As organizations attempt to manage remote and hybrid workforces, pursue digital transformation, and contend with global instability, threat actors are capitalizing on an expanded attack surface and a shifting vulnerability landscape — becoming bolder, more sophisticated, and more damaging in their attacks. As a result, we’ve seen an emergence of disruptive cybersecurity threats targeting critical infrastructure organizations, ranging from disruption of operations and business processes to safety risks. Adversaries continue to adapt, making it more important than ever to understand today’s top cybersecurity threats and the best practices to implement in order to harden your security defenses and protect your business.
1. Top Cyber Threats Today
2. Examples of Industrial Cyber Threats
3. Examples of Healthcare Cyber Threats
4. Best Practices
Preventing breaches starts with understanding which cybersecurity threats are affecting organizations today. Knowing which opportunities adversaries are looking for and can most easily exploit is the first step in staying ahead of their attacks and ensuring cyber and operational resilience.
Although not a new cybersecurity threat, ransomware has grown in recent years due to the global pandemic and the rapid adoption of borderless work. Overnight, organizations were forced to adopt remote and hybrid work environments without the time to put proper security protocols and systems in place — leading to insecure remote access. The pandemic also accelerated the use of new and insecure technologies, introducing the risk of vulnerabilities and expanding the attack surface as the extended internet of things (XIoT) becomes increasingly interconnected. This level of interconnectivity has caused adversaries to become increasingly targeted in their ransomware strategies, shifting from opportunistic, spray-and-pray cyberattacks to a more deliberate approach that intentionally seeks to exploit specific companies with a low tolerance for operational downtime.
The convergence of information technology (IT) and operational technology (OT) has provided organizations across all industries with numerous benefits, including improved visibility into their operations, increased automation and efficiency, reduced downtime and maintenance costs, and enhanced overall productivity. Although this convergence has optimized the collection and exchange of data between machines, its interconnectivity has broadened the attack surface, giving attackers new ways to infiltrate the environment. Many times, the devices, software, and systems impacted by IT/OT convergence are left unprotected due to our next threat to cybersecurity:
Traditionally, IT and OT systems have been managed separately, with IT systems focused on computing and managing data, and OT systems focused on controlling and monitoring events, physical processes, and devices. Due to their distinct differences, they have required oversight from radically different teams with unique skill sets. However, in the current technology landscape, the worlds of IT and OT are converging, requiring a single, unified approach to IT and OT security processes. Most organizations struggle with a lack of security coordination in their operations, as their teams are siloed and do not share the same goals and objectives. Without clear communication and coordination between the IT and OT departments, organizations will struggle to implement effective security protocols and strategies — leaving them vulnerable to the increasing threat landscape.
That’s why the Transportation Security Administration (TSA) has issued cybersecurity directives for rail, air, and pipeline transportation. As a result of persistent cyber threats against U.S. critical infrastructure, the TSA has taken emergency action to strengthen cybersecurity resilience and prevent operational disruption and infrastructure degradation. The TSA cybersecurity directives require organizations to implement network segmentation policies and controls to ensure operational technology (OT) systems can continue to operate safely in the event that an information technology (IT) system has been compromised, and vice versa. This policy will ensure that organizations can verify whether the right segmentation policies are in place to prevent the lateral movement of attacks from IT to OT, and that IT and OT teams communicate and operate effectively with one another to prevent the spread of attacks.
Along with siloed business units, many organizations also face resource constraints related to limited staff and a lack of funding. Without the proper business units in place, organizations may struggle to manage their day-to-day IT infrastructure, let alone address the added responsibility of cybersecurity across the entire XIoT. Similarly, organizations that lack the funds to invest in cybersecurity measures may not have the resources to successfully implement cybersecurity solutions or hire qualified talent to manage security operations. This, coupled with already limited staff, leaves organizations especially vulnerable to threats.
Unlike IT systems, OT systems tend to have unique hardware and software architectures, specialized protocols, and different performance requirements. OT systems are also often connected to legacy devices, which run outdated software and are difficult to replace. These factors make IT security tools unsuitable for protecting OT environments, and if used, they could cause disruptions to critical operations. For example, using IT security tools to scan an OT system for vulnerabilities can cause delays or even system failures. Similarly, attempting to deploy patches on an OT system can result in compatibility issues or other unintended consequences.
As tensions grow internationally, state-sponsored attacks are increasingly used to steal intellectual property and sensitive information, or to cause damage or disruption to physical infrastructure. According to PwC’s CEO survey, cyber risk and geopolitical conflict are ranked among the top 5 concerns for CEOs. When these two challenges are combined, a business’s risk environment is significantly elevated. As stated by PwC, “cybersecurity has become part of the arsenal in geopolitical conflicts, and attacks can be sophisticated and persistent”. This means that organizations need to monitor and assess their risks continuously in order to react quickly and effectively to remediate threats.
Compliance with regulations can be extremely complex, making it difficult for organizations to understand what is required of them and how to implement the necessary security measures. An organization's ability to adhere to regulations is also closely tied to our fourth challenge, resource constraints. Without the budget or the right personnel, businesses can find it difficult to implement and maintain industry regulations — which are constantly evolving and being updated. One recent cybersecurity regulation that has emerged and proven complex for organizations to understand is the Network and Information Security Directive (NIS2). This legislation was established by the European Union (EU) to strengthen cybersecurity posture and resilience by establishing a minimum set of cybersecurity measures and reporting requirements. Given its complex and technological nature, organizations can find they require significant investments in technology, staff training, or external support to meet compliance.
There are various real-world examples of the above threats affecting critical infrastructure organizations. The most notable is the NotPetya attack. This malware attack is considered to be the most costly and destructive cyberattack in history — and it set a precedent for a new kind of state-sponsored cyber warfare. Although Ukraine was its primary target, the attack quickly spread to over 60 other countries, paralyzing the computer systems of thousands of multinational corporations. These multinational corporations were spread across various critical infrastructure sectors including healthcare, energy, and transportation. Alarmingly, NotPetya caused a record-breaking $10 billion in damages, not including the collateral damage of lost goods, services, and opportunity. The attack was carried out by exploiting EternalBlue — a Windows exploit created by the U.S. National Security Agency (NSA) — to move laterally through enterprise networks, spreading from one vulnerable system to the next. This unprecedented threat to industrial cybersecurity highlighted two major issues that allowed NotPetya to infect such a large number of OT environments:
Understanding the vulnerabilities and risks associated with your organization's XIoT is key to ensuring your devices and systems are not targets for cyber criminals. If the organizations impacted by NotPetya had implemented exposure management strategies and applied the known patch for EternalBlue, their operations would not have been affected. Although this would have been an important resolution for those impacted by NotPetya, it is important to note that patching is a particularly difficult challenge for many OT devices. That’s because the legacy systems and technologies in OT environments are not designed with software updates and patching in mind, and patching these devices can have significant operational implications, as any disruption or downtime could affect the entire system. The patching challenge is also what has made having network segmentation and compensating controls in place so crucial — which is the second issue that made NotPetya so devastating.
NotPetya was able to move rapidly across organizations’ IT and OT environments due to a lack of network segmentation. By isolating or segregating network segments, organizations impacted by NotPetya could have contained and limited the damage caused. Although patching may not always be immediately possible for OT devices, due to the challenges listed above, network segmentation allows an organization to mitigate risks by implementing compensating security measures to monitor and detect potential threats while working towards patching vulnerable devices. Without proper OT segmentation, alignment with the Purdue Model, and implementation of other best practices, organizations will continue to suffer from the lateral spread of ransomware, like NotPetya, and other malicious programs.
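The segmentation check described in the TSA directive and in the paragraph above (no direct IT-to-OT path, compensating monitoring where patching is not possible) can be audited from observed flows. The following script is an added illustration, not Claroty tooling or data: the Purdue zone inventory, the allow list, and the sample flows are all constructed, and the zone names, address ranges, and ports are assumptions.

```python
"""Audit observed flows against a Purdue-style IT/OT segmentation policy.
Constructed example: zone inventory, allow list and flows are made up for
illustration; this is not Claroty data or tooling."""
import ipaddress
from dataclasses import dataclass

# Purdue levels from enterprise IT down to control, with the address ranges the
# (constructed) asset inventory assigns to each.
ORDER = ["enterprise", "idmz", "site_ops", "control"]
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),      # Level 4/5
    "idmz":       ipaddress.ip_network("10.10.0.0/24"),     # Level 3.5 (IDMZ)
    "site_ops":   ipaddress.ip_network("192.168.10.0/24"),  # Level 3
    "control":    ipaddress.ip_network("192.168.20.0/24"),  # Level 1/2
}
# Cross-zone flows explicitly permitted: (src_zone, dst_zone, dst_port).
ALLOWED = {
    ("enterprise", "idmz", 443),   # users reach the DMZ historian / jump host
    ("idmz", "site_ops", 443),     # DMZ relays into site operations
    ("site_ops", "control", 502),  # SCADA server polls PLCs over Modbus/TCP
}
# Flagged whenever they cross a boundary in either direction; SMB (TCP/445) is
# the service the EternalBlue exploit used by NotPetya targets.
WATCHED_PORTS = {445: "SMB"}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)

def check_flow(flow):
    """Return None if the flow complies, otherwise a short finding string."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s is None or d is None:
        return "unknown asset"  # an inventory blind spot rather than a policy hit
    if s == d or (s, d, flow.dport) in ALLOWED:
        return None
    if flow.dport in WATCHED_PORTS:
        return f"{WATCHED_PORTS[flow.dport]} across zone boundary {s}->{d}"
    if abs(ORDER.index(s) - ORDER.index(d)) > 1:
        return f"{s}->{d} skips the IDMZ"  # the IT-to-OT path segmentation must block
    return f"{s}->{d}:{flow.dport} not in allow list"

def audit(flows):
    # One (flow, finding) pair per flow that violates the policy.
    return [(f, r) for f in flows for r in [check_flow(f)] if r]
```

Feeding it flows exported from a firewall or a passive OT monitor turns "is the right segmentation in place?" into a list of concrete paths to close, and "unknown asset" findings point at gaps in the inventory itself.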
The NotPetya attack greatly highlighted the threat of interconnectivity, as previously “air-gapped” systems have become interconnected, allowing hackers to gain unfettered access throughout various systems. It also raised the issue of another threat, cybersecurity blind spots. Without the proper OT scanning tools, the affected organizations were completely unaware of the vulnerabilities in their environment. As a result of the attack, organizations will require a strong and resilient cybersecurity strategy, and the help of a purpose-built OT cybersecurity solution, to defend against an expanding attack surface.
We have also seen these top threats greatly affect healthcare cybersecurity. Most notable was a ransomware attack that impacted Düsseldorf University Hospital. The ransomware is said to have been introduced to the hospital’s network through a well-known vulnerability in a Citrix application. Although the hospital insisted that it had patched this vulnerability, the attack still corrupted 30 servers and forced the hospital to announce that planned and outpatient treatments and emergency care could not take place there. Those seeking emergency care were then redirected to other hospitals, including a 78-year-old woman requiring immediate treatment. Due to the attack, her ambulance was diverted to a hospital 19 miles away, delaying her care, and tragically, she died shortly after. This incident was a warning sign to healthcare delivery organizations of the devastating effects of ransomware, and highlighted that the consequences have become more than just financial damages. This attack on critical infrastructure further displayed the importance of implementing effective healthcare cybersecurity to ensure patient safety and protect medical devices.
Once you understand the top cybersecurity threats plaguing critical infrastructure organizations today, it is time to implement the following best practices to protect your business.
Cyber-physical system (CPS) connectivity has created security blind spots and a growing attack surface that can pose risk to the availability, integrity, and safety of your environment. That's why it is essential to have a complete inventory of assets, vulnerabilities, and risks enterprise-wide to manage security and compliance posture. With an in-depth asset inventory, organizations can gain comprehensive visibility of all XIoT assets, including a full scope of identifiers and behavioral details. These details will help organizations identify proprietary protocols that are incompatible with, and invisible to, traditional IT security tools, and will assist in determining how legacy devices operate and communicate. This in-depth visibility can also be achieved no matter your regulatory requirements, making compliance one less cybersecurity threat you have to contend with.
Once enterprise-wide visibility is achieved, it is essential that organizations integrate their existing IT tools & workflows with OT. Many CPS use proprietary protocols and legacy systems which are incompatible with traditional IT security solutions. In many environments, traditional vulnerability scanners are unsafe, and patching is rarely permitted due to their low tolerance for downtime. With collaboration between IT and OT teams, and the right CPS security tool, organizations can safely uncover risk blind spots without endangering operations by integrating their already extensive tech stacks with a purpose-built OT security solution. This strategy will help organizations to take control of their risk environment and create further visibility across traditionally siloed teams by simply extending existing tools and workflows from IT to OT.
Unlike their IT counterparts, most XIoT environments lack essential cybersecurity controls and consistent governance. That’s because legacy systems in many XIoT environments were built with a focus on functionality and operational reliability rather than security, as these systems were not initially intended to be connected to the internet. The rise of interconnectedness has caused these previously “air-gapped” systems to become converged with IT networks — which were not designed to be connected and managed in the same way. The rapid adoption of digital transformation, and of remote and hybrid working environments, has left security teams with a lack of awareness and understanding of the unique challenges of these newly interconnected XIoT environments. Without a dedicated security team or help from a solution that specializes in securing OT systems, organizations will suffer from a lack of consistent governance and controls. To resolve this, organizations can team up with a CPS security vendor that provides visibility into all CPS, integrates your existing IT tools and workflows with CPS, and helps to extend your IT controls to the XIoT by unifying your security governance and driving all use cases on your journey to cyber and operational resilience.
Although there are several other best practices organizations can implement to protect themselves from emerging cyber threats, these three are a great jumping-off point. Gaining comprehensive visibility, efficiently integrating existing IT tools and workflows with CPS, and establishing strong security controls and governance are essential to keeping up with trends and changes in a continuously evolving threat landscape. Today, it is crucial that cybersecurity keeps pace with the impact of digital transformation as environments become increasingly interconnected and adversaries become more relentless in their attacks. By understanding what threat actors are looking to exploit, and teaming up with the right CPS security vendor, organizations can successfully harden their security defenses and protect their business.