‘Living off the land’ a major cyber threat to critical infrastructure, report finds
Pen Sangraksawong via Getty Images
By
Chris Teale
A recent report found that 62% of critical infrastructure operators have been attacked, and more than half have had their operations disrupted.
Most critical infrastructure operators have suffered a cyberattack in the past year and many have been targeted multiple times, according to a recent report by identity security and cyber resilience company Semperis. And hackers associated with nation-states are often inside operators’ systems without them knowing, lying in wait to wreak havoc.
The report released early this month found that 62% of water and power operators in the United States and the United Kingdom have been targeted by cyberattacks in the past year, and of those, 80% have been targeted multiple times. Fifty-nine percent of those surveyed confirmed that cyber criminals sponsored by nation-states were behind the attacks, although experts said that figure could be higher.
More than half — 57% — said the attacks disrupted their normal operations, while 54% suffered permanent corruption or destruction of their data or systems. Also troubling Semperis’ experts: 38% of utilities said they believe they have not been targeted by a cyberattack. Semperis said that may be indicative of those utilities’ lack of cyber preparation, and up against the likes of China, Iran, North Korea and Russia, it isn’t a fair fight.
“It's the definition of asymmetrical warfare: some little 15,000-user municipal facility against the Chinese Communist Party and their army of hackers,” said Sean Deuby, Semperis’ principal technologist. “The challenge that the local facilities have is they don't have the expertise… They don't have the skills, they don't have the money, and they don't have the money to hire the skills.”
One of the techniques used most often by nation-state hackers, and one which should trouble critical infrastructure operators, is so-called “Living off the Land,” where hackers get into a system using legitimate tools and technologies and then wreak havoc. By using those trusted tools, hackers can disguise themselves and their actions as normal processes.
Sandra Joyce, vice president of Google Threat Intelligence, said in an interview on the sidelines of the Google Cloud Next conference in Las Vegas, that it is one of many “new, novel techniques that are making us have to be better at what we do.”
It’s something that all critical infrastructure operators must be aware of, even if they do not think they are under threat. Josh Klemm, chief information officer for the New York State Thruway Authority, said the highway is “incredibly challenging to penetrate,” but entities in the same sector have been contacted about infiltration.
“Would it be naive to say we're crystal clear? Probably,” Klemm said in an interview during Google Cloud Next. “Is there anything that we're concerned about or aware of at this point in time? No.”
Cybersecurity vulnerabilities have bedeviled critical infrastructure for years, especially as much of the operational technology like sensors, controls and other systems is built on legacy systems and so may be at risk, even if they are not connected to the internet. Indeed, experts have warned previously that a “turf war” between OT and IT systems has undermined cyber efforts in critical infrastructure.
“In the era where these were built, reliability was the number one priority, not necessarily security, in some cases,” Joyce said.
And those threats have become all too real in recent times. A group linked to Chinese state-sponsored hackers known as Volt Typhoon had been in the U.S. electric grid for 300 days after breaching the Littleton Electric Light and Water Departments public power utility in Littleton, Massachusetts. A study by industrial cybersecurity company Dragos found that the utility was unable to collect data on their OT systems and needed help fast to remediate the issue.
Chris Inglis, the first U.S. national cybersecurity director and now a Semperis strategic Advisor, said in a statement released by Semperis that attacks like the one in Littleton show that bad actors “are difficult to detect and can remain dormant, planting backdoors, gathering information, or waiting to strike for months or even years.”
Still the biggest issue for utilities and critical infrastructure providers is not having the resources to invest in cybersecurity protections or necessary staff. Lawmakers want to remedy that with two pieces of bipartisan legislation — the Rural Water System Disaster Preparedness and Assistance Act and the Cybersecurity for Rural Water Systems Act — which were recently reintroduced in Congress.
A whole-of-state cybersecurity strategy could also help, as it encourages information sharing between the various levels of government as well as stronger partnerships with the private sector. Ron Bushar, chief security officer for Google Public Sector, said he is also encouraged to see states like Texas, New York City and others thinking about state-level cyber command to coordinate their response to attacks and prepare for future breaches.
Given how high the stakes are if a breach occurs, it makes sense for states to be more invested in helping, Bushar said.
“You don't just have the traditional nation state threats anymore, you've got a lot of criminal actors out there that know that they can extort emergency services, local police… hospitals for money, and they've got some sophisticated capabilities now,” he said. “If you have a part of your critical infrastructure that is exposed, it can have cascading effects, and unfortunately we've seen the impacts of that at a variety of levels.”