INSIGHT

One click from meltdown - cyber attacks on critical infrastructure

By Gavin Smith, Valeska Bloch

In brief

Security experts have been predicting for some time that as critical infrastructure networks become 'smarter, more automated and more connected', they will also become more vulnerable to cyber threats.1 Reports last week of extensive attacks on critical infrastructure by hackers associated with the Russian state, not to mention a recent spate of cyber attacks on nuclear plants in the US and power stations in the Ukraine, are a sobering indicator that these predictions are now a reality.2 In response, governments globally are taking steps to further regulate critical infrastructure sectors in order to bolster their security. At home, the Security of Critical Infrastructure Act 2018 (Cth) (the Act) received Royal Assent on 11 April 2018 and takes steps to better secure Australian infrastructure against espionage or cyber attacks that threaten national security. This article looks at the critical infrastructure threat landscape and some recent examples, as well as the steps the Australian and other governments are taking towards a comprehensive framework for managing and protecting critical infrastructure assets.

Key takeaways

  • Critical infrastructure is particularly exposed to cyber espionage and attack, because damage to just one piece of critical infrastructure can have a widespread and damaging impact on an entire economy, and even on people's lives. This makes critical infrastructure assets enticing targets for state-sponsored, terrorist and financially motivated hackers.
  • The Australian Government has passed the Act to address these concerns. The Act is not intended to deal with all dangers related to cyber security—it is a purposefully narrow response to specific concerns about foreign ownership of ports, gas, electricity and water assets (telecommunications assets are regulated separately).
  • The Act imposes strict reporting obligations on asset owners and operators in the ports, gas, electricity and water sectors. It also creates a 'last resort' power, which the Minister of Home Affairs can use to direct asset operators to take steps to mitigate national security risks.
  • The legislation reflects the prevailing attitude globally to cyber protection: that governments must play a greater role in the management of privately operated critical infrastructure assets. Similar approaches have been taken in the US, through the implementation of the NIST Framework across all public and private organisations, and in the UK, which will implement the EU Network Information Security Directive this month.
  • Even though cyber attacks are becoming more potent and frequent, they can still be countered effectively. For example, in August 2012, hackers gained access to oil giant Saudi Aramco's computers, and released a virus that erased three quarters of the information on its servers. The company immediately shut down the internal network, and the fact that the company had segregated its internal network from its oil production operations limited the catastrophic financial and environmental damage that might have ensued if it had lost control of its oil rigs.3

The critical infrastructure threat landscape

Critical infrastructure refers to the facilities, systems and assets the destruction or unavailability of which would significantly impact on a nation's security, public health or economic security. This includes physical assets, such as oil rigs, power plants, hospitals, dams, transport storage facilities and military bases, as well as virtual systems, such as communications networks and financial systems. It also covers both state-owned and privately owned infrastructure.

When it comes to cyber security, critical infrastructure sits high on the threat matrix. From 2016 to 2017, Australia's Computer Emergency Response Team responded to 734 incidents affecting private sector systems of national interest and critical infrastructure providers.4 In 2014, 67 per cent of companies with critical infrastructure suffered at least one attack during the year.5

The heightened threat landscape and the destructive capacity of these attacks can be attributed to several factors:

