On Friday, 7th May, Colonial Pipeline suspended operations after a major ransomware attack on the company’s computer systems. While the major East Coast pipeline has lurched back to life, the attack is yet another stark reminder of not only the increased threat of ransomware attacks, but also the vulnerabilities that riddle critical infrastructure internationally.
Over the last 10 to 15 years, critical infrastructure has become increasingly connected to the internet: highly connected hospitals, water and energy systems powered by intelligent sensors, government operations with deep roots in data, and many more. This obviously has its benefits, most importantly the ability to be operated remotely. However, this connectivity also means the systems we rely on for our health, power and national security are susceptible to cyber threats. In this regard, the Colonial Pipeline attack should serve as a wake-up call to those who still needed one, as well as a reminder to those of us who were already aware of the threat.
All eyes have been on the UK’s critical national infrastructure, and particularly the NHS, since the pandemic began. Defending it is at the heart of the new Integrated Review of the UK’s foreign, defence, security and development policy, which seeks to ensure that those in control of Critical National Infrastructure have the knowledge, strategy and security to combat threat actors bent on bringing it down. But the infancy of this initiative means that some industries are still in the dark regarding the urgency of the threat and how to defend against it.
Aging critical infrastructure around the globe has long been ripe for attack. Last year, the UK’s National Cyber Security Centre (NCSC) and the US released a joint alert warning of Russian attacks on millions of routers, firewalls and devices used by infrastructure operators and government agencies.
However, what makes this situation more perilous is the fact that the Colonial Pipeline shutdown was caused by what appears to have been a private party. Typically, cyber warfare tactics such as targeting infrastructure were the realm of nation state actors: an act of aggression not unlike previous ‘pre-internet’ tactics, and one which would ultimately be traceable to the perpetrator.
The next wave of cyber adversaries, and how to protect against them
This situation punctuates an upward trend in the number of private parties targeting public infrastructure in ransomware attacks. These attacks, which hold information or systems hostage until a sum of money is paid, are growing in complexity, sophistication and frequency globally. In the UK, ransomware attacks surged 80% in just three months following the start of the pandemic.
While it was only a matter of time until ‘outsourcing’ came to the cyber crime business, the success of Ransomware-as-a-Service (RaaS) providers against infrastructure targets is sure to spur imitators and competition. The newfound ability for individuals to seriously impact critical supplies for personal profit is certainly troubling and opens our aging infrastructure to an even wider pool of threats.
However, the rise in skills of these cyber mercenary groups may highlight an even greater long-term risk to all infrastructure. Numerous reports – including BlackBerry’s BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps – show that mercenary groups offering APT-style attacks are becoming more readily available. The tactics, techniques, and procedures (TTPs) used in these attacks are beginning to resemble the highly sophisticated state-sponsored campaigns. This means the profile and geography of potential victims has diversified exponentially. And these victims will become increasingly ‘random’ or illogical when analysed for any commonality.
This lack of commonality will also make it harder to identify when nation states are actually behind attacks, as their fingerprints will be largely removed.
Interestingly too, the interconnectedness of the UK’s infrastructure is starting to provide an asymmetric advantage for some nations we traditionally classify as hostile. North Korea, for instance, hasn’t had the resources to upgrade its infrastructure like much of the West. This means much of the nation’s infrastructure remains unconnected to the internet, making it largely insusceptible to cyber threats. The one-way threat posed by some nations may present a unique challenge to the UK and other highly connected nations in the years to come.
All of this makes it clear that the UK must continue to double down on cyber security measures, and quickly. Security ‘standbys’ are no longer sufficient to protect critical infrastructure, and employing a reactive approach simply won’t cut it. From crippling outages like Colonial Pipeline and WannaCry, to the rise in double and triple extortion, it has become more evident in recent years that significant measures are needed to keep these systems safe and intact. Because while this specific attack on Colonial Pipeline targeted just one company, there are all sorts of critical infrastructure that could suffer similar attacks.
It also means that countries need to be honest about these attacks – and seriously think about their resiliency models. It’s important we recognise that these attacks are going to become more common. And that, beyond continuing to invest in the latest technology to help fend off these threats, having strong cyber resiliency plans to minimise the real-world impact of these attacks will be critical. In the long run, it will make targets inherently less valuable for would-be criminals.