Ken Spinner, VP of Field Engineering at Varonis comments:
“The idea that an employee at one of these facilities can open the door to an attack that brings down our power grid simply by clicking on a phishing attempt is a loud wake-up call. Companies in critical sectors must provide the necessary resources to find and address the serious threats posed by these types of attacks. This, in conjunction with air-gapped networks and proper security controls, is required at a minimum.
Many of these infrastructure providers are relying on outdated security systems with limited detection capabilities. The concern over state-sponsored hackers using malware to attack critical infrastructure is no longer theoretical. We got a glimpse of what’s possible when Ukraine’s power grid was partially disrupted in 2015 and again in 2016.
Unlike ransomware, which needs to be detected eventually (so victims can pay the ransom), APTs will try to remain undetected as long as possible to do the most damage. Attackers will often establish numerous footholds within a network and attempt to remain undetected while mapping systems and locating key documents, emails, and user accounts.
We’ve seen malware impact energy systems dating as far back as 2003, when the Microsoft SQL Server Worm, Slammer, infected an Ohio-based nuclear power plant network in 2003, causing a temporary outage. The key difference today is that attackers are equipped with far more sophisticated malware that is designed specifically to infiltrate and damage things like electricity substation switches and circuit breakers.”