  • Proliferation of state-sponsored cyber attacks, as nation states turn to cyber warfare as a remote and plausibly deniable way of obtaining information and disrupting their rivals. Verizon reports that 12 per cent of 2216 confirmed data breaches in 2017 involved actors identified as a nation state or state affiliated.6 State-affiliated actors are responsible for 93 per cent of cyber espionage attacks, with the remaining 7 per cent made up of competitors, former employees and organised crime groups.7
  • Critical infrastructure is a lucrative target for financially motivated attacks. In the case of ransomware attacks, critical infrastructure organisations are left in the difficult position of having to pay the attacker, or risk disruption to vital services (e.g. around 19,000 medical appointments were cancelled or disrupted as a result of the May 2017 WannaCry ransomware attack, which affected the UK's National Health Service).
  • Our networks are becoming increasingly interconnected, as a result of the acceleration of the Industrial Internet of Things.8 This means that an attack on one piece of critical infrastructure, like a data centre, can spread through its interconnected network of users, and potentially cause a much wider shutdown of key services across many industries. Again, the May 2017 WannaCry ransomware attack saw a 'computer worm' in just one computer spread to 230,000 computers and disrupt multiple sectors, including those of Spanish telecom giant Telefonica, and German railway network Deutsche Bahn.9
  • Protective measures against attacks on critical infrastructure can be difficult to implement. This is because, for the most part, security updates are done through patches, which sometimes require systems to be taken offline.10 Even where patches do not require taking a system offline, there is always some risk the changes will disrupt the system. Many legacy systems also operate on out-of-date operating systems for which no patches are available. For instance, many of the systems targeted by WannaCry and NotPetya used outdated Microsoft Windows operating systems like Windows XP, which no longer receives security updates.
  • Recent changes to give consumers more control over data have introduced more vectors for cyber attacks. For example, the introduction of smart electricity metering, which gives consumers access to their energy consumption data, means that hackers can now use consumer terminals to break into the broader system.11
  • Poorly designed systems and human error can wreak havoc on critical infrastructure even in the absence of malice. In January 2018, an official at the Hawaii Emergency Management Agency accidentally issued a ballistic missile alert, which resulted in messages being sent to all mobile phones in the state.12 The interface was poorly designed and did not allow false alarms to be retracted.13 The state of Hawaii suffered significant tangible ramifications, not to mention reputational costs. The Emergency Management Agency's approach to information security has been questioned, and a full review of its management systems and procedures is being conducted.14 Similar systems could be targeted by hackers to cause deliberate disruption.

Recent attacks on critical infrastructure

Some recent examples demonstrate the scope and impact of cyber attacks on critical infrastructure globally.

  • Attacks by Russian-sponsored hackers on network devices in the US, UK, Australia and Europe were publicly revealed in April 2018.15 The US Department of Homeland Security's Computer Emergency Readiness Team reported that compromised routers had been used for 'man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.'16 The Australian Cyber Security Centre announced that up to 400 Australian companies had potentially been targeted in these attacks.17
  • In October 2017, a new strain of ransomware called 'Bad Rabbit' began to infect corporate networks in eastern Europe. To date, it has affected Russian media organisations and an airport in Ukraine.
  • In June 2017, the NotPetya attack used ransomware hidden in false Microsoft Office templates to infect more than 2000 computers in the Ukraine. The ransomware was designed to make it impossible to restore infected systems even if a ransom had been paid. It could also search for user credentials on infected computers, giving attackers control over the entire network. Affected assets included Vodafone Ukraine, multiple gas stations, banks, TV channels and transport facilities, as well as the Kiev International Airport.18
  • In May 2017, the WannaCry attack used ransomware to encrypt the data of 230,000 computers in 150 countries. Among the affected systems were the UK's National Health Service, Spanish telecom giant Telefonica, and German rail network Deutsche Bahn. The attack caused up to $4 billion in losses.19
  • In 2017, spear phishing emails were used to attack the Wolf Creek Nuclear Operating Corporation in Kansas in the US. It was suspected that the attack was carried out by the 'Energetic Bear' organisation, a Russian hacking group that has been tied to attacks on the energy sector since 2012.20 There was allegedly no damage, but the Department of Homeland Security declared that other unnamed plants had also been targeted.
  • Over the course of 2015 and 2016, the Lazarus group – a cyber-criminal organisation with ties to North Korea – hacked into the systems of a number of banks and proceeded to send fraudulent transfer messages. The group stole millions of dollars, including $101 million from the Bangladesh Central Bank, by stealing the legitimate credentials of banks, and then requesting transfers from other banks.
  • In December 2015, unknown hackers launched a cyber attack on the supervisory control and data acquisition (SCADA) systems of power stations in the Ukraine. Using spear phishing emails to induce individuals at the power stations to disclose sensitive security information, the attack left 230,000 people in western Ukraine without power for hours. In December 2016, the Ukraine was again targeted – this time, it was the Pivnichna electricity substation near Kiev. The attack caused an hour-long blackout in the surrounding areas.

