CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.
Cyber-physical systems are smart networked systems made up of embedded sensors, processors, and actuators that sense and interact with the physical environment and support real-time performance in safety-critical applications. Some of these systems comprise Operational Technology (OT) elements, such as industrial control systems (ICS), that converge with Information Technology (IT) computing platforms; collectively they lay the foundations for smart cities. In Singapore’s context, cyber-physical systems are crucial enablers of the Smart Nation initiative, which aims to use technology to improve Singaporeans’ quality of life, strengthen businesses, and help government agencies serve Singaporeans better.
Today, cyber-physical systems play huge roles in our daily lives. Examples include self-driving cars and drones, highly-customised Supervisory Control and Data Acquisition (SCADA) systems and ICS found in critical infrastructure (e.g. water treatment plants, power stations and grids, and petrochemical plants), and even bedside medical monitors in hospitals. While cyber-physical systems have opened up vast opportunities for cities all over the world to embrace smart technology and become smart cities, there are growing concerns that cyber threat actors are targeting them for malicious agendas. This edition of CyberSense takes a look at disruptive threats against business operations related to cyber-physical systems in recent years and their impact.
Cyber-attacks against cyber-physical systems used to be popular plots in science fiction and were largely theoretical. However, the successful deployment of the Stuxnet computer worm against air-gapped SCADA systems in 2010 is testimony to how such cyber-attacks are no longer a fantasy. More worryingly, while such capabilities used to belong only within the arsenals of a select group of state-sponsored actors, cybercriminal gangs have also begun to carry out disruptive attacks. A number of high-profile incidents have demonstrated that business operations can be impacted when interdependent IT networks and key business functions are compromised, resulting in massive financial losses and service disruption, and on occasion coming close to harming human lives:
- In December 2016, a sophisticated malware “Industroyer” found planted in the network of Ukraine’s national power grid operator, Ukrenergo, reportedly caused a major blackout across Ukraine’s capital Kyiv for an hour and affected more than 250,000 residents. Investigations revealed how “Industroyer” was designed to disable fail-safe devices, create conditions that would cause physical damage to the targeted substation, result in massive power outages for prolonged periods, and even harm workers attending to the situation physically. Notably, “Industroyer” is the first known malware specifically designed for attacking power grids, and one of a handful of known malware targeting ICS.
- In August 2017, hackers allegedly compromised an unnamed petrochemical plant in Saudi Arabia with the “Triton” malware, which was coded to take over and disable Schneider Electric’s Triconex industrial safety instrumented systems – systems meant for preventing accidents or sabotage at the plant. A flaw in the malware, however, prevented the hackers from potentially releasing toxic gases or causing explosions that would have put lives at risk both at the plant and in its surrounding areas.
- In February 2020, the US Department of Homeland Security said that an unnamed US-based natural gas-compression facility shut down its operations for two days after suffering a ransomware attack. The unnamed malware reportedly spread to the facility’s OT network, and prevented personnel from receiving real-time operational data from control and communication equipment for monitoring the facility’s physical processes.
- In February 2021, an unknown hacker tried to poison the water supply of Oldsmar, Florida in the US after gaining access to the computer system of the town’s water treatment plant, and briefly changed the concentration of lye (also known as sodium hydroxide, and used in water treatment to control water acidity) to dangerous levels. Plant operators noticed and reversed the change immediately. They also observed someone taking control of the mouse cursor via the remote access software TeamViewer and then making changes to the software that controlled functions for water treatment.
- In May 2021, the Colonial Pipeline Company in the US suffered a ransomware attack that locked up its IT network, which included its business and accounting functions. The inability to bill customers led to the company’s decision to shut down the pipeline’s operations. The shutdown resulted in fuel shortages and panic buying throughout affected US states.
DISRUPTIVE THREATS AGAINST BUSINESSES ARE RISING
Based on the above cyber incidents, the threat against business operations, whether by impacting OT elements of cyber-physical systems directly or through dependent business functions, is increasing globally. A telling example is the Colonial Pipeline ransomware attack. While Colonial’s OT and IT systems appeared to be separated, there were both operational and business dependencies between the two. When the billing system (part of Colonial’s IT systems) was compromised, the company made the operational decision to shut down the pipeline, despite the fact that Colonial’s OT systems were not impacted by the ransomware attack. The calculus behind Colonial’s decision epitomises the concern that operational and business dependencies can be a point of disruption for key business processes, even when the relevant technical systems are not directly hit in a cyber-attack.
Notably, the attack surface beyond organisational IT/OT networks has also been greatly expanded, providing further entry points for threat actors to leverage and carry out attacks. This is facilitated by the extensive linkages of cyber-physical systems not just to organisational IT networks, but also to vendors’ networks as part of global supply chains, and even to Internet of Things (IoT) devices that acquire and analyse data to monitor the networks’ various connected systems. The incidents highlighted earlier therefore also underscore the need for organisations to pay close attention to the security of their system linkages, especially components that were previously not regarded as potential attack vectors. Such a need is amplified by the fact that threat actors are known to launch cyber-attacks using previously unknown tooling, including zero-day exploits purchased from underground markets, custom malware, and infrastructure tailored to individual targets.
Lastly, threats to organisations can manifest under different circumstances. Threat actors and cybercriminal gangs may compromise targeted elements of an organisation’s cyber-physical systems for industrial espionage, or even to pre-position malware for future disruptive attacks. They will then be able to trigger the malware against the targeted systems, at a time of their choosing, to cause disruption in support of their larger objective.
Worryingly, global research and advisory firm Gartner has predicted that the financial impact arising from cyber-physical attacks which result in fatal casualties will reach over US$50 billion by 2023. In the face of increasing cyber threats globally, there is a pressing need for organisations to take the necessary action to review their security preparedness and raise their security posture, as cyber-physical systems increasingly go online and are transformed digitally to meet growing business demands. Such actions include:
- Proper Asset Visibility and Management: Maintain full asset visibility within the organisation’s environment and ensure appropriate security controls are implemented to protect assets.
- Internal System Protection:
  - Implement network segmentation within the environment, and limit communications between different network zones.
  - Enhance monitoring and detection capabilities to identify anomalous activities within the environment.
- Business Continuity and Recovery:
  - Map out dependencies between operations and business flows, and incorporate appropriate contingency plans into business continuity plans (BCPs).
  - Cement the organisation’s readiness in dealing with an attack by practising business continuity and incident response plans, involving key decision makers and employees from both operations and business functions.
- Cybersecurity Awareness: Raise cybersecurity awareness among employees, contractors and third-party vendors who have access to the organisation’s systems.
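As an added example (not from the bulletin or CSA), the monitoring-and-detection recommendation applied to the Oldsmar-style scenario described above: a small Python check over a constructed HMI audit log that flags setpoint changes pushed outside an assumed safe operating band, as well as any change made from a remote session. The log format, tag names, safe bands and step threshold are assumptions for illustration, not any vendor's real format.

```python
"""Flag risky setpoint changes in a constructed OT/HMI audit log.

Assumed log format (one change per line, constructed for this example):
    time,user,session,tag,old_value,new_value
"""
from dataclasses import dataclass

# Constructed sample log: routine local adjustments plus one remote-session
# change that pushes the dosing setpoint far outside its normal band.
SAMPLE_LOG = """\
2021-02-05T08:01:10,op1,local,NaOH_ppm,100,110
2021-02-05T08:03:30,op1,local,NaOH_ppm,110,100
2021-02-05T13:00:05,remote_user,remote,NaOH_ppm,100,11100
2021-02-05T13:04:40,op2,local,NaOH_ppm,11100,100
2021-02-05T14:00:00,op2,local,Flow_setpoint,500,520
"""

# Assumed safe operating bands per tag (illustrative engineering values).
SAFE_BANDS = {"NaOH_ppm": (50.0, 500.0), "Flow_setpoint": (200.0, 800.0)}
# Assumed largest plausible single-step change, as a fraction of the old value.
MAX_STEP_RATIO = 2.0


@dataclass(frozen=True)
class Alert:
    time: str
    tag: str
    reason: str


def analyse(log_text: str) -> list[Alert]:
    """Return one Alert per suspicious condition found in the log text."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 6:  # skip blank or malformed lines
            continue
        time, user, session, tag, old_s, new_s = fields
        old, new = float(old_s), float(new_s)
        lo, hi = SAFE_BANDS.get(tag, (float("-inf"), float("inf")))
        if not lo <= new <= hi:
            alerts.append(Alert(time, tag, f"value {new:g} outside safe band [{lo:g}, {hi:g}]"))
        elif old > 0 and abs(new - old) / old > MAX_STEP_RATIO:
            alerts.append(Alert(time, tag, f"implausible step {old:g} -> {new:g}"))
        if session == "remote":  # any remote change is worth an operator's eyes
            alerts.append(Alert(time, tag, f"setpoint changed from remote session by {user}"))
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a.time, a.tag, a.reason)
```

The return to 100 ppm in the fourth line is within band and under the step threshold, so only the remote out-of-band change is flagged; in a real deployment the band and threshold would come from the plant's engineering limits.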
In particular, SingCERT’s advisory “Ransomware: A Growing Cybersecurity Threat to Businesses” provides preventive measures against ransomware that all businesses can adopt, as ransomware emerges as a clear threat to organisations big and small.
Ars Technica, BBC, CSO, FutureGov, Gartner, MIT Technology Review, National Science Foundation, Newsweek Vantage, NIST, Singapore’s Operational Technology Cybersecurity Masterplan 2020, Tech Monitor, TechRadar, US Department of Homeland Security, Wired.