for new types of victims – stock exchanges, for example,” he said in a recent interview.
Disturbingly, a growing percentage of cyber attacks against companies may be state-sponsored. Though experts say it’s almost impossible to quantify precisely how much ‘cyber intrusion’ is government-mandated, there are strong suspicions that China, Russia, Iran and Turkey are involved to greater or lesser degrees – and that some of these attacks are directed at commercial targets.
“Toxic malware has been created in Iran and sold around the world,” says Stuart Poole-Robb, chief executive of London-based KCS Group, a consultant in strategic intelligence and corporate security. “And in China there are criminal gangs at work with the involvement of state actors.”
Their motivation may be nothing more than sabotage. As Kaspersky points out: “There are a growing number of attacks where the motive is to paralyse a system rather than gain financially.”
But whatever the reason, Europe has jumped higher on the hackers’ agenda. In the past few months, France and Germany have made the list of the top 10 most-hacked countries.
The techniques of cyber invasions are improving all the time. The spear-phishing that knocked out the utility in Ukraine, for example, was based on so-called Black Energy malware and exploits human behaviour by sending an email that purports to come from an employee, often at senior level. Once opened, the message exposes the system to hostile software.
Cyber invaders often have help from within. As Poole-Robb explains, security and even cleaning staff are being persuaded to deliver vital information to cyber criminals that they use to mount an attack. “It gets them through the doors and windows,” he says. “These people feed the hackers. Cyber attacks are not just computer-to-computer events.”
The most recent escalation in cyber crime pretty much tracks the predictions made by experts such as Dr Marco Gercke, director of the Cybercrime Research Institute in Cologne and an adviser to the European Commission and United Nations, among others. Warning that the development of the information society brings with it “new and serious threats”, three years ago he highlighted the vulnerability of society-critical infrastructure such as water and electricity, traffic control, lifts in buildings, air conditioning and telephony.
“Attacks against infrastructure and internet services now have the potential to harm society in new and critical ways,” he said. Recently, hospitals and clinics, sea ports, oil refineries and steel plants have been hit, as hackers invade what are known collectively as industrial control systems that are digitally dependent. Production lines are a frequent target.
“The world is not ready for cyber attacks on critical infrastructure,” says Kaspersky. “Governments are not ready, law enforcement isn’t ready, the facilities themselves are not ready, and the people who design, build and operate them are often the least ready of all. Unfortunately, the criminals are very ready.”
That view is backed up by Charles White, founder and chief executive of information risk management organisation IRM, who warns bluntly: “At the moment it’s child’s play to hack into most publicly listed companies.”
When called in by worried companies, IRM routinely finds that customer and employee data – plus other intellectual property fundamental to the survival of the firm – remain highly vulnerable to cyber hackers. Typically, sensitive information is contained in outsourced activities such as payroll services, over which the company has little oversight.
In managing cyber danger, risk managers are in the front line. “[They] work hand-in-hand with IT and the operational units [and] play a key role in the quantification of cyber risk, including through the use of scenario-based evaluations,” says Jo Willaert, president of the Federation of European Risk Management, in the organisation’s latest newsletter.
“For risk managers, the overriding imperatives are the maintenance of public trust, the security of the whole supply chain and the continuity of the business.”
With risk managers in the vanguard, many companies have improved their resilience. As Gercke notes, even if they remain vulnerable to attacks, “they’re getting better at dealing with them and they are recovering faster”.
But don’t leave everything to the IT guy, warn experts. “IT departments can be too arrogant,” argues Poole-Robb. “They have to accept that there are limitations to the protection they can provide. There are so many different aspects to cyber crime.”
As IRM’s White points out, this is because today’s businesses are overwhelmingly online and vulnerable. “Cyber security is usually bumped into IT, but it is absolutely not an issue for the IT department,” he says. “These days, the entire business is digital.”
Other consultants tell a similar story. “The first mistake that organisations make is to assume this is just an IT issue – it’s not,” says Andrew Rogoyski, vice president of cyber security services at information technology specialist CGI, in a statement.
“It is a very significant business risk and needs to be dealt with at senior leadership level.
“Many senior leaders simply don’t understand that their businesses have become digital in nature, dependent on IT systems, the internet and the use of what is quite often sensitive personal data.”
The good news is that businesses can make their perimeters much more secure, albeit at a price. A FTSE 500 company, for example, will have to budget £15m to £25m to retrofit cyber security that meets recognised standards. And the job could take up to three years.