Developments in Australia

The Critical Infrastructure Centre

The Australian Government established the Critical Infrastructure Centre (CIC) in January 2017. The CIC works directly with government and critical infrastructure owners and operators, to manage 'complex and evolving national security risks'21 that directly affect critical infrastructure.22

Its five priority sectors are telecommunications, electricity, gas, water and ports.

The Security of Critical Infrastructure Act 2018

The Security of Critical Infrastructure Bill was introduced in December 2017 and received Royal Assent on 11 April 2018.23 This Act will take effect on 11 July 2018.24

The legislation will assist the CIC in undertaking national security risk assessments, and in providing national security advice to FIRB regarding proposals by foreign persons to acquire critical infrastructure assets, including in relation to risks arising through foreign 'ownership, offshoring, outsourcing and supply chain management'.25 The Act regulates four of the five 'highest-risk' sectors: ports, gas, electricity and water, but not the telecommunications sector, which is separately regulated by the Telecommunications and Other Legislation Amendment Act 2017 (Cth).26

The legislation creates a critical assets register, and gives the Minister of Home Affairs a 'last resort' power to direct an owner or operator of a critical infrastructure asset to mitigate national security risks.

The register will represent a complete record of critical infrastructure assets in Australia. Owners will be obliged to register their assets, and to notify the CIC of an intent to divest or acquire an asset. The register must also, among other things, log the location of the asset and the details of entities in a position to influence or control the asset, including entities in a position to influence or control an entity that directly owns an asset. This could include the details of individuals who are part of the management structure, and entities that are in a position to exercise voting or veto rights. The Register will be maintained by the Secretary of the responsible Department (currently the Department of Home Affairs)27 and will not be made public.28 For an in-depth look at the reporting requirements under the Act, please see our Client Update: New Reporting Requirements for Critical Infrastructure.

The 'last resort power' allows the Minister of Home Affairs to direct owners of assets in high-risk sectors to mitigate a security risk that cannot otherwise be mitigated. That decision would be subject to judicial review.

Non-compliance with the Register obligations and the information-gathering and last-resort powers will attract civil penalties,29 enforceable undertakings and injunctive relief. The only criminal offence in the Act relates to unauthorised disclosure of protected information obtained under the Act.30 The maximum penalty for that offence is imprisonment for two years, 120 penalty units (currently $25,200), or both.31

Global developments

Other countries have taken similar steps towards a comprehensive framework for managing and protecting critical infrastructure assets.

US: In February 2013, Barack Obama issued Executive Order 13636, 'Improving Critical Infrastructure Cybersecurity'. It called for a voluntary and technology-neutral cybersecurity framework for critical infrastructure sectors. As a result, the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity was released. It represented a 'joint effort between industry and government' to protect critical infrastructure. Unlike the Australian critical assets register, the Framework is not limited in scope: it applies to all public and private organisations. ASIC has previously used the NIST Framework to carry out cyber-risk assessments on the ASX and Chi-X securities exchanges.32 An updated version of the Framework was released on 16 April 2018.33

UK: The Network and Information Systems Regulations 2018 came into force on 10 May 2018 to implement the EU Network and Information Security (NIS) Directive in the UK.34 The legislation, alongside guidelines published by the National Cyber Security Centre, imposes a set of cyber security standards for critical infrastructure. It is wider in scope than the Australian law, extending to the electricity, transport, water, energy, health and digital services sectors. Notably, it does not include nuclear operators or financial trading platforms. It also specifies sector-specific regulators to which significant incidents must be reported. Regulators will have the power to issue instructions to rectify failures to comply with security duties under the regulations, and to impose fines of up to £17 million where appropriate.

