Powerless: DDoS and Critical Infrastructure

Posted: 28th June 2019 10:13

Critical infrastructure, as its name suggests, is rather important to the ability of a modern nation to function. The term critical infrastructure usually applies to things like power and water (i.e. the things that, if unavailable for an extended period of time, have a serious negative ability on peoples’ ability to go about business as usual).
Since critical infrastructure is so vital, it’s important to protect it. However, this can be more difficult than it would seem. A lot of the critical infrastructure in many countries is pretty old since it has to be functional 24/7 and is difficult to update or replace. However, these components are increasingly being connected to the Internet to facilitate monitoring and remote management, something that they were never designed to do. As a result, these devices are a prime target for cyberattacks like Distributed Denial of Service (DDoS) attacks, making the need for cybersecurity solutions (like DDoS mitigationsoftware) even more pressing.
The Changing State of Critical Infrastructure
Critical infrastructure has been around for a long time. We’ve had access to electricity, water, etc. much longer than we’ve had the Internet. As a result, it’s not uncommon to find critical infrastructure components that are over forty years old. These devices were never designed to be connected to the Internet, but have been anyway in the name of convenience.
Newer devices have also entered the critical infrastructure scene with the advent of the Internet of Things (IoT) and Industrial IoT (IIoT) devices. Just like the smart camera that you may have monitoring your home or your smart thermostat that allows you to control the temperature from a smartphone app, these devices are designed to make remote management of critical infrastructure components possible, which is convenient since they are often located in places that are not easily accessed.
The problem with connecting legacy systems to the Internet and the fact that critical infrastructure is increasingly using IoT is that both of these are known for their poor security. With IoT manufacturers, security seems to be the lowest priority (if it makes the list at all), leaving organizations and individuals with insecure devices that, nonetheless, have a lot of power and access to sensitive and private data.
When Cyber Goes Physical
The potential for cyberattacks against critical infrastructure really hits home when it’s demonstrated that such attacks are not just possible but actual threats to national security. Cyberattacks against the power sector in particular have been demonstrated to be a real concern by multiple attacks in recent years.
When attacking the power sector, the primary goal is typically a Denial of Service attack. While these organizations often have access to potentially sensitive information (billing records, etc.), it’s possible to get a much bigger, much more visible impact if you can just shut off the power. Since this type of attack is typically easier than stealing sensitive data from a secured target, it’s not surprising that it’s happened a few times already.
Attacks against the Ukraine are probably the most famous example of a cyber-physical attack. In December 2016, a group of hackers (supposedly associated with Russia), used a malware variant called CrashOverrideto take down electricity in a significant part of the Ukraine. This isn’t the first time that they’ve done this either. In 2015, the same group performed a similar attack using a different set of tools. The CrashOverride malware demonstrated a very detailed knowledge of how the Ukrainian power systems worked and had the ability to completely control infected substations. While the attack only knocked out power for a few hours, it demonstrated that such attacks are definitely possible and that certain groups have the knowledge and willingness to carry them out.
A less famous attack on the power sector was the recent Distributed Denial of Service (DDoS) attack against the United States Department of Energy (DoE). This attack was a bit different in that it didn’t actually cause a power outage but did have a significant impact on the operations of the affected power companies (likened to that of a major thunderstorm or fuel shortage). The fact that the attack didn’t knock out the power makes it seem less important, but the implications of the attack are still significant.
The attack against the US DoE was a successful, recent DDoS attack against US critical infrastructure.
The fact is that, if the critical infrastructure systems were properly protected, this should not have been possible. DDoS mitigation solutions exist, and can (and should) have been in place to protect these critical assets. While the attackers were unable to bring down the power this time, a stronger attack may have more significant and far-reaching effects.
Protecting Critical Services
The attacks against the Ukrainian and United States power grids are significant in that they demonstrate the real vulnerability of critical infrastructure to cyberattacks. Critical infrastructure has been connected to the Internet to form “smart grids”, but it has not had the proper safeguards put in place to protect it.
The Ukrainian and US attacks differed significantly in methodology but were similar in that they were likely preventable. In the case of the CrashOverride malware, while the malware variant may have been unknown, it caused power stations to take anomalous actions that brought down the grid. Behavioral monitoring software (similar to that used for user behavior monitoring) is available and may have been able to detect and prevent the attack.
In the case of the DoE attack, the threat actors used a Distributed Denial of Service (DDoS) attack. This type of attack is becoming increasingly common, and DDoS mitigation solutions are available to combat it. Internet-connected critical infrastructure (and all other organizations with a web presence) should have these solutions in place to protect it. If the DoE had done so, this attack never would have succeeded.