Over the past several years, the world has seen an increase in the use of malware to directly and maliciously affect critical infrastructure. In 2012, a piece of malware known as Shamoon was used to overwrite the hard drives of some 30,000 computers at Saudi Aramco, the Saudi Arabian national petroleum and natural gas company. Similarly, in 2016, a malware called BlackEnergy caused disruptions to the Ukrainian electrical grid.

Another piece of malware known as DragonFly was used to target pharmaceutical firms in 2014. Symantec, a global firm specializing in cybersecurity, recently identified DragonFly 2.0, which appears to specifically target industrial control system (ICS) field devices. This malware first appeared in late 2015, but activity has significantly increased in 2017. Dragonfly 2.0 uses a variety of infection vectors to gain access to a victim’s network, including malicious emails, watering hole attacks and Trojan software. The compromised device “phones home” to a command and control server being controlled by the attackers, offering a back door to the infected device.

A group known as Advanced Persistent Threat (APT) 33 has been implicated in a series of breaches in the oil and gas industry in countries like Saudi Arabia, South Korea and the United States. According to the critical infrastructure security firm Dragos, the attacks carried out by APT33 seem focused on industrial systems, but they haven’t tailored their malware to ICS devices yet; rather, they are targeting mainstream computer operating systems.

A new series of cyberattacks using the Petya malware that began in June 2017 have affected the websites of Ukrainian organizations, including banks, ministries, newspapers and electrical utilities. This malware also infected systems in many other countries, including the United States.

To protect your organization against the above-mentioned threats to critical infrastructure security, consider these recommendations:

  • Reduce or eliminate shared accounts and password reuse. DragonFly makes extensive use of stolen credentials to compromise a network. Account management can be a good layer of defense against this type of attack. Two-factor authentication also can be a good control.
  • Use regular patching. Many of these attacks rely on vulnerabilities that have already been fixed by software vendors, but have not yet been applied to vulnerable systems. Always keep up-to-date with your security patches.
  • Perform vulnerability assessments and penetration testing. Conduct regular assessments and controlled attacks on systems to test their defenses and identify vulnerabilities.
  • Maintain security awareness. Many of the attack vectors used by these malware infections include social engineering, phishing and Trojans, which all can be effectively countered by knowledgeable employees well-trained in cybersecurity threats.

As malware continues to evolve in both sophistication and impact, so must the countermeasures available to combat it. Targeted attacks against critical infrastructure raise the stakes and require dedicated focus on the part of entities that didn’t seem vulnerable as recently as a decade ago. While cybersecurity is a constantly moving target, diligence and training are the best defense against an uncertain future. 

John Biasi is a solution architect in the Governance, Risk, Cybersecurity and Compliance Group at Burns & McDonnell. He is also an adjunct professor at the Oklahoma State University Institute of Technology. His primary focus is on protecting critical infrastructure by focusing on risk management in the context of cybersecurity and regulatory compliance. He has extensive experience directing a broad range of IT security initiatives in planning, analysis and implementation of solutions, and he has hands-on experience leading all aspects of network design on high-profile projects. He is an active participant in the NERC Security Integration and Technology Enablement Subcommittee (SITES), Smart Electric Power Alliance (SEPA) and the Utilities Technology Council (UTC), focusing on grid modernization cybersecurity and compliance. John has a bachelor's degree in information technology and a Master of Business Administration in cybersecurity management from Excelsior University.