Footnotes

  1. Cisco, White Paper: Addressing Critical Infrastructure Cyber Threats for State and Local Governments.
  2. Tom Ball, 'Top 5 critical infrastructure cyber attacks', Computer Business Review (18 July 2017).
  3. Cisco, White Paper: Addressing Critical Infrastructure Cyber Threats for State and Local Governments.
  4. Australian Cyber Security Centre, 2017 Threat Report.
  5. Unisys and Ponemon, Critical Infrastructure: Security Preparedness and Maturity (July 2014).
  6. Verizon, 2018 Data Breach Investigations Report.
  7. Ibid 23.
  8. Cisco, White Paper: Addressing Critical Infrastructure Cyber Threats for State and Local Governments.
  9. Andrew Liptak, 'The WannaCry ransomware attack has spread to 150 countries', The Verge (14 May 2017).
  10. Peter Ray Allison, 'How secure are smart energy grids?', Computer Weekly (January 2018).
  11. Alfred Ng, 'Cybersecurity at power plants needs advice it can actually use', CNET (1 March 2018).
  12. Colin Lecher, 'Here's how Hawaii's emergency alert design led to a false alarm', The Verge (18 January 2018).
  13. Devin Coldewey, 'Hawaii's emergency alert interface looks straight out of the '90s', TechCrunch (17 January 2018).
  14. John Hendel, 'Hawaii to blame for false alarm, FCC chief suggests', Politico (14 January 2018).
  15. United States Computer Emergency Readiness Team, Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices (16 April 2018).
  16. Ibid.
  17. Stephanie Borys, 'Russian hacking: Up to 400 Australian companies caught up in cyber attacks blamed on Moscow', ABC (17 April 2018).
  18. Ukrinform, Cyber-attack on Ukrainian government and corporate networks halted (26 June 2017).
  19. Jonathan Berr, 'WannaCry ransomware attack losses could reach $4 billion', Money Watch (16 May 2017).
  20. Nicole Perlroth, 'Hackers are targeting nuclear facilities, Homeland Security Dep't and FBI say', New York Times (6 July 2017).
  21. Australian Government, Strengthening the National Security of Australia's Critical Infrastructure – Discussion Paper.
  22. According to the Australian Government's fact sheet, critical infrastructure includes 'those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation, or affect Australia's ability to conduct national defence and ensure national security'. Australian Government, Fact Sheet – What is the Critical Infrastructure Centre?.
  23. Security of Critical Infrastructure Act 2018 (Cth).
  24. Security of Critical Infrastructure Act 2018 (Cth), s 2.
  25. Australian Government, Fact Sheet – What is the Critical Infrastructure Centre?.
  26. Attorney-General's Department, Submission to the Parliamentary Joint Committee on Intelligence and Security.
  27. Security of Critical Infrastructure Act 2018 (Cth) s 19.
  28. Security of Critical Infrastructure Act 2018 (Cth) s 22.
  29. There are civil penalty provisions in relation to: initial and ongoing obligations to give interest and control and/or operational information and to notify of events (50 penalty units – $10,500) (ss 23-24), the requirement to comply with a ministerial direction (250 penalty units – $52,500) (s 34), the Secretary's power to obtain information or documents (150 penalty units – $31,500) (s 37), and the requirement to notify a change to the reporting entities for an asset (150 penalty units – $31,500) (s 52). For the purposes of some civil penalty provisions, each day of non-compliance is treated as a separate contravention, which means penalties can quickly add up if problems are not swiftly addressed.
  30. Explanatory Document to the Security of Critical Infrastructure Bill 2017, [41].
  31. Security of Critical Infrastructure Act 2018 (Cth) s 45.
  32. Australian Securities and Investment Commission, 'Cyber resilience assessment report: ASX Group and Chi-X Australia' (March 2016).
  33. National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity (April 15, 2018).
  34. Government of the United Kingdom press release, 'Government acts to protect essential services from cyber-attack' (28 January 2018).