If you’re a utility company, then you’ve probably already received warnings from the Department of Homeland Security about nation-states that are trying to infiltrate and disrupt the United States electrical grid.
But new reporting by the Washington Post suggests nefarious actors from Russia, China, Iran and the like actually aren’t a utility company’s biggest concern. Ironically, cybersecurity researchers like Boston-based Cybereason are more concerned about amateurish cybercriminal groups than they are about sophisticated actors with far more resources.
While this is perplexing on its face, the reasoning behind it is actually quite simple.
If you were to have your wallet stolen by a thief, would you rather that thief be a desperate teenager wielding a gun or a seasoned pickpocket whose main goal is being undetected?
“[Cybercriminal groups are] more prone to make mistakes, and they’re trying to get into the system as quickly as possible, which is different from the groups that DHS talks about that are very slow and methodical.” - Ross Rustici, Senior Director of Intelligence for Cybereason
Obviously, we’d prefer not to have our wallets stolen at all! However, if it has to happen, it’s best that it isn’t done by someone who might additionally cause us physical harm on top of the financial harm they’re inflicting.
The same can be said about the difference between cybercriminal groups vs nation-state actors.
Why Cybercriminal Groups Pose a Greater Threat Than Nation-States
As Cybereason explained to the Washington Post, the differences between your run-of-the-mill cybercriminal and a nation-state actor begin with motive.
Nation-state actors are directed by governments. Therefore, their goals tend to be wide-ranging and their attacks sustaining. A nation-state might infiltrate utility companies undetected and remain hidden in their systems for years—collecting information and reporting it back to their government agencies as they await further instructions.
The goal of the nation-state actor isn’t necessarily disruption and destruction. They may simply be committing espionage—stealing intellectual property and disseminating corporate secrets.
A cybercriminal, on the other hand, is more often looking to monetize their exploits.
We’ve heard about ransomware attacks before. A bad actor injects a computer or network with malware that encrypts all files and demands a ransom be paid to have them returned, less they be destroyed.
Attacks like these, or ones that similarly lead to some sort of payout or monetary extraction, are often the goal of cybercriminals. However, since these actors are motivated by money and extortion rather than eavesdropping and espionage, they tend to be less careful and not at all concerned about collateral damage.
“[Cybercriminal groups are] more prone to make mistakes, and they’re trying to get into the system as quickly as possible, which is different from the groups that DHS talks about that are very slow and methodical,” Ross Rustici, Cybereason’s senior director of intelligence, told the Washington Post’s Derek Hawkins. “A lot of nation state groups will invest time and money to practice on mock-up networks to avoid detection ... Cybercriminals don’t have the time, resources or care for this because they’re looking for a quick buck.”
IIoT: Where Cybercriminal Groups Pose the Greatest Threat to Society
It’s not just utility companies that need to be vigilant. As DHS has publicly stated, nation-state actors are attacking all forms of critical infrastructure, from power grids to wastewater facilities, manufacturing plants, nuclear reactors and more.
And, if a nation-state is targeting these resources, researchers say, you better believe that cybercriminal groups are too.
The problem here lies within Rustici’s quote above. Since these cybercriminal groups are resource restrained, they can’t practice their attacks in simulated environments first, like their nation-state counterparts. Often, the first time they’re seeing the systems they’re attacking is upon gaining access. For a bad actor, this kind of scenario makes executing their exploit like throwing a dart in a pitch-black, crowded room—they might hit the bullseye, but they might also hit someone in the eye causing chaos to ensue.
Unfortunately, we’ve already seen a couple of real-world examples of what happens when a cybercriminal group misses the bullseye.
One such example, as Wired reported back in Jan. 2015, occurred when cybercriminals targeted an unnamed steel mill in Germany causing extraordinary collateral damage when, upon disrupting control systems to gain access to the plant, they sent a blast furnace into overdrive essentially causing it to self-destruct.
The furnace was by no means the target of this attack and had the cybercriminals had a choice in the matter, they most likely would have tried to avoid such a scenario. But the fact that they couldn’t says a lot about the threat that they pose—and a bit about the embedded systems they’re disrupting when they gain access to our critical infrastructure.
IIoT Without Security Is the Greatest Threat to Critical Infrastructure
Electrical grids, wastewater facilities, nuclear reactors and the like are jam-packed with embedded systems. These systems were primarily designed to help machines and large pieces of equipment communicate with one another, in order to make them more efficient.
One of these embedded systems, for example, might tell the blast furnace in our example above to turn on or off.
In order to communicate with one another, these machines need to connect to a network—and their ability to connect to a network also allows them to connect to the internet.
These legacy systems, however, were not necessarily built with IIoT in mind, and therefore they tend to lack the sophisticated level of security that is necessary to ensure an amateur attacker doesn’t flip a switch they’re 1) not supposed to and 2) not intending to.
Worse yet, this is not a vulnerability that can simply be patched with a few lines of code. Most devices today, IIoT included, are “secured” by software. But, software is inherently flawed.
According to well-established research, there are about 15 bugs per 1,000 lines of code on average. Further analysis has shown that, of those 15 bugs at least two percent can be turned into exploitable vulnerabilities. Therefore, trying to fix a security problem by layering software on top of it just creates a new, slightly more complex security problem.
Rather, the only way to seriously solve the IIoT security problem, and to ensure cybercriminal groups can’t cause harm in the physical world based off their digital exploits, is by completely rethinking cybersecurity as we know it.
Since we can’t write perfect software, there will always be software bugs to exploit. But what if a piece of hardware, built directly into the SoC, could act as a check on the instructions the security software is firing?
The idea of a Sentry Processor that acts as a bodyguard to the host processor by flagging malicious code and stopping attacks before they even occur, is no longer a pipe dream. Today, this technology already exists and can be used to create fail-safes for switches in our critical infrastructure.
Building the next generation of IIoT embedded systems this way, with hardware designed with security in mind, can help deter cybercriminal groups and thwart the worst-case scenario when deterrence doesn’t work.
To learn more about securing the IIoT through software and hardware, read our blog on How CoreGuard Enforces IoT Security, Safety, and Privacy, today.
Want to learn more about how we can secure Industry 4.0? Join us on February 6th at 2PM EST for our first webinar of 2020, "The Cybersecurity Stack: How to Secure Industry 4.0."