A joint advisory issued late last week by the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) warned companies operating in critical infrastructure industries about an advanced persistent threat (APT) group that was specifically targeting industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices.
The threat group is believed to be targeting the systems in order to disrupt operations, which could in turn delay production, result in financial losses, and shut down facilities. It is also believed that the APT group could be seeking to physically destroy equipment and to sabotage processes so that products are defective or machines malfunction.
Warnings have already been issued by the White House that Russian attackers have been detected probing critical infrastructure companies for vulnerabilities and weaknesses. One need only look at the example of Colonial Pipeline and the effects that it had to see the possible ramifications of these types of attacks on oil and gas pipelines or energy companies. Just a couple of weeks ago, Oil India suffered a ransomware attack with a demand of US$7.5 million to recover its computer systems. While drilling was not affected, all other computer systems were knocked offline and the company is expected to incur significant financial losses.
There have also been several attacks, possibly coordinated, against oil pipelines in Europe, as well as an attack on 21 natural gas suppliers within the US in the weeks before the Russian invasion of Ukraine in the past few months.
All of these attacks could be an exercise in trying to find a way in to disrupt power supplies, stop oil production, or halt the distribution of fuel. And a recent report on the state of readiness of critical infrastructure organizations is disturbing.
As CISA Director Jen Easterly says, this situation is “all about preparation, not panic.” Critical infrastructure companies, such as those in oil and gas, need to prepare for when a cyber-attack occurs, not if one does. As former FBI Director Robert Mueller famously said, “There are only two types of companies: those that have been hacked and those that don’t know they have been hacked.”